Approach for resolving #6232 #6353
LGTM, although we could possibly use the message passed in each `Denied` instance (and pull the underlying error out from `V1Caveat`) instead of using `isinstance` to test the class of `allowed`. That might be a little easier to test + allow more error message reuse, but this approach is also fine.
@dstufft do you have a preference for which approach to take here?
Offered another approach based on feedback from @dstufft, though I'm still feeling really icky about how much we're having to bubble through.
This item is a beta blocker https://github.com/pypa/warehouse/milestone/17 so it'd be nice to address this month so we can send out a pypi-announce email around Halloween (security is spooky!).
I would like to wrap up the beta of the API token feature and email out an announcement to get more people using the feature. Thus: @ewdurbin could you please rebase this, and then @dstufft could you review it, so we can finish getting this merged and then get more people uploading with API tokens? Thanks.
IMO fixing this is still a blocker for coming out of beta #5661 (comment) -- @ewdurbin @di @woodruffw @yeraydiazdiaz could we finish this PR within the next few weeks so we can announce the feature on pypi-announce, increase adoption, and better secure PyPI packages?
3bcbe69 to 7910534
Will need review from @dstufft and @woodruffw If they approve... needs tests/etc
still unsure about the approach
792df7d to f55fc17
I think this is ready for review.
Fixes #6232.
Resulting error messages:
Invalid Username/Password:
Invalid API Token:
Valid Username/Password that does not have permission:
Valid API Token missing scope for project: