Provide method of authentication for crate downloads #6843
Labels: A-registries (Area: registries), C-feature-request (Category: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted`)
With the stabilization of alternative registries in Rust 1.34, it's now possible to connect to an alternative registry to provide an index. Since the alternative registry is a git repo, authentication can be handled in all the normal ways like SSH keypairs, git credential helpers, etc.

However, there doesn't currently seem to be a way to authenticate the downloads of the `.crate` files themselves. Once a download location is pulled from the `"dl"` key in the `config.json` provided by the index, Cargo makes a request to a URL constructed from that key. But as far as I can tell there is no way to inject any authentication information into that request. This means I need to either keep all my private `.crate` artifacts on a local LAN or behind some other security like a VPN.

I've thought of a few workarounds, but all seem hacky or have security concerns:

- Use a `"dl"` URL that is time-bound and unique per user. This isn't great because it requires modifying the returned index for every user.
- Use git+ssh for all crate downloads and rely on keypair auth. This actually wouldn't work because the download step requires https, http, or file URLs.
- Sync `.crate` files to the local filesystem and then have `config.json` specify a `file://` URL. This isn't good because now syncing dependencies isn't an automatic action on `cargo build`, etc.; it's a manual and forgettable step.

I think an ideal solution would extend the usage of a token obtained through `cargo login` to also be sent during crate download requests. This would need to be handled carefully so the token is only sent over secure connections and only to download URLs for the specific registry using the token.