Fix bearer token invalidation bug by calling AddResponses() twice on 401 errors #763
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue #, if available:
#686
Description of changes:
There's a pretty detailed description of the bug that this PR fixes at #686. This fix addresses the first sentence of the second paragraph there:
Instead of just calling
AddResponses()
with the one response, this PR changes that logic to provide the same 401 response twice toAddResponses()
to force invalidation of the expired token and then adds a second call toAddResponses()
with just once 401 response to fetch a fresh bearer token before proceeding to retry fetching resources from the remote registry.Testing performed:
We have been using this fix in production at BuildBuddy to stream public container images from remote registries without incident:
Kern also kindly offered to add an integration test for this bug in #686.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.