Check token validity when loading registry config #15127
Conversation
rustbot
added
A-interacts-with-crates.io
kornelski
force-pushed
the
token-early-check
branch
from
a3aedb6 to
441fd35
Compare
| if let Some(RegistryConfig { | ||
| token: Some(token), .. | ||
| }) = &cfg | ||
| { | ||
| check_token(&token.val.as_deref().expose()).with_context(|| { | ||
| format!( | ||
| "Token for {sid} is invalid (defined in {})", | ||
| token.definition | ||
| ) | ||
| })?; | ||
| } |
There was a problem hiding this comment.
This is moving the check from
- token credential provider
To
- token credential provider
- paseto credential provider
- the enumeration of all credential providers
I'd want to better understand if its a good idea to be running this check in all of those other situations
CC @arlosi
There was a problem hiding this comment.
Construction of RegistryConfig is closer to TOML deserialization of credentials.toml than to implementation of credential providers. The token here is the input for downstream users of the registry config, and does not touch output token of credential providers (that's CredentialResponse).
Paseto uses secret_key and secret_key_subject fields, not token.
This field is only read by TokenCredential, apart from code that warns when cargo::token is not enabled.
kornelski
force-pushed
the
token-early-check
branch
from
441fd35 to
9ef2dd1
Compare
rustbot
added
A-registries
|
I've found another case where extra Fixed in e70f340 (the tests and released builds of Cargo report this error slightly differently, presumably because the tests use a custom mock HTTP server). |
kornelski
force-pushed
the
token-early-check
branch
from
9ef2dd1 to
e70f340
Compare
This change checks validity of registry tokens earlier, when they're read from the config. Previously Cargo would check the token only when sending a request.
This makes the error message more helpful, because it can tell how the token has been defined. This is especially helpful when users do something like: