WWW-Authenticate parser drops spaced Bearer directives
Target: openai/tart at 6ada2b955d5af1724751056753f22a69f9fe00d1
Lane: Tart registry/OCI/fetcher/push/pull/credential/network error handling
Summary
WWWAuthenticate parses comma-separated authentication directives without trimming whitespace around directive keys. A standards-style header such as:
Bearer realm="https://auth.example.test/token", service="registry.example.test", scope="repository:owner/image:pull"
is parsed with keys named " service" and " scope" instead of "service" and "scope".
Registry.auth(response:) later looks up wwwAuthenticate.kvs["service"] and wwwAuthenticate.kvs["scope"], so Tart silently omits those token query parameters when the registry includes ordinary spaces after commas. Registries that require service or scope can reject or under-scope the token request.
Root Cause
Sources/tart/OCI/WWWAuthenticate.swift splits directives by commas and then by =, but stores the raw key substring:
let key = String(parts[0])
The parser already has context-aware comma splitting for quoted scopes, but it does not normalize optional whitespace around each directive.
Red Evidence
Proof worktree: /tmp/tart-source-bug-www-auth-spaces
Added a focused parser test:
func testDirectivesWithSpacesAfterCommas() throws
Red command:
swift test --filter WWWAuthenticateTests/testDirectivesWithSpacesAfterCommas
Red result:
XCTAssertEqual failed
actual keys included " service" and " scope"
Executed 1 test, with 1 failure
The failure proves the parser preserves leading spaces in directive keys.
Minimal Proof Fix
Trim whitespace around directive keys and values before stripping quotes:
- let key = String(parts[0])
+ let key = String(parts[0]).trimmingCharacters(in: .whitespaces)
var value = String(parts[1])
+ value = value.trimmingCharacters(in: .whitespaces)
value = value.trimmingCharacters(in: CharacterSet(charactersIn: "\""))
Green Evidence
Focused green:
swift test --filter WWWAuthenticateTests/testDirectivesWithSpacesAfterCommas
Result:
Executed 1 test, with 0 failures
Broader non-live suite:
swift test --skip LayerizerTests --skip RegistryTests
Result:
Executed 42 tests, with 0 failures
Classification
accepted_source_bug
WWW-Authenticate parser drops spaced Bearer directives
Target: openai/tart at
6ada2b955d5af1724751056753f22a69f9fe00d1Lane: Tart registry/OCI/fetcher/push/pull/credential/network error handling
Summary
WWWAuthenticateparses comma-separated authentication directives without trimming whitespace around directive keys. A standards-style header such as:is parsed with keys named
" service"and" scope"instead of"service"and"scope".Registry.auth(response:)later looks upwwwAuthenticate.kvs["service"]andwwwAuthenticate.kvs["scope"], so Tart silently omits those token query parameters when the registry includes ordinary spaces after commas. Registries that requireserviceorscopecan reject or under-scope the token request.Root Cause
Sources/tart/OCI/WWWAuthenticate.swiftsplits directives by commas and then by=, but stores the raw key substring:The parser already has context-aware comma splitting for quoted scopes, but it does not normalize optional whitespace around each directive.
Red Evidence
Proof worktree:
/tmp/tart-source-bug-www-auth-spacesAdded a focused parser test:
Red command:
swift test --filter WWWAuthenticateTests/testDirectivesWithSpacesAfterCommasRed result:
The failure proves the parser preserves leading spaces in directive keys.
Minimal Proof Fix
Trim whitespace around directive keys and values before stripping quotes:
Green Evidence
Focused green:
swift test --filter WWWAuthenticateTests/testDirectivesWithSpacesAfterCommasResult:
Broader non-live suite:
swift test --skip LayerizerTests --skip RegistryTestsResult:
Classification
accepted_source_bug