From be0bbb591134b94fcb3cb855ed00d40300f48987 Mon Sep 17 00:00:00 2001
From: chlins <chlins.zhang@gmail.com>
Date: Tue, 28 Oct 2025 11:04:28 +0800
Subject: [PATCH] fix(backend): correct auth key handling for token retrieval

Signed-off-by: chlins <chlins.zhang@gmail.com>
---
 pkg/backend/pull_by_d7y.go | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/pkg/backend/pull_by_d7y.go b/pkg/backend/pull_by_d7y.go
index b288e32e..465544ce 100644
--- a/pkg/backend/pull_by_d7y.go
+++ b/pkg/backend/pull_by_d7y.go
@@ -141,8 +141,20 @@ func getAuthToken(ctx context.Context, src *remote.Repository, registry, repo st
 		return "", fmt.Errorf("failed to get scheme: %w", err)
 	}
 
-	repo = strings.TrimPrefix(repo, registry+"/")
-	token, err := client.Cache.GetToken(ctx, registry, scheme, fmt.Sprintf("repository:%s:pull", repo))
+	// Auth key in client cache is different for basic and bearer authentication,
+	// it is empty for basic but with scope repository:{repo_name}:pull for bearer.
+	var authKey string
+	switch scheme {
+	case auth.SchemeBasic:
+		authKey = ""
+	case auth.SchemeBearer:
+		repo = strings.TrimPrefix(repo, registry+"/")
+		authKey = fmt.Sprintf("repository:%s:pull", repo)
+	default:
+		return "", fmt.Errorf("unsupported scheme: %s", scheme)
+	}
+
+	token, err := client.Cache.GetToken(ctx, registry, scheme, authKey)
 	if err != nil {
 		return "", fmt.Errorf("failed to get token: %w", err)
 	}