Hello. I'm making a MITM proxy that prevents pip artifacts from being downloaded when a critical vulnerability has been found. I was faced with the fact that the protocol has no way to distinguish between anonymous requests without mandatory authorization.
I noticed that container image registries always assign a token, even to anonymous users, to solve this problem. I would like similar behavior in the protocol for downloading pip artifacts, because during the download process pip recreates the HTTP connection several times and the server has no way to tell which client a chain of requests came from.
Describe the solution you'd like
Issue any kind of session id or token for the user.
Alternative Solutions
Tracking connection IDs, but they will close frequently on successive requests.
Additional context
The custom registry (or a proxy like Nexus) needs to be able to tell that one chain of requests from pip to download an artifact is different from another.