From 2dc9d275b15a0802264bcd49e2f0dddbbadd2225 Mon Sep 17 00:00:00 2001
From: Christina Ying Wang <christina@balena.io>
Date: Mon, 24 Feb 2025 16:17:15 -0800
Subject: [PATCH] Don't revert to regular pull if delta server 401

If the Supervisor receives a 401 Unauthorized from the delta server
when requesting a delta image location, we should surface the error
instead of falling back to a regular pull immediately, as there could
be an issue with the delta auth token, which refreshes after
DELTA_TOKEN_TIMEOUT (10min), or some other edge case.

Change-type: patch
Signed-off-by: Christina Ying Wang <christina@balena.io>
---
 src/lib/docker-utils.ts | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/lib/docker-utils.ts b/src/lib/docker-utils.ts
index 9b03c2b7..2952b08e 100644
--- a/src/lib/docker-utils.ts
+++ b/src/lib/docker-utils.ts
@@ -219,9 +219,17 @@ export async function fetchDeltaWithProgress(
 				}
 				break;
 			case 3:
-				// If 400s status code, throw a more specific error & revert immediately to a regular pull
+				// If 400s status code, throw a more specific error & revert immediately to a regular pull,
+				// unless the code is 401 Unauthorized, in which case we should surface the error by retrying
+				// the delta server request, instead of falling back to a regular pull immediately.
 				if (res.statusCode >= 400 && res.statusCode < 500) {
-					throw new DeltaServerError(res.statusCode, res.statusMessage);
+					if (res.statusCode === 401) {
+						throw new Error(
+							`Got ${res.statusCode} when requesting an image from delta server: ${res.statusMessage}`,
+						);
+					} else {
+						throw new DeltaServerError(res.statusCode, res.statusMessage);
+					}
 				}
 				if (res.statusCode !== 200) {
 					throw new Error(