From af99f645342e429a8d60fabc8e49ced90052302c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 18 May 2026 22:41:05 +0000
Subject: [PATCH] fix(api): tighten OIDC basic token parsing and error wrapping

Agent-Logs-Url: https://github.com/project-zot/zot/sessions/0c0a0243-d702-44d5-a93f-457595fe485d

Co-authored-by: rchincha <45800463+rchincha@users.noreply.github.com>
---
 pkg/api/bearer_oidc.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/pkg/api/bearer_oidc.go b/pkg/api/bearer_oidc.go
index 5873655f..c1d01fde 100644
--- a/pkg/api/bearer_oidc.go
+++ b/pkg/api/bearer_oidc.go
@@ -226,7 +226,7 @@ func getOIDCTokenFromAuthorizationHeader(header string) (string, error) {
 	case "basic":
 		decodedStr, err := base64.StdEncoding.DecodeString(splitStr[1])
 		if err != nil {
-			return "", zerr.ErrInvalidBearerToken
+			return "", fmt.Errorf("%w: %w", zerr.ErrInvalidBearerToken, err)
 		}
 
 		pair := strings.SplitN(string(decodedStr), ":", 2) //nolint:mnd
@@ -238,8 +238,9 @@ func getOIDCTokenFromAuthorizationHeader(header string) (string, error) {
 		if tokenString == "" {
 			tokenString = pair[0]
 		}
+		tokenString = strings.TrimSpace(tokenString)
 
-		if strings.TrimSpace(tokenString) == "" {
+		if tokenString == "" {
 			return "", zerr.ErrInvalidBearerToken
 		}