Unhelpful cloudfront error when using bad API token #11571
Labels
A-diagnostics
Area: Error and warning messages generated by Cargo itself.
A-interacts-with-crates.io
Area: interaction with registries
A-registry-authentication
Area: registry authentication and authorization (authn authz)
C-bug
Category: bug
E-easy
Experience: Easy
Comments
|
The most direct fix is that cargo should escape characters that have special meanings in HTTP before putting in ill formed authentication token into CUrl, I'm honestly a little surprised that CUrl does not have this escaping already. More generally, we should probably make a breaking change banning these kinds of control characters from tokens in general. We recently made a similar "breaking" change to ban empty tokens. |
|
@Eh2406 should we move this to the |
|
Done. |
|
Out of curiosity, does crates.io allow control characters in tokens? |
weihanglo
added
C-bug
|
I don't believe any of the tokens generated by crates.io have control characters. I believe they are all ASCII. |
bors
added a commit
that referenced
this issue
Feb 16, 2023
Error on invalid alphanumeric token for crates.io ref #11571 When using `cargo login` and calling an api which requires authentification there will be an error if the given token is not a valid alphanumerical string. This check is only enabled for crates.io because only for that registry we can be certain, that the generated token should have been alphanumeric, see [the code here](https://github.com/rust-lang/crates.io/blob/7ea41e9d345f05566ee776b7cbb62e46ccf6b393/src/util/token.rs#L15). So if I'm not mistaken, this should not be a breaking change, since crates.io only generates fitting tokens. (Should I add a comment to the crates.io code that modifying this logic can break cargo?) I'm not sure if the fix works and is enough to close the issue, please say if you have any corrections or improvements! I don't know if the check should also be enabled for other registries and it would be really bad if the check is too strict. In the linked issue it was recommended to encode invalid characters, but I don't know in which encoding. I saw in [this http rfc](https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4) that only the ISO-8859-1 charset is allowed and everything else must be [encoded](https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4) but this seems somewhat complex and hard to implement. There is a crate `rust-encoding` which should be capable doing this (from a first look), but I don't know if a new dependency only for this is justified. There seems to be `percent encoding` already in the dependency tree but I have no idea if it would be correct and work. If you have any idea about this encoding, please say so. r? `@Eh2406` (since you suggested the encoding part)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Current Behavior
I (unintentionally and without noticing) entered a bad API token via
cargo login(see below). Thencargo publishandcargo owner, includingcargo owner --list, give the following error:The
credentialsfile ended up looking like this after I hitCtrl+Vto insert my token on the command line (and at first I didn't notice that this didn't work correctly):Expected Behavior
A more helpful error message that tells me that my API token is wrong or ill-formed.
Steps To Reproduce
No response
Environment
Windows 10, using PowerShell within Windows Terminal or VS Code
Anything else?
No response
The text was updated successfully, but these errors were encountered: