Skip to content

Check token validity when loading registry config #15127

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Check token validity when loading registry config #15127

wants to merge 4 commits into from

Conversation

kornelski
Copy link
Contributor

This change checks validity of registry tokens earlier, when they're read from the config. Previously Cargo would check the token only when sending a request.

This makes the error message more helpful, because it can tell how the token has been defined. This is especially helpful when users do something like:

export CARGO_REGISTRIES_FOO_TOKEN=$(misconfigured tool printing error messages)

@rustbot
Copy link
Collaborator

rustbot commented Jan 31, 2025

r? @epage

rustbot has assigned @epage.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

@rustbot rustbot added A-interacts-with-crates.io Area: interaction with registries A-registry-authentication Area: registry authentication and authorization (authn authz) S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Jan 31, 2025
epage
epage reviewed Jan 31, 2025
View reviewed changes
epage
epage reviewed Jan 31, 2025
View reviewed changes
src/cargo/util/auth/mod.rs
Comment on lines +240 to +253
if let Some(RegistryConfig {
token: Some(token), ..
}) = &cfg
{
check_token(&token.val.as_deref().expose()).with_context(|| {
format!(
"Token for {sid} is invalid (defined in {})",
token.definition
)
})?;
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is moving the check from

  • token credential provider

To

  • token credential provider
  • paseto credential provider
  • the enumeration of all credential providers

I'd want to better understand if its a good idea to be running this check in all of those other situations

CC @arlosi

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Construction of RegistryConfig is closer to TOML deserialization of credentials.toml than to implementation of credential providers. The token here is the input for downstream users of the registry config, and does not touch output token of credential providers (that's CredentialResponse).

Paseto uses secret_key and secret_key_subject fields, not token.

This field is only read by TokenCredential, apart from code that warns when cargo::token is not enabled.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@arlo I'd be interested in your thoughts on this

@rustbot rustbot added A-registries Area: registries A-sparse-registry Area: http sparse registries A-testing-cargo-itself Area: cargo's tests labels Feb 3, 2025
@kornelski
Copy link
Contributor Author

kornelski commented Feb 3, 2025
edited
Loading

I've found another case where extra \n in the token causes an internal error:

Caused by:
  download of config.json failed

Caused by:
  failed to download from `[…]/index/config.json`

Caused by:
  [43] A libcurl function was given a bad argument

Fixed in e70f340 (the tests and released builds of Cargo report this error slightly differently, presumably because the tests use a custom mock HTTP server).

@rustbot

This comment has been minimized.

Sign in to view
epage
epage reviewed Aug 26, 2025
View reviewed changes
tests/testsuite/credential_process.rs
.alternative()
.no_configure_token()
.credential_provider(&["cargo:token-from-stdout", "true"])
.credential_provider(&["cargo:token-from-stdout", "echo", "incorrect token"])
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this test being changed?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This makes the test more precise, because it requires the token to be accepted syntactically, and rejected only by the server. true creates an empty string, which effectively skips per-byte checks of the token's content.

epage
epage reviewed Aug 26, 2025
View reviewed changes
tests/testsuite/registry_auth.rs
Comment on lines +393 to +394
#[cargo_test]
fn syntactically_invalid_token() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As a reminder, we generally prefer tests to be added in their own commit, showing the current behavior.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@epage epage epage left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@epage epage

Labels

A-interacts-with-crates.io Area: interaction with registries A-registries Area: registries A-registry-authentication Area: registry authentication and authorization (authn authz) A-sparse-registry Area: http sparse registries A-testing-cargo-itself Area: cargo's tests S-waiting-on-review Status: Awaiting review from the assignee but also interested parties.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kornelski @rustbot @epage