Open fsavy-tehtris opened 11 months ago
Hi, thank you for notifying me about this.
The credential-process
RFC is rather specific to Cargo (on the user's machine) and doesn't need any changes on the side of the registries.
But the registry-auth
RFC (which has been stabilised alongside credential-process
in rust-lang/cargo#12649) does specify how registries can communicate to Cargo to send the Authorization
header for every endpoints (like crate search and crate download).
They seem to have done this about two weeks ago and I completely missed it, thanks again for the notification.
As a first approach, I think you are right to propose a new configuration option, similar to the login_required
one in [frontend]
(maybe a new auth_required
option in [general]
?).
Implementation-wise, this would mean to make the previously-unauthenticated endpoints take in an Option<Auth>
argument and make the relevant checks in the body, in the same manner that the frontend does it with login_required
:
Actually, now that there is a new auth-required
option in the crate index's config.json
file, one way to implement this could be to have the registry read out this value when starting up, instead of having a new configuration option of our own which could get out of sync with that config.json
file.
We could even make the frontend.login_required
option be optional and make it inherit from that auth-required
option from the crate index if it is omitted.
With the stabilization of credential-process in
cargo
, more routes can be protected with a token thatcargo
can provide. (this is kinda related to #93)Are there any plans to add authentication to these other routes (I'm mostly interested in
download
)?From a quick glance, I believe this could be achieved by adding an
Auth
parameter like it's done inpublish
: https://github.com/Hirevo/alexandrie/blob/4813442d0bc4ff419725c1684ffff94960d2cce7/crates/alexandrie/src/api/crates/publish.rs#L195-L197We also probably need an additional configuration value to let users enable or disable this feature. Would you welcome a PR with such modifications?