Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check token validity when loading registry config #15127

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Check token validity when loading registry config #15127

wants to merge 2 commits into from
+16 −7

Conversation

kornelski
Copy link
Contributor

This change checks validity of registry tokens earlier, when they're read from the config. Previously Cargo would check the token only when sending a request.

This makes the error message more helpful, because it can tell how the token has been defined. This is especially helpful when users do something like:

export CARGO_REGISTRIES_FOO_TOKEN=$(misconfigured tool printing error messages)

@rustbot
Copy link
Collaborator

rustbot commented Jan 31, 2025

r? @epage

rustbot has assigned @epage.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

@rustbot rustbot added A-interacts-with-crates.io Area: interaction with registries A-registry-authentication Area: registry authentication and authorization (authn authz) S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Jan 31, 2025
epage
epage reviewed Jan 31, 2025
View reviewed changes
src/cargo/util/auth/mod.rs
Comment on lines +240 to +250
if let Some(RegistryConfig {
token: Some(token), ..
}) = &cfg
{
check_token(&token.val.as_deref().expose()).with_context(|| {
format!(
"Token for {sid} is invalid (defined in {})",
token.definition
)
})?;
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is moving the check from

  • token credential provider

To

  • token credential provider
  • paseto credential provider
  • the enumeration of all credential providers

I'd want to better understand if its a good idea to be running this check in all of those other situations

CC @arlosi

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Construction of RegistryConfig is closer to TOML deserialization of credentials.toml than to implementation of credential providers. The token here is the input for downstream users of the registry config, and does not touch output token of credential providers (that's CredentialResponse).

Paseto uses secret_key and secret_key_subject fields, not token.

This field is only read by TokenCredential, apart from code that warns when cargo::token is not enabled.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@epage epage epage left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@epage epage

Labels
A-interacts-with-crates.io Area: interaction with registries A-registry-authentication Area: registry authentication and authorization (authn authz) S-waiting-on-review Status: Awaiting review from the assignee but also interested parties.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kornelski @rustbot @epage