From 0d9c9913d2bd687ac7c5347872fa53153b5ad683 Mon Sep 17 00:00:00 2001
From: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
Date: Sat, 22 Nov 2025 16:09:52 +0800
Subject: [PATCH] Fix: bad request will remove header and retry login

If you're requesting on /v2/ with basic auth, AWS ECR will return 400 Bad Request and won't provide www-authenticate information.
Retry the request after removing the Authorization header.

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
---
 Sources/ContainerizationOCI/Client/RegistryClient.swift | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Sources/ContainerizationOCI/Client/RegistryClient.swift b/Sources/ContainerizationOCI/Client/RegistryClient.swift
index 4e3ac2e6..14f3142c 100644
--- a/Sources/ContainerizationOCI/Client/RegistryClient.swift
+++ b/Sources/ContainerizationOCI/Client/RegistryClient.swift
@@ -210,6 +210,11 @@ public final class RegistryClient: ContentClient {
                         throw err
                     }
 
+                    continue
+                } else if _response.status == .badRequest && request.headers.contains(name: "Authorization") {
+                    // Retry without basic auth
+                    request.headers.remove(name: "Authorization")
+                    retryCount += 1
                     continue
                 }
                 guard let retryOptions = self.retryOptions else {