authentik/website/netlify/functions/oci-proxy.js
dependabot[bot] d14a2906f5
website: bump prettier from 2.8.8 to 3.0.0 in /website ()
* website: bump prettier from 2.8.8 to 3.0.0 in /website

Bumps [prettier](https://github.com/prettier/prettier) from 2.8.8 to 3.0.0.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/2.8.8...3.0.0)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* prettier

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
2023-07-06 12:00:54 +02:00


// Static settings for the OCI token proxy.
const config = {
  // Value sent upstream as the `service` parameter of every token request.
  registryService: "ghcr.io",
  // Upstream token endpoint that getToken() fetches from.
  registryTokenEndpoint: "https://ghcr.io/token",
  // Prefix placed in front of the client-supplied repository name when the
  // requested scope is rewritten.
  namespace: "goauthentik/",
};
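/**
 * Relay a registry token request to the upstream token endpoint.
 *
 * Scoped requests (a `scope` query parameter containing ":") are rewritten to
 * `repository:<namespace><repo>:pull` and sent upstream without any of the
 * caller's headers. Requests without such a scope forward a fixed set of query
 * parameters together with the caller's headers (minus `host`).
 *
 * @param {object} event - Function event; `queryStringParameters` and
 *   `headers` are read. The event itself is not modified.
 * @returns {Promise<{statusCode: number, body: string}>} Upstream status code
 *   and the unparsed upstream response body.
 */
async function getToken(event) {
  const fetch = await import("node-fetch");
  const querystring = await import("querystring");
  const query = event.queryStringParameters;
  const requestedScope = query["scope"];
  const tokenParams = {
    service: config.registryService,
  };
  let forwardHeaders;
  if (requestedScope && requestedScope.includes(":")) {
    // The second ":"-separated field is used as the repository name. The
    // requested action is discarded and replaced with `pull`.
    // NOTE(review): the name is taken verbatim from the client and is not
    // checked against the repository-name grammar here; rejecting malformed
    // names is left to the upstream registry.
    const repo = requestedScope.split(":")[1];
    const rewrittenScope = `repository:${config.namespace}${repo}:pull`;
    // JSON.stringify escapes CR/LF and other control characters, so a crafted
    // scope cannot forge extra log lines.
    console.debug(
      `oci-proxy[token]: original scope: ${JSON.stringify(requestedScope)}`,
    );
    console.debug(
      `oci-proxy[token]: rewritten scope: ${JSON.stringify(rewrittenScope)}`,
    );
    tokenParams["scope"] = rewrittenScope;
    // We only need to forward headers for authentication requests
    forwardHeaders = {};
  } else {
    console.debug(`oci-proxy[token]: no scope`);
    // Work on a copy so the caller's event keeps its `host` header.
    forwardHeaders = { ...event.headers };
    delete forwardHeaders.host;
    // NOTE(review): every remaining inbound header is sent upstream, not just
    // `authorization`; consider an allowlist if the upstream only needs the
    // credentials.
    // For non-scoped requests, we need to forward some URL parameters.
    // Parameters the client did not send are left out instead of being
    // forwarded as empty strings.
    for (const param of ["account", "client_id", "offline_token", "token"]) {
      if (query[param] !== undefined) {
        tokenParams[param] = query[param];
      }
    }
  }
  const tokenUrl = `${config.registryTokenEndpoint}?${querystring.stringify(
    tokenParams,
  )}`;
  console.debug(`oci-proxy[token]: final URL to fetch: ${tokenUrl}`);
  const tokenRes = await fetch.default(tokenUrl, {
    headers: forwardHeaders,
  });
  const tokenResult = await tokenRes.text();
  console.debug(`oci-proxy[token]: Status ${tokenRes.status}`);
  return {
    statusCode: tokenRes.status,
    body: tokenResult,
  };
}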
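/**
 * Entry point of the OCI proxy function.
 *
 * - A request whose query string has a `token` key is handed to getToken().
 * - A request carrying an `authorization` header that starts with "Bearer "
 *   gets an empty 200 response.
 * - Anything else gets a 401 with a `www-authenticate` challenge whose realm
 *   points back at this host.
 *
 * @param {object} event - Function event (`httpMethod`, `rawUrl`,
 *   `queryStringParameters`, `headers` are read).
 * @param {object} context - Unused.
 * @returns {Promise<object>} Response with `statusCode`, `body` and, for the
 *   two root responses, `headers`.
 */
exports.handler = async function (event, context) {
  console.debug(`oci-proxy: URL ${event.httpMethod} ${event.rawUrl}`);
  // Go through Object.prototype: the keys of queryStringParameters come from
  // the client, so a query key named "hasOwnProperty" would otherwise shadow
  // the method and make the call throw.
  if (
    Object.prototype.hasOwnProperty.call(event.queryStringParameters, "token")
  ) {
    console.debug("oci-proxy: handler=token proxy");
    return await getToken(event);
  }
  const authorization = event.headers.authorization;
  if (authorization && authorization.startsWith("Bearer ")) {
    // Only the "Bearer " prefix is checked; the token itself is not inspected
    // in this function.
    // NOTE(review): presumably the registry that serves manifests and blobs
    // validates the token — confirm, since this 200 is not an access decision.
    console.debug("oci-proxy: authenticated root handler, returning 200");
    return {
      statusCode: 200,
      headers: {
        "Docker-Distribution-API-Version": "registry/2.0",
        "content-type": "application/json",
      },
      body: JSON.stringify({}),
    };
  }
  console.debug(
    "oci-proxy: root handler, returning 401 with www-authenticate",
  );
  // The host header is client-supplied and is reflected into a quoted
  // challenge parameter below. Drop every character that cannot appear in a
  // host[:port] value so it cannot close the quotes or add parameters.
  // Well-formed hosts pass through unchanged.
  const host = String(event.headers.host).replace(/[^A-Za-z0-9.:\[\]-]/g, "");
  return {
    statusCode: 401,
    headers: {
      "www-authenticate": `Bearer realm="https://${host}/v2?token",service="${host}",scope="repository:user/image:pull"`,
      "Docker-Distribution-API-Version": "registry/2.0",
      "content-type": "application/json",
    },
    body: JSON.stringify({}),
  };
};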