fix(registry): update WithHtpasswd to use os.CreateTemp instead of os.Create with filepath.Join.

modules/registry/options.go

@@ -3,7 +3,6 @@ package registry
 import (
 	"fmt"
 	"os"
-	"path/filepath"
 
 	"github.com/testcontainers/testcontainers-go"
 )
@@ -37,7 +36,7 @@ func WithData(dataPath string) testcontainers.CustomizeRequestOption {
 // the htpasswd file, thanks to the REGISTRY_AUTH_HTPASSWD_PATH environment variable.
 func WithHtpasswd(credentials string) testcontainers.CustomizeRequestOption {
 	return func(req *testcontainers.GenericContainerRequest) error {
-		tmpFile, err := os.Create(filepath.Join(os.TempDir(), "htpasswd"))
+		tmpFile, err := os.CreateTemp("", "htpasswd")
 		if err != nil {
 			tmpFile, err = os.Create(".")
 			if err != nil {

modules/registry/registry_test.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/cpuguy83/dockercfg"
 	"github.com/stretchr/testify/require"
+	"golang.org/x/crypto/bcrypt"
 
 	"github.com/testcontainers/testcontainers-go"
 	"github.com/testcontainers/testcontainers-go/modules/registry"
@@ -171,6 +172,67 @@ func TestRunContainer_authenticated_withCredentials(t *testing.T) {
 	require.Equal(t, http.StatusOK, resp.StatusCode)
 }
 
+func TestRunContainer_authenticated_htpasswd_atomic_per_container(t *testing.T) {
+	t.Parallel()
+	ctx := context.Background()
+	r := require.New(t)
+
+	type container struct {
+		pass     string
+		registry *registry.RegistryContainer
+		addr     string
+	}
+
+	newContainer := func(password string) container {
+		hash, err := bcrypt.GenerateFromPassword([]byte(password), 5)
+		r.NoError(err)
+
+		reg, err := registry.Run(
+			ctx,
+			registry.DefaultImage,
+			registry.WithHtpasswd("testuser:"+string(hash)),
+		)
+		r.NoError(err)
+		testcontainers.CleanupContainer(t, reg)
+
+		addr, err := reg.Address(ctx)
+		r.NoError(err)
+
+		return container{pass: password, registry: reg, addr: addr}
+	}
+
+	// Create two independent registries with different credentials.
+	regA := newContainer("passA")
+	regB := newContainer("passB")
+
+	client := http.Client{}
+
+	// 1. Wrong password against A must fail.
+	req, err := http.NewRequest(http.MethodGet, regA.addr+"/v2/_catalog", nil)
+	r.NoError(err)
+	req.SetBasicAuth("testuser", regB.pass)
+	resp, err := client.Do(req)
+	r.NoError(err)
+	r.Equal(http.StatusUnauthorized, resp.StatusCode)
+	_ = resp.Body.Close()
+
+	// 2. Correct password against A must succeed.
+	req.SetBasicAuth("testuser", regA.pass)
+	resp, err = client.Do(req)
+	r.NoError(err)
+	r.Equal(http.StatusOK, resp.StatusCode)
+	_ = resp.Body.Close()
+
+	// 3. Correct password against B must succeed.
+	req, err = http.NewRequest(http.MethodGet, regB.addr+"/v2/_catalog", nil)
+	r.NoError(err)
+	req.SetBasicAuth("testuser", regB.pass)
+	resp, err = client.Do(req)
+	r.NoError(err)
+	r.Equal(http.StatusOK, resp.StatusCode)
+	_ = resp.Body.Close()
+}
+
 func TestRunContainer_wrongData(t *testing.T) {
 	ctx := context.Background()
 	registryContainer, err := registry.Run(