The /v2/token endpoint now detects when the password looks like a JWT (contains two dots) and validates it directly against MCIAS before falling back to the standard username+password login flow. This enables non-interactive registry auth for service accounts — podman login with a pre-issued MCIAS token as the password. Follows the personal-access-token pattern used by GHCR, GitLab, etc. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
package server
import (
"net/http"
"github.com/go-chi/chi/v5"
)
// NewRouter assembles the chi router for the registry: the OCI
// Distribution Spec surface under /v2 plus the auth wiring around it.
//
// Route layout:
//   - GET /v2/token is registered on the root router, outside the
//     authenticated /v2 group. Clients present Basic credentials there
//     and receive a bearer token. The validator is handed to the token
//     handler as well (per the commit description, so a pre-issued token
//     supplied as the Basic password can be checked directly instead of
//     going through loginClient).
//   - Everything else under /v2 runs through RequireAuth(validator,
//     serviceName): GET /v2/ (V2Handler) and, when ociRouter is non-nil,
//     the ociRouter routes mounted at /v2/*.
//
// chi resolves the static /v2/token pattern ahead of the /v2/* mount
// (static nodes win over wildcards in its routing tree), which is what
// keeps the token endpoint out of RequireAuth even though it shares the
// /v2 prefix. Do not move it inside the /v2 group.
//
// NOTE(review): Basic credentials and pre-issued tokens travel in the
// Authorization header, so whatever listener serves this router is
// expected to terminate TLS — confirm at the call site. RequireAuth is
// likewise assumed to answer unauthenticated requests with the 401 +
// WWW-Authenticate challenge that points clients at /v2/token, and
// serviceName is presumably the service/audience value used there —
// verify in RequireAuth.
//
// Parameters:
//   - validator:   used by RequireAuth for bearer-token checks and by
//     the token handler.
//   - loginClient: used by the token handler for the login flow.
//   - serviceName: passed through to RequireAuth.
//   - ociRouter:   optional; mounted under /v2 behind auth when non-nil.
//
// Returns the fully configured *chi.Mux.
func NewRouter(validator TokenValidator, loginClient LoginClient, serviceName string, ociRouter http.Handler) *chi.Mux {
	root := chi.NewRouter()

	// Unauthenticated token issuance. Registered before the /v2 mount so
	// the intent reads clearly; chi's static-over-wildcard matching is
	// what actually guarantees it bypasses RequireAuth.
	root.Get("/v2/token", TokenHandler(loginClient, validator))

	// Authenticated OCI surface. Built as a standalone sub-router and
	// mounted at /v2, which is exactly what r.Route("/v2", ...) does.
	protected := chi.NewRouter()
	protected.Use(RequireAuth(validator, serviceName))
	protected.Get("/", V2Handler())
	if ociRouter != nil {
		protected.Mount("/", ociRouter)
	}
	root.Mount("/v2", protected)

	return root
}