fix(proxy): get scope from headers for authentication

Author: plaffitt

internal/proxy/bearer.go

@@ -21,16 +21,16 @@ func (b *Bearer) GetToken() string {
 	return b.AccessToken
 }
 
-func NewBearer(endpoint string, scope string) (*Bearer, error) {
-	response, err := http.Get(endpoint + "/v2")
+func NewBearer(endpoint string, path string) (*Bearer, error) {
+	response, err := http.Get(endpoint + path)
 	if err != nil {
 		return nil, err
 	}
 
 	bearer := Bearer{}
 	if response.StatusCode == 401 {
 		wwwAuthenticate := parseWwwAuthenticate(response.Header.Get("www-authenticate"))
-		url := fmt.Sprintf("%s?service=%s&scope=%s", wwwAuthenticate["realm"], wwwAuthenticate["service"], scope)
+		url := fmt.Sprintf("%s?service=%s&scope=%s", wwwAuthenticate["realm"], wwwAuthenticate["service"], wwwAuthenticate["scope"])
 
 		response, err := http.Get(url)
 		if err != nil {

internal/proxy/proxy.go

@@ -2,7 +2,6 @@ package proxy
 
 import (
 	"errors"
-	"fmt"
 	"net/http"
 	"net/http/httputil"
 	"net/url"
@@ -44,12 +43,6 @@ func proxyRegistry(c *gin.Context, endpoint string, image string, httpToError bo
 		image = strings.Join(parts, "/")
 	}
 
-	scope := fmt.Sprintf("repository:%s:pull", image)
-	bearer, err := NewBearer(endpoint, scope)
-	if err != nil {
-		panic(err)
-	}
-
 	proxy := httputil.NewSingleHostReverseProxy(remote)
 
 	proxy.Director = func(req *http.Request) {
@@ -59,6 +52,10 @@ func proxyRegistry(c *gin.Context, endpoint string, image string, httpToError bo
 		req.URL.Host = remote.Host
 		req.URL.Path = "/v2/" + originRegistry + strings.Join(strings.Split(req.URL.Path, "/")[2:], "/")
 
+		bearer, err := NewBearer(endpoint, req.URL.Path)
+		if err != nil {
+			panic(err)
+		}
 		token := bearer.GetToken()
 		if token != "" {
 			req.Header.Set("Authorization", "Bearer "+token)