Anaconda doesn't fail on expired authentication token #536

Open
mithro opened this issue Jan 14, 2020 · 3 comments · May be fixed by #564

mithro commented Jan 14, 2020

If you try to use an access token (from https://anaconda.org/SymbiFlow/settings/access) which has expired, the output does not indicate that anything failed.

See the following output, which was using the expired token:

```
Using Anaconda API: https://api.anaconda.org
Using "symbiflow" as upload username
Processing '/tmp/really-really-really-really-really-really-really-really-really-really-really-really-really-long-path/conda/conda-bld/linux-64/libxml2-2.9.9-h14c3975_5.tar.bz2'
Detecting file type...
File type is "conda"
Extracting conda package attributes for upload
Creating package "libxml2"
Creating release "2.9.9"
Uploading file "symbiflow/libxml2/2.9.9/linux-64/libxml2-2.9.9-h14c3975_5.tar.bz2"
Done. Your build exited with 0.
```

This access is also not logged in the anaconda.org security log at https://anaconda.org/SymbiFlow/settings/security_log.

It would be much better if the anaconda client failed with an "authentication denied" or ideally "authentication token expired".

bkreider (Contributor) commented

You are completely correct. This is a duplicate of 501 and 516 (and possibly a few others).

I don't think you want to have the security log filled with log spam of 401s from people hitting it though. IMHO, that log is more of an audit log than a security log: it logs all actions carried out under the account.

mithro commented Jan 15, 2020

I assume you mean #501 and #516? Any idea if/when this would be fixed at all?

I think a valid but expired token appearing in the security log would be a good idea but it is less important.

bkreider (Contributor) commented

Sorry, @mithro. I work for Anaconda, but I'm not on this team. I heavily use anaconda-client, so I try to provide help in the form of information when I can.

This is definitely a bug, so it should be fixed at some point. It looks like there was a PR that almost fixes this but it looks like it was never updated.

csukuangfj linked a pull request on May 17, 2021 that will close this issue