From 9b7a5fc618f4364d13af184b2a37012fccbb83f5 Mon Sep 17 00:00:00 2001
From: Corey Larson <corey@earthly.dev>
Date: Fri, 2 Apr 2021 12:29:02 -0600
Subject: [PATCH] Remove potentially expired tokens.

Some registries (notably Quay) issue tokens that expire without providing an `expires in` value in the authorization payload. Therefore, if a token produces a 401, we should remove it and re-fetch.

Signed-off-by: Corey Larson <corey@earthly.dev>
---
 util/resolver/authorizer.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/util/resolver/authorizer.go b/util/resolver/authorizer.go
index e58038c4..32a3b23c 100644
--- a/util/resolver/authorizer.go
+++ b/util/resolver/authorizer.go
@@ -400,6 +400,11 @@ func (ah *authHandler) fetchToken(ctx context.Context, sm *session.Manager, g se
 }
 
 func invalidAuthorization(c auth.Challenge, responses []*http.Response) error {
+	lastResponse := responses[len(responses)-1]
+	if lastResponse.StatusCode == http.StatusUnauthorized {
+		return errors.Wrapf(docker.ErrInvalidAuthorization, "authorization status: %v", lastResponse.StatusCode)
+	}
+
 	errStr := c.Parameters["error"]
 	if errStr == "" {
 		return nil