Fix authentication with JFrog artifactories (#2592)

Closes #2566 We were storing the username e.g. `charlie@astral.sh` as a percent-encoded string `charlie%40astral.sh` which resulted in different headers and broke JFrog's artifactory which apparently does not decode usernames. Tested with a JFrog artifactory and AWS CodeArtifact although it is worth noting that AWS does _not_ have a username with an `@` — it'd be nice to test another artifactory with percent-encoded characters in the username and/or password.
astral-sh · Mar 21, 2024 · 7ee90dc · 7ee90dc
1 parent 2375008
commit 7ee90dc
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 1 deletion.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/uv-auth/Cargo.toml b/crates/uv-auth/Cargo.toml
@@ -14,6 +14,7 @@ task-local-extensions = { workspace = true }
 thiserror = { workspace = true }
 tracing = { workspace = true }
 url = { workspace = true }
+urlencoding = { workspace = true }
 once_cell = { workspace = true }
 
 [dev-dependencies]

diff --git a/crates/uv-auth/src/store.rs b/crates/uv-auth/src/store.rs
@@ -100,7 +100,13 @@ impl AuthenticationStore {
             return;
         }
         let auth = UrlAuthData {
-            username: url.username().to_string(),
+            // Using the encoded username can break authentication when `@` is converted to `%40`
+            // so we decode it for storage; RFC7617 does not explicitly say that authentication should
+            // not be percent-encoded, but the omission of percent-encoding from all encoding discussion
+            // indicates that it probably should not be done.
+            username: urlencoding::decode(url.username())
+                .expect("An encoded username should always decode")
+                .into_owned(),
             password: url.password().map(str::to_string),
         };
         credentials.insert(netloc, Some(Credential::UrlEncoded(auth)));