Retain authentication attached to URLs when making requests to the same host #1874
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
MichaReiser
reviewed
Feb 22, 2024
zanieb
commented
Feb 22, 2024
charliermarsh
approved these changes
Feb 22, 2024
MichaReiser
approved these changes
Feb 22, 2024
Comment on lines
544
to
545
| /// <https://datatracker.ietf.org/doc/html/rfc7235#section-2.2> | ||
| /// <https://datatracker.ietf.org/doc/html/rfc7230#section-5.5> |
There was a problem hiding this comment.
Thanks for linking to the relevant sections
Comment on lines
569
to
571
| if request_url.port() != response_url.port() { | ||
| if (request_url.port() == default_port || request_url.port().is_none()) | ||
| && (response_url.port() == default_port || response_url.port().is_none()) |
There was a problem hiding this comment.
I find the check the port comment not that useful. I can see that we check something with the port but I'm having difficulty understanding what's being checked. Maybe we can explain that instead?
There was a problem hiding this comment.
This comment just matches all the previous ones saying which part we're checking, the inner comment is supposed to explain this. I can try to do better though.
There was a problem hiding this comment.
Okay 477e18b should be a lot better
|
Fyi I tested this against AWS CodeArtifact. |
This was referenced Feb 22, 2024
zanieb
added a commit
that referenced
this pull request
Feb 23, 2024
…les (#1886) Closes #1709 Closes #1371 Tested with the reproduction provided in #1709 which gets past the HTTP 401. Reuses the same copying logic we introduced in #1874 to ensure authentication is attached to file URLs with a realm that matches that of the index. I had to move the authentication logic into a new crate so it could be used in `distribution-types`. We will want to something more robust in the future, like track all realms with authentication in a central store and perform lookups there. That's what `pip` does and it allows consolidation of logic like netrc lookups. That refactor feels significant though, and I'd like to get this fixed ASAP so this is a minimal fix.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes #1860
In #1816, we started using the URL attached to a response instead of the request URL for subsequent requests — this fixes various bugs but has the side-effect of dropping credentials from the URL. Here, we transfer credentials from the request URL to the response URL. We perform RFC compliant checks for safety.