frostming / unearth

A utility to fetch and download python packages
https://unearth.readthedocs.io
MIT License

unearth asks for the username whereas provided in the index url #72

Closed deronnax closed 1 year ago

deronnax commented 1 year ago

Describe the bug

unearth asks for the login whereas it's provided in the index url:

./venv/bin/python -m unearth  --index-url 'https://__token__@gitlab.privaterepo.net/api/v4/projects/privateproject/packages/pypi/simple' privatepackage --verbose
DEBUG: Collecting links from https://***@gitlab.privaterepo.net/api/v4/projects/privateproject/packages/pypi/simple/privatepackage/
DEBUG: Found index url https://__token__@gitlab.privaterepo.net/api/v4/projects/privateproject/packages/pypi/simple
DEBUG: Found index url https://__token__@gitlab.privaterepo.net/api/v4/projects/privateproject/packages/pypi/simple
User for gitlab.privaterepo.net:

We found out the root cause, see additional context

To Reproduce

Expected behavior

unearth should not ask for the login and use the provided username

System (please complete the following information):

irrelevant

Additional context

We found out why it happens: At first, _get_new_credentials is called, with allow_netrc and allow_keyring set to false. Then unearth will receive a 401, and retry in handle_400s, but getting the url from the Response object, from which the username will have been stripped away from the url (see footnote). We found out that changing the first call to _get_new_credentials to set allow_netrc/allow_keyring to True works as expected (the username is extracted from the netrc/keyring and the query succeeds without prompting the user). So, possible fixes are:

https://github.com/frostming/unearth/blob/66b32c9c1bd68b7cd3ce630b4fb2166c02366f51/src/unearth/auth.py#L238

frostming commented 1 year ago

First, the credentials in the URL are provided incorrectly and unearth rejects them; you should include a : to split username and password, even if any part is empty.

And if the credentials in the URL are not valid, there is no need to extract them from the URL again, that's why it is OK to use resp.url with the auth part stripped.

  • either _get_new_credentials should be called first with allow_netrc/allow_keyring set to True

Yes, that is done in #75
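
The URL forms discussed in this thread, as an added example (not unearth's code and not part of either comment): a standard-library sketch of what userinfo a client can recover from `user@host`, from `user:@host`, and from the stripped URL a response carries. The host name, the `stored` mapping standing in for netrc/keyring, and the `split_auth`/`resolve` helpers are assumptions made for illustration.

```python
from urllib.parse import unquote, urlsplit, urlunsplit

# Constructed sample URLs (hypothetical host, not the reporter's server).
BASE = "https://gitlab.example.invalid/api/v4/projects/1/packages/pypi/simple"
NO_COLON = BASE.replace("https://", "https://__token__@")
WITH_COLON = BASE.replace("https://", "https://__token__:@")


def split_auth(url):
    """Return (url_without_userinfo, username, password).

    password is None when no ':' follows the username and '' when the
    colon is present but nothing follows it.
    """
    parts = urlsplit(url)
    host = parts.netloc.rpartition("@")[2]  # drop "user[:pass]@" if present
    stripped = urlunsplit(
        (parts.scheme, host, parts.path, parts.query, parts.fragment)
    )
    user = unquote(parts.username) if parts.username is not None else None
    pwd = unquote(parts.password) if parts.password is not None else None
    return stripped, user, pwd


def resolve(url, stored):
    """Simplified credential lookup (an assumption, not unearth's logic).

    A complete user:password pair in the URL wins; otherwise fall back to
    `stored`, a dict of host -> (user, password) standing in for
    netrc/keyring. None means an interactive client would have to prompt.
    """
    stripped, user, pwd = split_auth(url)
    if user is not None and pwd is not None:
        return user, pwd
    entry = stored.get(urlsplit(stripped).hostname)
    if entry and (user is None or entry[0] == user):
        return entry
    return None


if __name__ == "__main__":
    for label, url in (("no colon", NO_COLON), ("with colon", WITH_COLON),
                       ("response URL", BASE)):
        print(f"{label:13} -> {split_auth(url)[1:]}  resolve={resolve(url, {})}")
```

Running it shows that the response URL carries no username at all, so a retry driven by that URL can only succeed from a stored entry or a prompt.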