Drop auth_info on redirect (#487)

In particular, this addresses a case where a user-facing registry redirects to blob storage in S3, providing a URL that includes various `X-Amz-*` query parameters. S3 refuses requests that have both Authentication header and authentication query parameters.
bazeltools · Jan 29, 2025 · cc0c1bf · cc0c1bf
1 parent 351c61c
commit cc0c1bf
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/src/registry/http/http_cli/mod.rs b/src/registry/http/http_cli/mod.rs
@@ -95,6 +95,13 @@ impl HttpCli {
                                     )
                                 })?;
                             }
+                            // We drop existing auth info since this may conflict with auth for the
+                            // redirected destination. In particular, a redirect to blobs in S3 may
+                            // include X-Amz-* query parameters in the URL that cannot be used in
+                            // conjunction with an Authentication header.
+                            let mut ai = self.auth_info.lock().await;
+                            *ai = None;
+                            drop(ai);
                             continue;
                         }
                         RequestFailType::ConnectError(_) => continue,