From 4c9ff0fb7de791ea4401acce8ce118b8e8ec6709 Mon Sep 17 00:00:00 2001
From: Alexander Larsson <alexl@redhat.com>
Date: Tue, 9 Jun 2020 13:43:35 +0200
Subject: [PATCH] oci authenticator: Only loop password prompt on 401 error

---
 common/flatpak-oci-registry.c                 | 12 ++++++++++++
 oci-authenticator/flatpak-oci-authenticator.c | 13 ++++++++++---
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c
index 6576ae81..48c8dd04 100644
--- a/common/flatpak-oci-registry.c
+++ b/common/flatpak-oci-registry.c
@@ -1036,6 +1036,18 @@ get_token_for_www_auth (FlatpakOciRegistry *self,
   if (body == NULL)
     return NULL;
 
+  if (!SOUP_STATUS_IS_SUCCESSFUL (auth_msg->status_code))
+    {
+      if (auth_msg->status_code == SOUP_STATUS_UNAUTHORIZED)
+        {
+          flatpak_fail_error (error, FLATPAK_ERROR_NOT_AUTHORIZED, _("Authorization failed: %s"), (char *)g_bytes_get_data (body, NULL));
+          return NULL;
+        }
+
+      flatpak_fail (error, _("Unexpected response status %d when requesting token: %s"), auth_msg->status_code, (char *)g_bytes_get_data (body, NULL));
+      return NULL;
+    }
+
   json = json_from_string ((char *)g_bytes_get_data (body, NULL), error);
   if (json == NULL)
     return NULL;
diff --git a/oci-authenticator/flatpak-oci-authenticator.c b/oci-authenticator/flatpak-oci-authenticator.c
index 85a36496..a8413eb5 100644
--- a/oci-authenticator/flatpak-oci-authenticator.c
+++ b/oci-authenticator/flatpak-oci-authenticator.c
@@ -539,6 +539,8 @@ handle_request_ref_tokens (FlatpakAuthenticator *f_authenticator,
           if (test_auth == NULL)
             return cancel_request (request, sender);
 
+          g_clear_error (&error);
+
           first_token = get_token_for_ref (registry, ref_data, test_auth, &error);
           if (first_token != NULL)
             {
@@ -547,14 +549,19 @@ handle_request_ref_tokens (FlatpakAuthenticator *f_authenticator,
             }
           else
             {
-              g_debug ("Failed to get token: %s", error->message);
-              g_clear_error (&error);
+              if (!g_error_matches (error, FLATPAK_ERROR, FLATPAK_ERROR_NOT_AUTHORIZED))
+                return error_request (request, sender, error);
+              else
+                {
+                  g_debug ("Auth failed getting token: %s", error->message);
+                  /* Keep error for reporting below, or clear on next iteration start */
+                }
             }
         }
     }
 
   if (!have_auth)
-    return error_request_raw (request, sender, FLATPAK_ERROR_AUTHENTICATION_FAILED, _("Authentication failed"));
+    return error_request (request, sender, error);
 
   g_variant_builder_init (&tokens, G_VARIANT_TYPE ("a{sas}"));