fix: fix auth for Dockerfiles referencing cross-project base images#526
fix: fix auth for Dockerfiles referencing cross-project base images#526WitoDelnat wants to merge 1 commit into
Conversation
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using high effort and found 3 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 5cc9744. Configure here.
| } | ||
| } | ||
|
|
||
| return false |
There was a problem hiding this comment.
Empty scopes skip Depot auth
Medium Severity
When projectID is set, shouldUseDepotCredentials incorrectly delegates FetchToken requests to the inner provider if req.Scopes are empty, nil, or don't explicitly match repository:{projectID}:. This bypasses Depot credentials, causing build failures for push/save operations that rely on them without a separate Docker login.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 5cc9744. Configure here.
| if provider.shouldUseDepotCredentials([]string{"repository:other-project:pull"}) { | ||
| t.Fatal("expected other project scope to use Docker credentials") | ||
| } | ||
| } |
There was a problem hiding this comment.
Low-value scope predicate tests
Low Severity
TestShouldUseDepotCredentialsForCurrentProjectScope and TestShouldUseDepotCredentialsFallsBackForOtherProjectScope only assert the private shouldUseDepotCredentials helper mirrors its own prefix logic. They do not exercise observable auth behavior and would not catch regressions in FetchToken or registry pulls beyond what TestFetchTokenFallsBackForOtherProjectScope already covers.
Triggered by team rule: Test Critic
Reviewed by Cursor Bugbot for commit 5cc9744. Configure here.
| } | ||
|
|
||
| func (a *AuthProvider) FetchToken(ctx context.Context, req *auth.FetchTokenRequest) (*auth.FetchTokenResponse, error) { | ||
| if !a.shouldUseDepotCredentials(req.Scopes) { |
There was a problem hiding this comment.
Credentials ignore project scoping
Medium Severity
FetchToken now gates Depot build credentials on projectID and OAuth scopes, but Credentials still returns the build x-token whenever req.Host matches registry.depot.dev, with no use of projectID. Cross-project base image pulls that authenticate through the Credentials RPC can still get the current-build token instead of Docker config credentials.
Reviewed by Cursor Bugbot for commit 5cc9744. Configure here.


Note
Medium Risk
Changes build-time registry authentication and token selection; incorrect scope logic could break pushes/pulls for the current project or still mis-auth cross-project images.
Overview
Registry auth now picks credentials from the OAuth scope, so pulls of base images in another Depot project use the user’s Docker config instead of the build’s Depot credentials.
AuthProviderstores a project ID andFetchTokenonly uses Depot credentials when scopes includerepository:<projectID>:...; otherwise it delegates to the inner Docker auth provider.WithDepotSavewires this viaReplaceDockerAuthForProject. Setup no longer merges Depot credentials into the Docker config file up front.Tests cover scope matching and
FetchTokenfallback for other-project scopes.Reviewed by Cursor Bugbot for commit 5cc9744. Bugbot is set up for automated code reviews on this repo. Configure here.