Fix OCI route mounting — integrate into authenticated /v2 group

NewRouter now accepts an optional OCI handler to mount inside the
authenticated /v2 route group, avoiding chi's Mount conflict on
an existing path.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 22:22:31 -07:00
parent 8cf26895a3
commit 15a306dc4a
3 changed files with 15 additions and 9 deletions


@@ -1,10 +1,15 @@
package server
import "github.com/go-chi/chi/v5"
import (
"net/http"
"github.com/go-chi/chi/v5"
)
// NewRouter builds the chi router with all OCI Distribution Spec
// endpoints and auth middleware wired up.
func NewRouter(validator TokenValidator, loginClient LoginClient, serviceName string) *chi.Mux {
// endpoints and auth middleware wired up. If ociRouter is non-nil,
// its routes are mounted under /v2 behind the auth middleware.
func NewRouter(validator TokenValidator, loginClient LoginClient, serviceName string, ociRouter http.Handler) *chi.Mux {
r := chi.NewRouter()
// Token endpoint is NOT behind RequireAuth — clients use Basic auth
@@ -15,6 +20,9 @@ func NewRouter(validator TokenValidator, loginClient LoginClient, serviceName st
r.Route("/v2", func(v2 chi.Router) {
v2.Use(RequireAuth(validator, serviceName))
v2.Get("/", V2Handler())
if ociRouter != nil {
v2.Mount("/", ociRouter)
}
})
return r
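Review bot: The `ociRouter != nil` guard inside the `/v2` group does not catch a typed nil: a caller that passes a nil pointer as the `http.Handler` argument produces a non-nil interface, so the handler is mounted anyway and will most likely panic on the first request it receives. The doc comment should state this, e.g. `// Pass an untyped nil to skip mounting; a nil pointer stored in an http.Handler is non-nil and will be mounted.` Since `v2.Mount("/", ociRouter)` is what places every route of that handler behind `RequireAuth`, a test that mounts a stub handler and asserts that an unauthenticated request to one of its paths never reaches the stub would pin that property; the test calls visible on this page all pass nil. NewRouter's body continues between the two hunks and is not fully shown here.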


@@ -15,7 +15,7 @@ func TestRoutesV2Authenticated(t *testing.T) {
claims: &auth.Claims{Subject: "alice", AccountType: "user", Roles: []string{"reader"}},
}
loginClient := &fakeLoginClient{token: "tok-abc", expiresIn: 3600}
router := NewRouter(validator, loginClient, "mcr-test")
router := NewRouter(validator, loginClient, "mcr-test", nil)
req := httptest.NewRequest(http.MethodGet, "/v2/", nil)
req.Header.Set("Authorization", "Bearer valid-token")
@@ -42,7 +42,7 @@ func TestRoutesV2Unauthenticated(t *testing.T) {
t.Helper()
validator := &fakeValidator{claims: nil, err: auth.ErrUnauthorized}
loginClient := &fakeLoginClient{}
router := NewRouter(validator, loginClient, "mcr-test")
router := NewRouter(validator, loginClient, "mcr-test", nil)
req := httptest.NewRequest(http.MethodGet, "/v2/", nil)
// No Authorization header.
@@ -66,7 +66,7 @@ func TestRoutesTokenEndpoint(t *testing.T) {
// The validator should never be called for /v2/token.
validator := &fakeValidator{claims: nil, err: auth.ErrUnauthorized}
loginClient := &fakeLoginClient{token: "tok-from-login", expiresIn: 1800}
router := NewRouter(validator, loginClient, "mcr-test")
router := NewRouter(validator, loginClient, "mcr-test", nil)
req := httptest.NewRequest(http.MethodGet, "/v2/token", nil)
req.SetBasicAuth("bob", "password")