twine: use API tokens by default on PyPI

[woodruffw]

This is still a work in progress.

See #561.

[woodruffw]

I think this is good for an initial look. Key behavioral changes:

• When the index is PyPI, username is unconditionally set to __token__ regardless of any configuration, environment, or CLI settings. The user is never prompted, if the setting is interactive.
• When the index is PyPI, the behavior remains essentially unchanged except that the password prompt now asks for an API token instead.
• I moved repository URL normalization into get_repository_from_config, to ensure that the PyPI URL check is always performed against the normalized URL.

Some design questions:

• Should we do the same for TestPyPI? I'm not sure if it's also 2FA mandated; CC @miketheman
• Should we emit warnings about username being ignored?
• Are configuration/CLI changes needed/warranted? At the moment everything is still username and password; having a token alias for password might make sense. On the other hand, that might be an unnecessary complication.

[miketheman]

• Should we do the same for TestPyPI? I'm not sure if it's also 2FA mandated

It is!

[woodruffw]

I'm on my phone so I may be wrong, but it looks like we don't have tests for repositories other than pypi which means we don't have a way of verifying things don't break for non-PyPI users. Is that right?

Yep, that's right -- I'll add those complementing tests tonight!

[woodruffw]

I've added mirror PyPI/non-PyPI tests for the testcases that diverged with these changes.

I've also manually confirmed that the prompt gets specialized as expected, e.g.:

$ twine upload -r testpypi dist/twine-0.1.dev1105+g6e94d20.tar.gz
Uploading distributions to https://test.pypi.org/legacy/
Enter your API token:

[190488]

This is still a work in progress.

See #561.

Correlation Id: df1b91f7ccc14a179c323bfcf542ec6b Timestamp: 2024-09-15T21:26:26.704Z

[190488]

Correlation Id: df1b91f7ccc14a179c323bfcf542ec6b Timestamp: 2024-09-15T21:26:26.704Z