🔒️✨ docker: Support basic auth for docker hub #76

2025-10-03T16:52:06+08:00

Rirmach commented

2025-10-03 16:52:06 +08:00

(Migrated from github.com)

初步支持 docker hub 认证拉取

考虑到 docker hub 的拉取流程独立于自定义上游进行，因此相应配置也独立于 registries 数组
默认配置中，认证信息留空（匿名拉取）

Summary by CodeRabbit

New Features
- Added optional Docker Hub authentication. You can now provide a username and token in the app configuration to enable authenticated pulls.
- When credentials are supplied, the app automatically uses basic authentication; if not, it continues with anonymous access.
- Default behavior remains unchanged for users who do not configure credentials.

# 初步支持 docker hub 认证拉取 1. 考虑到 docker hub 的拉取流程独立于自定义上游进行，因此相应配置也独立于 registries 数组 2. 默认配置中，认证信息留空（匿名拉取）  ## Summary by CodeRabbit * **New Features** * Added optional Docker Hub authentication. You can now provide a username and token in the app configuration to enable authenticated pulls. * When credentials are supplied, the app automatically uses basic authentication; if not, it continues with anonymous access. * Default behavior remains unchanged for users who do not configure credentials.

coderabbitai[bot] commented

2025-10-03 16:52:13 +08:00

(Migrated from github.com)

Walkthrough

Added Docker Hub auth config (username, token) to config files and structures, initialized defaults, and updated Docker proxy initialization to use basic auth when credentials are provided, otherwise anonymous.

Changes

Cohort / File(s)	Summary
Configuration schema (TOML) `src/config.toml`	Introduced `[dockerHubAuth]` with `username` and `token`; minor formatting tweak on proxy line.
Configuration model (Go) `src/config/config.go`	Added `DockerHubAuth` struct to `AppConfig` with `Username`, `Token`; set empty defaults in `DefaultConfig`.
Docker proxy auth handling `src/handlers/docker.go`	`InitDockerProxy` now selects basic auth if `DockerHubAuth` credentials exist; otherwise uses anonymous auth; other options unchanged.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant C as Config
  participant H as InitDockerProxy
  participant R as Docker Remote

  H->>C: Load DockerHubAuth (username, token)
  alt Credentials provided
    H->>R: Build options with BasicAuth(username, token)
    note right of R: New/changed path
  else No credentials
    H->>R: Build options with AnonymousAuth()
  end
  H->>R: Apply user agent and transport
  R-->>H: Remote client initialized

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I hop through configs, nose a-twitch—
Two keys appear, a snuggly switch:
If name and token line the burrow,
I pass with grace—no need to furrow.
Else I scurry, light and sly,
Anonymous, beneath the sky. 🐇🛠️

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title Check	⚠️ Warning	The title accurately summarizes the main change by indicating support for basic auth with Docker Hub, but it includes decorative emojis that are considered noise. Including emojis can detract from clarity and professionalism in pull request history. Removing them would keep the title concise and focused on the key change.	Please remove the emojis from the title so it reads “docker: Support basic auth for Docker Hub” to maintain clarity and professionalism.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

📝 Generate docstrings

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

## Walkthrough Added Docker Hub auth config (username, token) to config files and structures, initialized defaults, and updated Docker proxy initialization to use basic auth when credentials are provided, otherwise anonymous. ## Changes | Cohort / File(s) | Summary | |---|---| | **Configuration schema (TOML)** `src/config.toml` | Introduced `[dockerHubAuth]` with `username` and `token`; minor formatting tweak on proxy line. | | **Configuration model (Go)** `src/config/config.go` | Added `DockerHubAuth` struct to `AppConfig` with `Username`, `Token`; set empty defaults in `DefaultConfig`. | | **Docker proxy auth handling** `src/handlers/docker.go` | `InitDockerProxy` now selects basic auth if `DockerHubAuth` credentials exist; otherwise uses anonymous auth; other options unchanged. | ## Sequence Diagram(s) ```mermaid sequenceDiagram autonumber participant C as Config participant H as InitDockerProxy participant R as Docker Remote H->>C: Load DockerHubAuth (username, token) alt Credentials provided H->>R: Build options with BasicAuth(username, token) note right of R: New/changed path else No credentials H->>R: Build options with AnonymousAuth() end H->>R: Apply user agent and transport R-->>H: Remote client initialized ``` ## Estimated code review effort 🎯 2 (Simple) | ⏱️ ~10 minutes ## Poem > I hop through configs, nose a-twitch— > Two keys appear, a snuggly switch: > If name and token line the burrow, > I pass with grace—no need to furrow. > Else I scurry, light and sly, > Anonymous, beneath the sky. 🐇🛠️   ## Pre-merge checks and finishing touches <details> <summary>❌ Failed checks (1 warning)</summary> | Check name | Status | Explanation | Resolution | | :---------: | :--------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------- | | Title Check | ⚠️ Warning | The title accurately summarizes the main change by indicating support for basic auth with Docker Hub, but it includes decorative emojis that are considered noise. Including emojis can detract from clarity and professionalism in pull request history. Removing them would keep the title concise and focused on the key change. | Please remove the emojis from the title so it reads “docker: Support basic auth for Docker Hub” to maintain clarity and professionalism. | </details> <details> <summary>✅ Passed checks (2 passed)</summary> | Check name | Status | Explanation | | :----------------: | :------- | :----------------------------------------------------------------------------------- | | Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. | | Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. | </details>   <details> <summary>✨ Finishing touches</summary> - [ ]  📝 Generate docstrings <details> <summary>🧪 Generate unit tests (beta)</summary> - [ ]  Create PR with unit tests - [ ]  Post copyable unit tests in a comment </details> </details>   --- Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. <details> <summary>❤️ Share</summary> - [X](https://twitter.com/intent/tweet?text=I%20just%20used%20%40coderabbitai%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20the%20proprietary%20code.%20Check%20it%20out%3A&url=https%3A//coderabbit.ai) - [Mastodon](https://mastodon.social/share?text=I%20just%20used%20%40coderabbitai%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20the%20proprietary%20code.%20Check%20it%20out%3A%20https%3A%2F%2Fcoderabbit.ai) - [Reddit](https://www.reddit.com/submit?title=Great%20tool%20for%20code%20review%20-%20CodeRabbit&text=I%20just%20used%20CodeRabbit%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20proprietary%20code.%20Check%20it%20out%3A%20https%3A//coderabbit.ai) - [LinkedIn](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fcoderabbit.ai&mini=true&title=Great%20tool%20for%20code%20review%20-%20CodeRabbit&summary=I%20just%20used%20CodeRabbit%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20proprietary%20code) </details> Comment `@coderabbitai help` to get the list of available commands and usage tips.

coderabbitai[bot] (Migrated from github.com) reviewed 2025-10-03 16:53:56 +08:00

coderabbitai[bot] (Migrated from github.com) left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
src/config/config.go (1)
228-271: Add environment variable support for Docker Hub credentials.

The overrideFromEnv function does not provide environment variable overrides for DockerHubAuth, which is a common pattern for managing secrets in containerized environments. This limits deployment flexibility, especially in Docker/Kubernetes where credentials should not be hardcoded in config files.

Add environment variable support:
 	if val := os.Getenv("MAX_IMAGES"); val != "" {
 		if maxImages, err := strconv.Atoi(val); err == nil && maxImages > 0 {
 			cfg.Download.MaxImages = maxImages
 		}
 	}
+
+	if val := os.Getenv("DOCKERHUB_USERNAME"); val != "" {
+		cfg.DockerHubAuth.Username = val
+	}
+	if val := os.Getenv("DOCKERHUB_TOKEN"); val != "" {
+		cfg.DockerHubAuth.Token = val
+	}
 }

🧹 Nitpick comments (2)

src/config.toml (1)

55-58: LGTM! Consider clarifying the token comment.

The new [dockerHubAuth] section is well-structured and the empty defaults correctly support anonymous pulls as stated in the PR objectives.

However, the token comment could be more specific about the expected token type.

Consider this enhancement to clarify the token type:
 # Docker Hub 认证信息,留空则匿名拉取
 [dockerHubAuth]
 username = "" # e.g., user1
-token = "" # e.g., dckr_pat_***
+token = "" # Docker Hub Access Token (e.g., dckr_pat_***)

src/handlers/docker.go (1)

74-82: Add validation and logging for Docker Hub authentication.

The conditional auth logic correctly checks for both credentials before enabling Basic auth, but silently falls back to anonymous mode when credentials are incomplete. This could lead to confusion when users expect authenticated access.

Consider these improvements:

Trim whitespace from credentials to prevent accidental empty values:

 	dockerHubAuth := config.GetConfig().DockerHubAuth
-	if dockerHubAuth.Token != "" && dockerHubAuth.Username != "" {
+	username := strings.TrimSpace(dockerHubAuth.Username)
+	token := strings.TrimSpace(dockerHubAuth.Token)
+	
+	if token != "" && username != "" {
 		options = append(options, remote.WithAuth(&authn.Basic{
-			Username: dockerHubAuth.Username,
-			Password: dockerHubAuth.Token,
+			Username: username,
+			Password: token,
 		}))
+		fmt.Println("Docker Hub: Using Basic authentication")
 	} else {
 		options = append(options, remote.WithAuth(authn.Anonymous))
+		if token != "" || username != "" {
+			fmt.Println("Warning: Docker Hub credentials incomplete, using anonymous authentication")
+		} else {
+			fmt.Println("Docker Hub: Using anonymous authentication")
+		}
 	}

Alternative: Fail fast if credentials are incomplete to make misconfiguration explicit:

 	dockerHubAuth := config.GetConfig().DockerHubAuth
-	if dockerHubAuth.Token != "" && dockerHubAuth.Username != "" {
+	username := strings.TrimSpace(dockerHubAuth.Username)
+	token := strings.TrimSpace(dockerHubAuth.Token)
+	
+	hasUsername := username != ""
+	hasToken := token != ""
+	
+	if hasUsername && hasToken {
 		options = append(options, remote.WithAuth(&authn.Basic{
-			Username: dockerHubAuth.Username,
-			Password: dockerHubAuth.Token,
+			Username: username,
+			Password: token,
 		}))
-	} else {
+		fmt.Println("Docker Hub: Using Basic authentication")
+	} else if !hasUsername && !hasToken {
 		options = append(options, remote.WithAuth(authn.Anonymous))
+		fmt.Println("Docker Hub: Using anonymous authentication")
+	} else {
+		fmt.Printf("Warning: Docker Hub credentials incomplete (username=%t, token=%t), using anonymous authentication\n", hasUsername, hasToken)
+		options = append(options, remote.WithAuth(authn.Anonymous))
 	}

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3f614e8011 and 4053481714.

📒 Files selected for processing (3)

src/config.toml (1 hunks)
src/config/config.go (2 hunks)
src/handlers/docker.go (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

src/handlers/docker.go (1)

src/config/config.go (1)

GetConfig (160-196)

🔇 Additional comments (2)

src/config/config.go (2)

51-54: LGTM! Struct definition is correct.

The DockerHubAuth struct is properly defined with appropriate TOML tags and integrates cleanly into the AppConfig structure.

116-122: LGTM! Default initialization aligns with anonymous pull behavior.

The empty default values for Username and Token correctly support anonymous Docker Hub pulls as specified in the PR objectives.

**Actionable comments posted: 0** > [!CAUTION] > Some comments are outside the diff and can’t be posted inline due to platform limitations. > > > > <details> > <summary>⚠️ Outside diff range comments (1)</summary><blockquote> > > <details> > <summary>src/config/config.go (1)</summary><blockquote> > > `228-271`: **Add environment variable support for Docker Hub credentials.** > > The `overrideFromEnv` function does not provide environment variable overrides for `DockerHubAuth`, which is a common pattern for managing secrets in containerized environments. This limits deployment flexibility, especially in Docker/Kubernetes where credentials should not be hardcoded in config files. > > > Add environment variable support: > > ```diff > if val := os.Getenv("MAX_IMAGES"); val != "" { > if maxImages, err := strconv.Atoi(val); err == nil && maxImages > 0 { > cfg.Download.MaxImages = maxImages > } > } > + > + if val := os.Getenv("DOCKERHUB_USERNAME"); val != "" { > + cfg.DockerHubAuth.Username = val > + } > + if val := os.Getenv("DOCKERHUB_TOKEN"); val != "" { > + cfg.DockerHubAuth.Token = val > + } > } > ``` > > </blockquote></details> > > </blockquote></details> <details> <summary>🧹 Nitpick comments (2)</summary><blockquote> <details> <summary>src/config.toml (1)</summary><blockquote> `55-58`: **LGTM! Consider clarifying the token comment.** The new `[dockerHubAuth]` section is well-structured and the empty defaults correctly support anonymous pulls as stated in the PR objectives. However, the token comment could be more specific about the expected token type. Consider this enhancement to clarify the token type: ```diff # Docker Hub 认证信息,留空则匿名拉取 [dockerHubAuth] username = "" # e.g., user1 -token = "" # e.g., dckr_pat_*** +token = "" # Docker Hub Access Token (e.g., dckr_pat_***) ``` </blockquote></details> <details> <summary>src/handlers/docker.go (1)</summary><blockquote> `74-82`: **Add validation and logging for Docker Hub authentication.** The conditional auth logic correctly checks for both credentials before enabling Basic auth, but silently falls back to anonymous mode when credentials are incomplete. This could lead to confusion when users expect authenticated access. Consider these improvements: 1. **Trim whitespace** from credentials to prevent accidental empty values: ```diff dockerHubAuth := config.GetConfig().DockerHubAuth - if dockerHubAuth.Token != "" && dockerHubAuth.Username != "" { + username := strings.TrimSpace(dockerHubAuth.Username) + token := strings.TrimSpace(dockerHubAuth.Token) + + if token != "" && username != "" { options = append(options, remote.WithAuth(&authn.Basic{ - Username: dockerHubAuth.Username, - Password: dockerHubAuth.Token, + Username: username, + Password: token, })) + fmt.Println("Docker Hub: Using Basic authentication") } else { options = append(options, remote.WithAuth(authn.Anonymous)) + if token != "" || username != "" { + fmt.Println("Warning: Docker Hub credentials incomplete, using anonymous authentication") + } else { + fmt.Println("Docker Hub: Using anonymous authentication") + } } ``` 2. **Alternative**: Fail fast if credentials are incomplete to make misconfiguration explicit: ```diff dockerHubAuth := config.GetConfig().DockerHubAuth - if dockerHubAuth.Token != "" && dockerHubAuth.Username != "" { + username := strings.TrimSpace(dockerHubAuth.Username) + token := strings.TrimSpace(dockerHubAuth.Token) + + hasUsername := username != "" + hasToken := token != "" + + if hasUsername && hasToken { options = append(options, remote.WithAuth(&authn.Basic{ - Username: dockerHubAuth.Username, - Password: dockerHubAuth.Token, + Username: username, + Password: token, })) - } else { + fmt.Println("Docker Hub: Using Basic authentication") + } else if !hasUsername && !hasToken { options = append(options, remote.WithAuth(authn.Anonymous)) + fmt.Println("Docker Hub: Using anonymous authentication") + } else { + fmt.Printf("Warning: Docker Hub credentials incomplete (username=%t, token=%t), using anonymous authentication\n", hasUsername, hasToken) + options = append(options, remote.WithAuth(authn.Anonymous)) } ``` </blockquote></details> </blockquote></details> <details> <summary>📜 Review details</summary> **Configuration used**: CodeRabbit UI **Review profile**: CHILL **Plan**: Pro <details> <summary>📥 Commits</summary> Reviewing files that changed from the base of the PR and between 3f614e8011223fe8cb0391938a317dce965d1344 and 405348171480b2a3fd9349ecf6c14fb3c2ab3d25. </details> <details> <summary>📒 Files selected for processing (3)</summary> * `src/config.toml` (1 hunks) * `src/config/config.go` (2 hunks) * `src/handlers/docker.go` (1 hunks) </details> <details> <summary>🧰 Additional context used</summary> <details> <summary>🧬 Code graph analysis (1)</summary> <details> <summary>src/handlers/docker.go (1)</summary><blockquote> <details> <summary>src/config/config.go (1)</summary> * `GetConfig` (160-196) </details> </blockquote></details> </details> </details> <details> <summary>🔇 Additional comments (2)</summary><blockquote> <details> <summary>src/config/config.go (2)</summary><blockquote> `51-54`: **LGTM! Struct definition is correct.** The `DockerHubAuth` struct is properly defined with appropriate TOML tags and integrates cleanly into the `AppConfig` structure. --- `116-122`: **LGTM! Default initialization aligns with anonymous pull behavior.** The empty default values for `Username` and `Token` correctly support anonymous Docker Hub pulls as specified in the PR objectives. </blockquote></details> </blockquote></details> </details>

Checking for merge conflicts…

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin Rirmach/dockerhub_auth:Rirmach/dockerhub_auth

git checkout Rirmach/dockerhub_auth

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: 3344/hubproxy#76