diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb
index 06d967747545e30b43ffb3232c8c8c7d8c2a1dd3..34d5d99558e8c082327718feef8db12f162bdbbd 100644
--- a/app/controllers/jwt_controller.rb
+++ b/app/controllers/jwt_controller.rb
@@ -11,10 +11,8 @@ class JwtController < ApplicationController
     service = SERVICES[params[:service]]
     return head :not_found unless service
 
-    @authentication_result ||= Gitlab::Auth::Result.new
-
     result = service.new(@authentication_result.project, @authentication_result.actor, auth_params).
-      execute(authentication_abilities: @authentication_result.authentication_abilities)
+      execute(authentication_abilities: @authentication_result.authentication_abilities || [])
 
     render json: result, status: result[:http_status]
   end
@@ -22,6 +20,8 @@ class JwtController < ApplicationController
   private
 
   def authenticate_project_or_user
+    @authentication_result = Gitlab::Auth::Result.new
+
     authenticate_with_http_basic do |login, password|
       @authentication_result = Gitlab::Auth.find_for_git_client(login, password, project: nil, ip: request.ip)
 
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index 98da65639475438a96ca575f7a6360bd7fd7927d..38ac66312287e2842fba59c100aba486cc2977ee 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -5,7 +5,7 @@ module Auth
     AUDIENCE = 'container_registry'
 
     def execute(authentication_abilities:)
-      @authentication_abilities = authentication_abilities || []
+      @authentication_abilities = authentication_abilities
 
       return error('not found', 404) unless registry.enabled
 
diff --git a/lib/ci/mask_secret.rb b/lib/ci/mask_secret.rb
index 3388a642eb476e06d2b01c00474e6778d89c7ebc..997377abc55fd6ff858298319dd36a342469994f 100644
--- a/lib/ci/mask_secret.rb
+++ b/lib/ci/mask_secret.rb
@@ -1,9 +1,10 @@
 module Ci::MaskSecret
   class << self
     def mask!(value, token)
-      return unless value.present? && token.present?
+      return value unless value.present? && token.present?
 
       value.gsub!(token, 'x' * token.length)
+      value
     end
   end
 end
diff --git a/spec/lib/ci/mask_secret_spec.rb b/spec/lib/ci/mask_secret_spec.rb
index a69385331385ff68e7929f7469a257e897395310..3101bed20fbab9193efd65e075ab69125342317a 100644
--- a/spec/lib/ci/mask_secret_spec.rb
+++ b/spec/lib/ci/mask_secret_spec.rb
@@ -16,10 +16,12 @@ describe Ci::MaskSecret, lib: true do
       expect(mask('token', 'not')).to eq('token')
     end
 
+    it 'does support null token' do
+      expect(mask('token', nil)).to eq('token')
+    end
+
     def mask(value, token)
-      value = value.dup
-      subject.mask!(value, token)
-      value
+      subject.mask!(value.dup, token)
     end
   end
 end