fix(manager/nuget): Enforce basic authentication for NuGet restore co…

…mmand (#25502)

docs/usage/nuget.md

@@ -113,6 +113,7 @@ If you're using Azure DevOps, you can set `matchHost` to `pkgs.dev.azure.com`.
 !!! note
     Only Basic HTTP authentication (via username and password) is supported.
     For Azure DevOps, you can use a PAT with `read` permissions on `Packaging` plus an empty username.
+    The generated `nuget.config` enforces basic authentication and cannot be overridden externally!
 
 ## Future work
 

lib/modules/manager/nuget/config-formatter.spec.ts

@@ -112,6 +112,13 @@ describe('modules/manager/nuget/config-formatter', () => {
           ?.attr['value']
       ).toBe('some-password');
 
+      expect(
+        myRegistryCredentials?.childWithAttribute(
+          'key',
+          'ValidAuthenticationTypes'
+        )?.attr['value']
+      ).toBe('basic');
+
       const myRegistry2Credentials = xmlDocument.descendantWithPath(
         'packageSourceCredentials.myRegistry2'
       );
@@ -122,6 +129,13 @@ describe('modules/manager/nuget/config-formatter', () => {
         myRegistry2Credentials?.childWithAttribute('key', 'ClearTextPassword')
           ?.attr['value']
       ).toBe('some-password');
+
+      expect(
+        myRegistry2Credentials?.childWithAttribute(
+          'key',
+          'ValidAuthenticationTypes'
+        )?.attr['value']
+      ).toBe('basic');
     });
 
     it('escapes registry credential names containing special characters', () => {

lib/modules/manager/nuget/config-formatter.ts

@@ -98,6 +98,8 @@ function formatPackageSourceCredentialElement(
     packageSourceCredential += `<add key="ClearTextPassword" value="${credential.password}" />\n`;
   }
 
+  packageSourceCredential += `<add key="ValidAuthenticationTypes" value="basic" />`;
+
   packageSourceCredential += `</${escapedName}>\n`;
 
   return packageSourceCredential;