Private registry dependencies using API token

[danieleades]

• I am on the latest Poetry version.
• I have searched the issues of this repo and believe that this is not a duplicate.
• If an exception occurs when executing a command, I executed it again in debug mode (-vvv option).

• ubuntu 18.04
• poetry 1.0.5

Issue

Apologies for the brevity of this description, i'm not in front of my machine right now. There may be a very simple answer to this question.

Are private pypi registries accessible using the API token, rather than username/password? I see that API token support for the public pypi registry was added in #1275, was this intended to also provide support for non-public registries?

• we have an Artifactory-hosted pypi registry
• we can use poetry with this registry using username and password authentication
• we cannot use API token authentication with this registry
• we have security concerns with using username/password authentication
• other tools (such as twine) are able to access this registry using the API token, rather than username/password

I guess i'm asking if some part of the API token authentication implementation is hardcoded to the public pypi registry?

If it is intended that this should work, what diagnostic information can I provide, or debugging steps can I follow?

(note that i'm lagging a couple of releases on the poetry version. Please let me know if there's any changes that could affect this that are undocumented in the changelog)

[Persedes]

we have a similar setup and poetry (>=1) works fine with a PAT.
You can use the following command:

poetry config http-basic.foo $PAT "" (where pat goes in place of the user name)

https://python-poetry.org/docs/repositories/

[danieleades]

@Persedes if that works that is a massive help!

I'm going to tentatively say that this is still a bug. there's a documented solution using the api token that doesn't work-

poetry config pypi-token.$REPO $TOKEN

and an undocumented solution which allegedly does work

poetry config http-basic.$REPO $TOKEN ""

[jdeyton]

@danieleades I'm of the opinion the documentation is a little unclear. However it seems to work for multiple users:

There are steps provided here in #910, specifically #910 (comment)

For what it's worth, I was able to get a poetry to publish to a pywharf container backed by the local filesystem using this approach, with the exception that I provide the repo name as the username, e.g., with the repo "mypypi" and secret "foo":

user@host > poetry config repositories.mypypi http://localhost:8888/simple/                                                                                                                                                          
user@host > poetry config http-basic.mypypi mypypi foo
user@host > poetry publish -r mypypi

[matt-long-92]

I have encountered this issue also. Is anybody planning to work on resolving this?

[CarloDePieri]

I could not make poetry (v1.1.14) authenticate with private repo api token by using the cli either.

My current workaround is:

• adding the repo with poetry config repositories.myrepo https://youraddress
• manually edit the poetry global auth file (mine is at ~/.config/pypoetry/auth.toml) by adding this section:

[http-basic]

# possibly other repos are here

[http-basic.myrepo]
username = "__token__"  # literally this, it's not a placeholder
password = "mysecrettoken"  # the api token goes here

After that poetry can authenticate successfully and without further user interaction.

I could not replicate this working config by any combination of http-basic / pypi-token.

[charterchap]

For jfrog artifiactory specifically try generating a token for your user

[http-basic]
[http-basic.ag-dev]
username = "USERNAME"
password = "YOUR_TOKEN"