Thanks! And thanks for the stack-trace in the ticket; as a follow-up, I want to look at some of the uses of these so that they gracefully handle "no auth config" (nil); looks like various code-paths were depending on existing behavior from elsewhere, not accounting for nil at all 😞

FWIW; I had a quick check on docker pull ("image create" endpoint), and that looks to not have the same problem, as it unconditionally tries to unmarshal the header, even if not set;

(...) (perhaps linters want authConfig := &registry.AuthConfig{})

Indeed, thanks.

Looking at how other functions handle the header, perhaps we can do the

authConfig, _ := registry.DecodeAuthConfig(r.Header.Get(registry.AuthHeader))

I would believe that the if comes from a previous version, where an else would read from the request body, as I referenced in the issue.

Looking at the source code, it seems that a missing header would result in an empty authConfig.

Thoughts?

Yes, I'd be fine with changing it to try unconditionally for now.

My ultimate goal is to be more specific about whether auth is passed or not, so that code-paths further down the line can also make decisions whether they're dealing with an unauthenticated request (and skip some handling, or use alternatives), or authentication is present.

That's not present yet, so I think it's good to just change it to "unconditionally try to unmarshal" (as docker pull does)

I did a force push to avoid multiple commits, however, I don't think the CI is picking that ...

Any idea how to force the CI to run? Make "Draft" and "Ready" again?

I gave it a kick; it requires approval for first-time contributors; should be running now 👍

All green! Thanks!