From be0b41e80ce34e57e0e94c85a2f0c5608967591b Mon Sep 17 00:00:00 2001
From: Klukas
Date: Wed, 29 Jan 2025 13:28:48 -0500
Subject: [PATCH] Drop auth_info on redirect

In particular, this addresses a case where a user-facing registry redirects to blob storage in S3, providing a URL that includes various `X-Amz-*` query parameters. S3 refuses requests that have both Authentication header and authentication query parameters.
---
 src/registry/http/http_cli/mod.rs | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/registry/http/http_cli/mod.rs b/src/registry/http/http_cli/mod.rs
index 3718781..21b6484 100644
--- a/src/registry/http/http_cli/mod.rs
+++ b/src/registry/http/http_cli/mod.rs
@@ -95,6 +95,13 @@ impl HttpCli {
 )
 })?;
 }
+ // We drop existing auth info since this may conflict with auth for the
+ // redirected destination. In particular, a redirect to blobs in S3 may
+ // include X-Amz-* query parameters in the URL that cannot be used in
+ // conjunction with an Authentication header.
+ let mut ai = self.auth_info.lock().await;
+ *ai = None;
+ drop(ai);
 continue;
 }
 RequestFailType::ConnectError(_) => continue,
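Review bot: The added block resets the client-wide `self.auth_info` on every redirect, and neither the comment nor the code says how far that is meant to reach. Since the field lives behind a lock on `self` rather than on the single request, the reset presumably also affects later requests to the original registry, and it fires for same-host redirects too; if only cross-origin hops should lose credentials, compare the redirect target's scheme, host and port with the original URL before clearing, which needs checking against the redirect handling and the loop outside this hunk. The comment should also state the security reason, e.g. `// Registry credentials must not be forwarded to the redirect target, which may be a different origin.`, and name the header correctly (`Authorization`, not "Authentication"). The three statements can be collapsed to `*self.auth_info.lock().await = None;`, which releases the guard at the end of the statement.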