-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move API token into the separate file. #3978
Conversation
Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @alexcrichton (or someone else) soon. If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes. Please see the contribution instructions for more information. |
07ec0d9
to
9f28a8a
Compare
Thanks for the PR! Looking good to me! Some thoughts:
|
cc @matklad (just to make you aware) |
What are your thoughts on
I think we definitely should remove support for old token location some time in the future, because leaving security-related backwards comparability code paths is not the right thing. |
Oh right sorry forgot to mention that. Yeah let's issue a warning if |
Got it. I'll update the PR by the end of the week |
☔ The latest upstream changes (presumably #3991) made this pull request unmergeable. Please resolve the merge conflicts. |
After diving into the code I found that it's a bit tricky to operate both tokens (from So I propose the next options:
|
Perhaps the token could be handled specially? We don't necessarily want to load it from all possible config files, right? Just the home dir? |
0edcf8b
to
3b43bba
Compare
@alexcrichton thank you for advice and sorry for a long delay. I've updated the code according to your recommendations. I'll introduce tests on the next week. |
Thanks @dethoter! One thing I just remembered (sorry for the runaround here) is that let's actually hold off on the warning for now. Users which use Cargo across multiple channels (stable/beta/nightly) would otherwise have no way to not get warnings, so let's wait for this support to hit stable and then we can enable warnings. |
I am now reading rust-lang/rfcs#2006 which proposes to add alternative registers to crates.io, which can be super useful in corporate scenarios. One of the issues there is that when there are multiple registers, you probably want to use different access tokens for them. I wonder if we can future proof this pull request for that sort of requirements changes. What if we use TOML for credentials, and store them like
? That way, we'll be able to add additional keys in the future easily. |
cc #3365 |
Seems reasonable to me! |
@alexcrichton no problem. I'll remove the code that warns. @matklad good proposal! It should be easy to switch file to TOML one. But there are some questions about compatibility. The old config supports just one registry, so users ask for token like A new one consists from different tokens for different registries. For example I'll store them like:
How can I handle a backward compatibility? Should a user now ask for a concrete token like: |
Cargo as a library is not Then, in the PR implementing #3365 we can switch API to Or do you think than it'd be easier to add multiple hosts from the start here? I am not super familiar with implementation here :) |
I believe it's the best option for now. I'll submit an update in a few days. |
☔ The latest upstream changes (presumably #4090) made this pull request unmergeable. Please resolve the merge conflicts. |
Now the token is stored in ~/.cargo/credentials (with 600 permissions on unix-like systems).
Now cargo looks for credentials and stores them in $CARGO_HOME/credentials. If credentials for requested host are not found cargo will try to get them from $CARGO_HOME/config, but it's temporary behavior. It should be disabled after users start to use a new config file).
a94d201
to
29960d2
Compare
During the implementation, I decided that it'd be better to return the old token if cargo couldn't find a token for a host. Returning the first from the map is actually a bad idea because it's associated with another host. If you have any better idea I'll be happy to discuss it. |
👍 |
Ok but to be clear we don't even know what the "url of a registry" is today. The url we currently use in lots of places, the index, seems clearly inferior to the actual url like "https://crates.io". What I'm worried about is that trying to preemptively support multiple registries when we don't actually know what it will look like will drive us into a corner which is very difficult to support in the future. Let's say we encode the index url today, but we'd rather "https://crates.io" tomorrow? We now have to support both urls! What if we decide to use bare identifiers for all registries instead of urls? I find |
Hm, an excellent point! So yeah, it makes sense to support a single token only in this PR, and implement multiple registers support later. Fixing #3365 is not really important now, because it affects only crates.io maintainers. Aslo, Unrelated, but we might want to change token location in the docs over here: https://github.com/rust-lang/cargo/blob/master/src/doc/crates-io.md#before-your-first-publish. |
@alexcrichton you're right, I'll remove support for multiple hosts from this PR.
@matklad thank you for advice, it's already done in 7c515a0. |
@alexcrichton @matklad seems like appveyor build is failed due to nmake issue. Could you please restart the build or point me how can I fix it? |
Ah no worries that should hopefully be fixed by the time this reaches the head of the queue. Thanks again @dethoter! @bors: r+ |
📌 Commit 1ccdc8b has been approved by |
Move API token into the separate file. Fix of #3748. BTW, it's not clear what to do with old config. Should I add a check for old config and try to remove [repository.token] field from it every time user add a new token? Or should I just prefer to use a token field from a new config over the old one?
☀️ Test successful - status-appveyor, status-travis |
@alexcrichton @matklad thank you for supporting. |
@dethoter, the |
Because |
@dethoter, but why can't credentials be local too? If the local |
AFAIK cargo will not support unnamed registries. So there is no reason to handle credentials per project. |
The precise design for multiple registries is still up in the air, but I think it's reasonable to consider loading any |
Fix of #3748. BTW, it's not clear what to do with old config.
Should I add a check for old config and try to remove [repository.token] field from it every time user add a new token?
Or should I just prefer to use a token field from a new config over the old one?