Use absolute realm URL in WWW-Authenticate and add service_name

OCI clients (podman, docker) require an absolute URL in the
WWW-Authenticate realm. Derive it from the request Host header
so it works behind any proxy. Add service_name to rift config.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/server/middleware.go

@@ -19,10 +19,14 @@ type TokenValidator interface {
 // into the request context. On failure a 401 with an OCI-format error
 // body and a WWW-Authenticate header is returned.
 func RequireAuth(validator TokenValidator, serviceName string) func(http.Handler) http.Handler {
-	wwwAuth := fmt.Sprintf(`Bearer realm="/v2/token",service="%s"`, serviceName)
-
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			// Build the WWW-Authenticate header with an absolute realm URL
+			// derived from the request Host, per OCI Distribution Spec.
+			scheme := "https"
+			realm := fmt.Sprintf("%s://%s/v2/token", scheme, r.Host)
+			wwwAuth := fmt.Sprintf(`Bearer realm="%s",service="%s"`, realm, serviceName)
+
 			token := extractBearerToken(r)
 			if token == "" {
 				w.Header().Set("WWW-Authenticate", wwwAuth)

internal/server/middleware_test.go

@@ -68,7 +68,7 @@ func TestRequireAuthMissing(t *testing.T) {
 	}
 
 	wwwAuth := rec.Header().Get("WWW-Authenticate")
-	want := `Bearer realm="/v2/token",service="mcr-test"`
+	want := `Bearer realm="https://example.com/v2/token",service="mcr-test"`
 	if wwwAuth != want {
 		t.Fatalf("WWW-Authenticate: got %q, want %q", wwwAuth, want)
 	}

internal/server/routes_test.go

@@ -55,7 +55,7 @@ func TestRoutesV2Unauthenticated(t *testing.T) {
 	}
 
 	wwwAuth := rec.Header().Get("WWW-Authenticate")
-	want := `Bearer realm="/v2/token",service="mcr-test"`
+	want := `Bearer realm="https://example.com/v2/token",service="mcr-test"`
 	if wwwAuth != want {
 		t.Fatalf("WWW-Authenticate: got %q, want %q", wwwAuth, want)
 	}