Make container registry support Apple Container (basic auth) (#36920)

Fix #36907
This commit is contained in:
wxiaoguang
2026-03-19 07:43:44 +08:00
committed by GitHub
parent 18c65965ab
commit 00060ff73c
3 changed files with 28 additions and 11 deletions
+6 -4
View File
@@ -120,17 +120,19 @@ func apiErrorDefined(ctx *context.Context, err *namedError) {
})
}
func apiUnauthorizedError(ctx *context.Context) {
func APIUnauthorizedError(ctx *context.Context) {
// container registry requires that the "/v2" must be in the root, so the sub-path in AppURL should be removed
realmURL := httplib.GuessCurrentHostURL(ctx) + "/v2/token"
ctx.Resp.Header().Add("WWW-Authenticate", `Bearer realm="`+realmURL+`",service="container_registry",scope="*"`)
// support apple container like: container registry login <gitea-host> -u
ctx.Resp.Header().Add("WWW-Authenticate", `Basic realm="Gitea Container Registry"`)
apiErrorDefined(ctx, errUnauthorized)
}
// ReqContainerAccess is a middleware which checks the current user valid (real user or ghost if anonymous access is enabled)
func ReqContainerAccess(ctx *context.Context) {
if ctx.Doer == nil || (setting.Service.RequireSignInViewStrict && ctx.Doer.IsGhost()) {
apiUnauthorizedError(ctx)
APIUnauthorizedError(ctx)
}
}
@@ -156,7 +158,7 @@ func Authenticate(ctx *context.Context) {
packageScope := auth_service.GetAccessScope(ctx.Data)
if u == nil {
if setting.Service.RequireSignInViewStrict {
apiUnauthorizedError(ctx)
APIUnauthorizedError(ctx)
return
}
@@ -170,7 +172,7 @@ func Authenticate(ctx *context.Context) {
if err != nil {
log.Error("Error checking access scope: %v", err)
}
apiUnauthorizedError(ctx)
APIUnauthorizedError(ctx)
return
}
}