From 6ad3188b8561225bfd0370d7504e0e157f24048d Mon Sep 17 00:00:00 2001
From: pi-farm <info@pi-farm.de>
Date: Fri, 6 Feb 2026 23:14:57 +0100
Subject: [PATCH] add anonym token authentication

---
 multi-watch.sh | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)

diff --git a/multi-watch.sh b/multi-watch.sh
index 4252b3c..9bfd798 100644
--- a/multi-watch.sh
+++ b/multi-watch.sh
@@ -27,19 +27,37 @@ while true; do
         echo "Prüfe $TYPE: $REPO:$EXTRA..."
 
         if [ "$TYPE" == "DOCKER" ]; then
-            # Prüfen ob es Docker Hub (kein Punkt oder docker.io) oder eine eigene Registry ist
             if [[ "$REPO" != *"."* ]] || [[ "$REPO" == *"docker.io"* ]]; then
-                # Docker Hub
-                CLEAN_REPO=${REPO#docker.io/} # Entferne docker.io/ falls vorhanden
+                # --- Docker Hub Logik ---
+                CLEAN_REPO=${REPO#docker.io/}
                 [[ "$CLEAN_REPO" != *"/"* ]] && CLEAN_REPO="library/$CLEAN_REPO"
                 NEW_VAL=$(curl -s "https://hub.docker.com/v2/repositories/${CLEAN_REPO}/tags/${EXTRA}" | jq -r '.last_updated // empty')
             else
-                # Eigene Registry (V2 API)
+                # --- Custom Registry (z.B. Gitea) ---
                 REG_HOST=$(echo $REPO | cut -d/ -f1)
                 IMG_NAME=$(echo $REPO | cut -d/ -f2-)
-                # Wir holen den Docker-Content-Digest Header (funktioniert meist ohne komplexen Token-Voodoo)
-                NEW_VAL=$(curl -sI -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
-                    "https://${REG_HOST}/v2/${IMG_NAME}/manifests/${EXTRA}" | grep -i "Docker-Content-Digest" | awk '{print $2}' | tr -d '\r')
+
+                # 1. Versuche einen anonymen Token zu holen (Standard V2 Auth)
+                TOKEN=$(curl -s "https://${REG_HOST}/v2/token?service=${REG_HOST}&scope=repository:${IMG_NAME}:pull" | jq -r '.token // empty')
+
+                # 2. Abfrage mit Token (falls vorhanden) und explizitem GET statt HEAD
+                if [ -n "$TOKEN" ] && [ "$TOKEN" != "null" ]; then
+                    AUTH_HEADER="Authorization: Bearer $TOKEN"
+                else
+                    AUTH_HEADER="X-No-Auth: true" # Dummy Header
+                fi
+
+                # Wir nutzen curl -i (Header + Body) und fangen den Digest ab
+                RESPONSE=$(curl -s -i -H "$AUTH_HEADER" \
+                    -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
+                    "https://${REG_HOST}/v2/${IMG_NAME}/manifests/${EXTRA}")
+                
+                NEW_VAL=$(echo "$RESPONSE" | grep -i "docker-content-digest" | awk '{print $2}' | tr -d '\r')
+                
+                # Falls Digest leer, versuche ETag (Backup für manche Registries)
+                if [ -z "$NEW_VAL" ]; then
+                    NEW_VAL=$(echo "$RESPONSE" | grep -i "etag" | awk '{print $2}' | tr -d '\r' | tr -d '"')
+                fi
             fi
         elif [ "$TYPE" == "GITHUB" ]; then
             NEW_VAL=$(curl -s "https://api.github.com/repos/${REPO}/branches/${EXTRA}" | jq -r '.commit.sha // empty')