From 8fed6bcc9b472b2064bea7cd7fd4ecc66ca42595 Mon Sep 17 00:00:00 2001 
From: Andreas Ahlenstorf Date: Sun, 15 Mar 2026 15:18:48 +0100 Subject: [PATCH] fix: add challenge for HTTP Basic Authentication to container registry (#11678) After the [first attempt](https://codeberg.org/forgejo/forgejo/pulls/11393) to introduce a separate challenge for HTTP Basic Authentication failed and had to be [backed out](https://codeberg.org/forgejo/forgejo/pulls/11616) because two challenges in a single header field were not widely supported, we're trying it again. This time a second `WWW-Authenticate` header is emitted. Example: ``` $ curl -v -u andreas --basic http://192.168.178.62:3000/v2 Enter host password for user 'andreas': * Trying 192.168.178.62:3000... * Connected to 192.168.178.62 (192.168.178.62) port 3000 * using HTTP/1.x * Server auth using Basic with user 'andreas' > GET /v2 HTTP/1.1 > Host: 192.168.178.62:3000 > Authorization: Basic ***** > User-Agent: curl/8.15.0 > Accept: */* > * Request completely sent off < HTTP/1.1 401 Unauthorized < Content-Length: 50 < Content-Type: application/json < Docker-Distribution-Api-Version: registry/2.0 < Www-Authenticate: Bearer realm="http://192.168.178.62:3000/v2/token",service="container_registry",scope="*" * Basic authentication problem, ignoring. < Www-Authenticate: Basic realm="Forgejo Container Registry" < Date: Sat, 14 Mar 2026 15:09:50 GMT < {"errors":[{"code":"UNAUTHORIZED","message":""}]} ``` Tested with Docker 29.1.3, Podman 5.8.0, and Apple container 0.9.0. ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). 
### Tests for Go changes (can be removed for JavaScript changes) - I added test coverage for Go changes... - [ ] in their respective `*_test.go` for unit tests. - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I ran... - [ ] `make pr-go` before pushing ### Tests for JavaScript changes (can be removed for Go changes) - I added test coverage for JavaScript changes... - [ ] in `web_src/js/*.test.js` if it can be unit tested. - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)). ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change. - [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change. *The decision if the pull request will be shown in the release notes is up to the mergers / release team.* The content of the `release-notes/.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11678 Reviewed-by: Mathieu Fenniak Reviewed-by: Michael Kriese Co-authored-by: Andreas Ahlenstorf Co-committed-by: Andreas Ahlenstorf --- routers/api/packages/container/container.go | 3 ++- .../api_packages_container_cleanup_sha256_test.go | 5 ++++- tests/integration/api_packages_container_test.go | 5 ++++- 3 files changed, 10 insertions(+), 3 deletions(-) 
diff --git a/routers/api/packages/container/container.go b/routers/api/packages/container/container.go
index 6781f511c8..f79bea2c84 100644
--- a/routers/api/packages/container/container.go
+++ b/routers/api/packages/container/container.go
@@ -118,7 +118,8 @@ func apiErrorDefined(ctx *context.Context, err *container_service.NamedError) {
 func APIUnauthorizedError(ctx *context.Context) {
 // Do not include more than one challenge in the same header field. That breaks clients even though the HTTP RFC
 // allows it.
- ctx.Resp.Header().Set("WWW-Authenticate", `Bearer realm="`+setting.AppURL+`v2/token",service="container_registry",scope="*"`)
+ ctx.Resp.Header().Add("WWW-Authenticate", `Bearer realm="`+setting.AppURL+`v2/token",service="container_registry",scope="*"`)
+ ctx.Resp.Header().Add("WWW-Authenticate", `Basic realm="Forgejo Container Registry"`)
 apiErrorDefined(ctx, container_service.ErrUnauthorized)
 }
diff --git a/tests/integration/api_packages_container_cleanup_sha256_test.go b/tests/integration/api_packages_container_cleanup_sha256_test.go
index 19b73f7698..50106e6834 100644
--- a/tests/integration/api_packages_container_cleanup_sha256_test.go
+++ b/tests/integration/api_packages_container_cleanup_sha256_test.go
@@ -63,7 +63,10 @@ func TestPackageContainerCleanupSHA256(t *testing.T) {
 Token string `json:"token"`
 }
- authenticate := []string{`Bearer realm="` + setting.AppURL + `v2/token",service="container_registry",scope="*"`}
+ authenticate := []string{
+ `Bearer realm="` + setting.AppURL + `v2/token",service="container_registry",scope="*"`,
+ `Basic realm="Forgejo Container Registry"`,
+ }
 t.Run("User", func(t *testing.T) {
 req := NewRequest(t, "GET", fmt.Sprintf("%sv2", setting.AppURL))
diff --git a/tests/integration/api_packages_container_test.go b/tests/integration/api_packages_container_test.go
index 21420bb0d8..75b703941a 100644
--- a/tests/integration/api_packages_container_test.go
+++ b/tests/integration/api_packages_container_test.go
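Review bot: In APIUnauthorizedError (routers/api/packages/container/container.go), writing the Bearer challenge with `Header().Add` no longer replaces a `WWW-Authenticate` value that something earlier in the request may already have written, so a stale challenge could be sent alongside the two intended ones; whether any middleware does that is not visible in this hunk. Keeping `Header().Set` for the Bearer line and using `Header().Add` only for the Basic line would preserve the old replace semantics while still emitting two separate header fields. The existing comment could also record that the order is deliberate, e.g. `// Bearer first: clients that read only the first WWW-Authenticate value keep using the token flow.`, if that is the intent. Because the Basic challenge invites clients to send the account password on every registry request, it is worth confirming that deployments expose this endpoint over TLS only.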
@@ -91,7 +91,10 @@ func TestPackageContainer(t *testing.T) {
 Token string `json:"token"`
 }
- authenticate := []string{`Bearer realm="` + setting.AppURL + `v2/token",service="container_registry",scope="*"`}
+ authenticate := []string{
+ `Bearer realm="` + setting.AppURL + `v2/token",service="container_registry",scope="*"`,
+ `Basic realm="Forgejo Container Registry"`,
+ }
 t.Run("Anonymous", func(t *testing.T) {
 defer tests.PrintCurrentTest(t)()