Many users have expressed interest in restricting anonymous browsing of the registry's crates, in an effort to allow a truly private (in the privacy sense) crate registry.
This PR adds a new boolean configuration option called login_required, which, if enabled, prevents unauthenticated users from browsing the registry using the frontend's pages.
This, however, still does not make the registry completely opaque to anonymous users by itself, due to some of Cargo's APIs not supporting authentication as of yet.
Cargo sends no token to these endpoints, so we can't really require one, like:
the crate search endpoint (/api/v1/crates?<q>), used by cargo search, which can be used to list all crates in the registry.
or the crate download endpoint (/api/v1/crates/:crate/:version/download), used by cargo fetch, which can be used to download any crate in the registry.
(I talk about this situation in more depth in this issue comment, if you wonder why it is like that and what is currently planned to be done about it by the Cargo team)
So, as of today, the definitive way of preventing every kind of anonymous browsing would still be to host the registry in a private network, and require the use of VPN or a proxy (like an SSH tunnel) to access it.
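As an added example, not code from this PR or from the registry itself, the following Rust snippet models the request gate that a `login_required` option implies, and makes the caveat above concrete: frontend pages are redirected to login for anonymous visitors, while the two Cargo endpoints named in the description are left reachable because Cargo sends no token to them. The `Config`, `Request`, `Decision` and `Route` types, the route classification and the `decide` function are assumptions made for illustration; the sample paths are constructed.

```rust
// Added example (not the registry's own code): a model of a login gate
// controlled by a `login_required` option. All names here are assumptions.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Decision {
    /// Serve the request as-is.
    Allow,
    /// A frontend page was requested without a session while login is required.
    RedirectToLogin,
}

pub struct Config {
    pub login_required: bool,
}

pub struct Request<'a> {
    /// Path plus optional query string, e.g. "/api/v1/crates?q=serde".
    pub path: &'a str,
    /// Whether the browser presented a valid session.
    pub has_session: bool,
}

#[derive(Debug, PartialEq, Eq)]
enum Route {
    /// Endpoints used by `cargo search` and `cargo fetch`: Cargo sends no
    /// token here, so the gate cannot demand one without breaking Cargo.
    TokenlessCargoApi,
    /// Any other API endpoint (these enforce their own token checks).
    OtherApi,
    /// HTML pages rendered by the frontend.
    Frontend,
}

fn classify(path: &str) -> Route {
    // Match on the path only; the query string (`?q=...`) is irrelevant here.
    let path = path.split('?').next().unwrap_or(path);
    let segments: Vec<&str> = path.trim_matches('/').split('/').collect();
    match segments.as_slice() {
        // /api/v1/crates?<q>  (cargo search): can list every crate.
        ["api", "v1", "crates"] => Route::TokenlessCargoApi,
        // /api/v1/crates/:crate/:version/download  (cargo fetch): can fetch any crate.
        ["api", "v1", "crates", _crate, _version, "download"] => Route::TokenlessCargoApi,
        ["api", ..] => Route::OtherApi,
        _ => Route::Frontend,
    }
}

/// Decide what to do with a request under the given configuration.
pub fn decide(cfg: &Config, req: &Request) -> Decision {
    match classify(req.path) {
        Route::Frontend if cfg.login_required && !req.has_session => Decision::RedirectToLogin,
        // The API is deliberately left alone: the token-less Cargo endpoints
        // cannot be gated at this layer, so only network-level controls
        // (private network, VPN, SSH tunnel) close them to anonymous users.
        _ => Decision::Allow,
    }
}

fn main() {
    let cfg = Config { login_required: true };
    let paths = [
        "/",
        "/crates/serde",
        "/api/v1/crates?q=serde",
        "/api/v1/crates/serde/1.0.0/download",
    ];
    for path in paths {
        let req = Request { path, has_session: false };
        println!("{path:40} -> {:?}", decide(&cfg, &req));
    }
}
```

Running it with `login_required` enabled shows the frontend paths redirecting while both Cargo endpoints stay open to an anonymous client, which is exactly the residual exposure the description warns about.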