Add workaround for multiple WWW-Auth schemes

AlexGustafsson · AlexGustafsson · commit 92505db124b4 · 2026-03-14T08:46:08.000+01:00
Forgejo (and I guess Gitea), at least on Codeberg will specify both
bearer and basic auth in the WWW-Authenticate header, which is a bit
ambiguous to parse. For now, work around this by just handling the first
scheme and ignoring any other parts of the header.
diff --git a/internal/httputil/headers.go b/internal/httputil/headers.go
@@ -74,6 +74,8 @@ func ParseLinkHeader(origin *url.URL, header string) ([]Link, error) {
 // ParseWWWAuthenticateHeader parses a Www-Authenticate header.
 // Returns the scheme and parameters.
 //
+// NOTE: Only returns the first scheme, any following scheme is ignored.
+//
 // SEE: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate.
 func ParseWWWAuthenticateHeader(header string) (string, map[string]string, error) {
 	var scheme string
@@ -83,8 +85,9 @@ func ParseWWWAuthenticateHeader(header string) (string, map[string]string, error
 	paramKey := ""
 	paramValue := ""
 	gotParamDelimiter := false
+loop:
 	for i, c := range header {
-		isAlpha := c >= 'a' && c <= 'z'
+		isAlpha := (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'z')
 		isNumeric := c >= '0' && c <= '0'
 		isAlphaNumeric := isAlpha || isNumeric || c == '-'
 		isEnd := i == len(header)-1
@@ -104,6 +107,12 @@ func ParseWWWAuthenticateHeader(header string) (string, map[string]string, error
 				}
 			}
 		case "paramKey":
+			// For now, only parse the first scheme
+			if paramKey == "Bearer" || paramKey == "Basic" {
+				state = "end"
+				break loop
+			}
+
 			// Consume optional whitespace after params delimiter
 			if gotParamDelimiter && c == ' ' {
 				continue
diff --git a/internal/httputil/headers_test.go b/internal/httputil/headers_test.go
@@ -200,6 +200,16 @@ func TestParseWWWAuthenticateHeader(t *testing.T) {
 			},
 			Error: false,
 		},
+		{
+			Header:         `Bearer realm="https://codeberg.org/v2/token",service="container_registry",scope="*",Basic realm="https://codeberg.org/v2",service="container_registry",scope="*"`,
+			ExpectedScheme: "Bearer",
+			ExpectedParams: map[string]string{
+				"realm":   "https://codeberg.org/v2/token",
+				"service": "container_registry",
+				"scope":   "*",
+			},
+			Error: false,
+		},
 		{
 			Header: `Basic realm="Dev" charset="ASCII" charset="UTF-8"`,
 			Error:  true,
diff --git a/internal/oci/client_test.go b/internal/oci/client_test.go
@@ -184,6 +184,7 @@ func TestClientGetTags(t *testing.T) {
 		"registry.k8s.io/kube-state-metrics/kube-state-metrics",
 		"gcr.io/zenika-hub/alpine-chrome",
 		"mongo",
+		"codeberg.org/forgejo/forgejo:14.0.2-rootless",
 	}
 
 	for _, reference := range references {

Original file line number	Diff line number	Diff line change
`@@ -184,6 +184,7 @@ func TestClientGetTags(t *testing.T) {`
`184`	`184`	`"registry.k8s.io/kube-state-metrics/kube-state-metrics",`
`185`	`185`	`"gcr.io/zenika-hub/alpine-chrome",`
`186`	`186`	`"mongo",`
	`187`	`+ "codeberg.org/forgejo/forgejo:14.0.2-rootless",`
`187`	`188`	`}`
`188`	`189`
`189`	`190`	`for _, reference := range references {`