Blob endpoint response for missing repositories #22363
Description
In Harbor 2.13 I have a public project that is configured as a public pull through cache for docker.io registry that doesn't require any kind of authentication.
harbor.example.com/docker.io
When I try to download a blob from the non-existing repository I get 401 response from the endpoint using the crane CLI I get
Error: fetching blob harbor.example.com/docker.io/non/existing/repo@sha256:XXXX: GET https://harbor.example.com/v2/docker.io/non/existing/repo/blobs/sha256:XXXX: UNAUTHORIZED: http status code: 401, body: {"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"non/existing/repo","Action":"pull"}]}]}
I see that the token service will issue a token that is used by the crane for this request.
Is that an expected response type? Why this is not a 404 response that would be aligned with the distribution spec - https://specs.opencontainers.org/distribution-spec/?v=v1.0.0#endpoints
end-2 | GET / HEAD | /v2/<name>/blobs/<digest> | 200 | 404
Other endpoints behavior
List tags
If I do list tags request I get 200 with empty list
{"name":"docker.io/non/existing/repo","tags":[]}
Getting a non-existing tag (manifest endpoint)
If I try to fetch a non-existing tag I get 404 response from the registry:
2025/09/16 15:35:18 <-- 404 https://harbor.example.com/v2/docker.io/non/existing/repo/manifests/0.0.0 (619.680167ms)
2025/09/16 15:35:18 HTTP/1.1 404 Not Found
Content-Length: 122
Connection: keep-alive
Content-Type: application/json; charset=utf-8
Date: Tue, 16 Sep 2025 13:35:18 GMT
Server: nginx
Set-Cookie: sid=XXXX ; Path=/; HttpOnly
X-Request-Id: UUID
{"errors":[{"code":"NOT_FOUND","message":"repository docker.io/non/existing/repo not found"}]}
Error: fetching manifest harbor.example.com/docker.io/non/existing/repo:0.0.0: ....