From 165e6c8c3688b10f86183f352d1d3fa7eef792f8 Mon Sep 17 00:00:00 2001
From: Athos Ribeiro <athoscr@fedoraproject.org>
Date: Sun, 12 Apr 2020 12:56:40 +0200
Subject: [PATCH] Do not pass empty service param to auth challenge

When an auth challenge does not contain a value for service there is no
point in passing an empty value to the challenge endpoint. Moreover, not
passing an empty values makes it easier for a proxy [1] to omit the
service name from a client and set it before forwarding a request.

[1] https://docs.docker.com/registry/recipes/nginx/

Signed-off-by: Athos Ribeiro <athoscr@fedoraproject.org>
---
 registry/tokentransport.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/registry/tokentransport.go b/registry/tokentransport.go
index 6af11d1a2..faf14490b 100644
--- a/registry/tokentransport.go
+++ b/registry/tokentransport.go
@@ -113,7 +113,9 @@ type authService struct {
 
 func (a *authService) Request(username, password string) (*http.Request, error) {
 	q := a.Realm.Query()
-	q.Set("service", a.Service)
+	if len(a.Service) > 0 {
+		q.Set("service", a.Service)
+	}
 	for _, s := range a.Scope {
 		q.Set("scope", s)
 	}