Authorization Header is missing on cargo build for private registries #10920

Closed
sassman opened this issue Aug 2, 2022 · 7 comments
Labels
C-bug Category: bug

Comments

@sassman

sassman commented Aug 2, 2022

Problem

Given

  • I have a private package registry (in my case it is an Artifactory from JFrog)
  • And I have configured it via <project_root>/.cargo/config like this:
    [registries.my-crates]
    index = "https://myorg.jfrog.io/artifactory/git/my-crates.git"
    
    [net]
    git-fetch-with-cli = true
  • Assuming I have already published my-crate at version 0.1.1 (because this works already well)
  • And I got a package dependency specified in my Cargo.toml with a registry property like:
    [dependencies]
    my-crate = { version = "0.1.1", registry = "my-crates" }
  • And I got a token in my ~/.cargo/credentials.toml for exactly this registry like:
    [registries.my-crates]
    token = "Bearer XXXX"

Then

  • I would expect that cargo build downloads my-crate using the token specified in the credentials.toml

Steps

  1. create a private repository
  2. create the project config as above
  3. create an auth token as above
  4. configure the auth token via cargo login or as said above
  5. specify a dependency in a new project with explicitly stating the registry property (see above)
  6. call cargo build

Possible Solution(s)

IMO it would be most consistent that cargo under the given circumstances uses an Authorization header for build and download,
as it is already doing correctly for the publish sub-command.

Alternatively in the project .cargo/config one option might activate the desired behavior, maybe on the [net] config section.

Notes

No response

Version

`cargo 1.63.0-nightly (38472bc19 2022-05-31)`
@sassman sassman added the C-bug Category: bug label Aug 2, 2022
@ehuss
Contributor

ehuss commented Aug 2, 2022

Authentication currently isn't supported. For updates, you can follow #10474 which tracks the implementation of that feature. Closing as a duplicate of #10474.

@ehuss ehuss closed this as not planned Aug 2, 2022
@Lupus

Lupus commented Sep 27, 2023

It seems that #10474 is completed and will make it to stable release, but I still struggle with the same issue that @sassman reported. I have artifactory in my enterprise environment, I'm able to publish one crate, but when publishing another one, cargo fails with 403 error.

I'm trying with cargo 1.74.0-nightly (414d9e3a6 2023-09-22) and the following command:

cargo +nightly -Z registry-auth publish -p my-package-name

And it still does not work. Is there an instruction for dumb users like me what do I need to do to get it working? Cargo book seems to be focused on securely storing credentials in a bunch of secret managers, I can't find a recipe on how to enable auth for downloads :(

@weihanglo
Member

> I'm able to publish one crate, but when publishing another one, cargo fails with 403 error.

What did you mean by "able to publish one, but failed on another"?

For publishing packages to alternate registries, you can have a look at https://doc.rust-lang.org/nightly/cargo/reference/registries.html#publishing-to-an-alternate-registry.

> I can't find a recipe on how to enable auth for downloads

Were you stuck in uploading or downloading? I am a bit confused now…

Setting either default credential provider or registry specific provider should fix the issue. If not, please file a new issue with reproducible steps and relevant configuration. We can have a look then :)

@Lupus

Lupus commented Sep 27, 2023

Sorry for confusion, publishing works as expected with token auth, but when publishing a package that is dependent on another already published package, Cargo is trying to download the dependent package from private repo first to validate it, and bails out with the following error:

error: failed to verify package tarball

Caused by:
  failed to download from `https://urm.example.com/artifactory/api/cargo/team-name-cargo-local/v1/crates/other-crate/0.1.0/download`

Caused by:
  failed to get successful HTTP response from `https://urm.example.com/artifactory/api/cargo/team-name-cargo-local/v1/crates/other-crate/0.1.0/download` (10.126.206.42), got 403
  body:
  {
    "errors" : [ {
      "status" : 403,
      "message" : "Download request for repo:path 'team-name-cargo-local:crates/other-crate/other-crate-0.1.0.crate' is forbidden for user: 'anonymous'."
    } ]
  }

So it fails on download, despite me having configured credentials provider and using latest nightly which should support auth:

[registry]
global-credential-providers = ["cargo:token"]

@Eh2406
Contributor

Eh2406 commented Sep 27, 2023

Does your registry have the flag set in its config.json?

@Lupus

Lupus commented Sep 27, 2023

Hm, I've seen reference of some flag somewhere, but can't find it right now. My registry only has dl and api values in its config.json. Could you possibly point me to the documentation which contains information about that flag?

@Eh2406
Contributor

Eh2406 commented Sep 27, 2023

auth-required: indicates whether this is a private registry that requires all operations to be authenticated including API requests, crate downloads and sparse index updates.

https://doc.rust-lang.org/nightly/cargo/reference/registry-index.html#index-configuration
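
The effect of the auth-required flag discussed above, as an added example (not part of the thread and not Cargo's own code): a simplified Python model of how the crate download URL and the Authorization header follow from an index's config.json. The config bodies are constructed from the error output quoted in the thread, and `download_request` and `index_prefix` are hypothetical names.

```python
import json

# Constructed index config.json bodies; the URLs are inferred from the error
# output quoted in the thread and are not the registry's actual file.
BASE = "https://urm.example.com/artifactory/api/cargo/team-name-cargo-local"
WITHOUT_FLAG = json.dumps({"dl": BASE + "/v1/crates", "api": BASE})
WITH_FLAG = json.dumps({"dl": BASE + "/v1/crates", "api": BASE,
                        "auth-required": True})

MARKERS = ("{crate}", "{version}", "{prefix}", "{lowerprefix}",
           "{sha256-checksum}")


def index_prefix(name):
    """Directory prefix the index uses for a crate name."""
    if len(name) <= 2:
        return str(len(name))
    if len(name) == 3:
        return "3/" + name[0]
    return name[:2] + "/" + name[2:4]


def download_request(config_text, crate, version, token=None, cksum=""):
    """Return (url, headers) for a crate download, as a simplified model."""
    cfg = json.loads(config_text)
    dl = cfg["dl"]
    if any(m in dl for m in MARKERS):
        prefix = index_prefix(crate)
        url = (dl.replace("{crate}", crate)
                 .replace("{version}", version)
                 .replace("{prefix}", prefix)
                 .replace("{lowerprefix}", prefix.lower())
                 .replace("{sha256-checksum}", cksum))
    else:
        # Documented default when "dl" contains no markers.
        url = dl + "/" + crate + "/" + version + "/download"
    headers = {}
    # Without "auth-required": true the token is never attached, so the
    # server sees the request as anonymous and may answer 403.
    if cfg.get("auth-required") is True and token:
        headers["Authorization"] = token
    return url, headers


if __name__ == "__main__":
    for label, cfg in (("without flag", WITHOUT_FLAG), ("with flag", WITH_FLAG)):
        url, headers = download_request(cfg, "other-crate", "0.1.0", "Bearer XXXX")
        print(label, url, "Authorization" in headers)
```

With only dl and api present, the model produces the same download URL as in the quoted error and no Authorization header, which matches the 'anonymous' 403 response.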
