401 Installing from Internal Index due to .netrc #2323
Comments
hmc-cs-mdrissi
changed the title
|
Yeah this sounds like a mistake. Thanks for reporting. |
|
Perhaps @zanieb can take a look when they're back since they've been owning auth. |
|
I did one extra test and main works if I include index url without auth. So it's using netrc + index-url well if index-url doesn't also have authenication data in it. But if they both have it even if it's same password/login, then it fails. |
|
I can try to take a look at it tomorrow. |
|
The code for the netrc middleware is actually pretty small, and I'm surprised it's failing to handle this. It does look like it would override the credentials though. I'm not sure what's expected. |
|
It looks like pip does explicitly prioritize existing credentials: pypa/pip#10998. I'm still not sure why it would fail here though since the credentials are exactly the same, right? |
|
Oh wait, it was then reverted: pypa/pip#11134. |
|
The credentials are identical. At work we have some script that we need to run daily to refresh our credentials. That script updates both .netrc and pip.conf with same credentials. I then manually copy the index url in pip.conf and pass it to uv. |
|
Makes sense. You could try running with |
|
Okay, the error I get when I provide both sets of credentials is: |
|
I think the problem is that we now send up two authorization headers. |
|
I can confirm there's two headers for me too when it fails. I added the logs from this pr you did before. I also tried For my use case it does not really matter which of the two credentials you pick. My personal intuition though is if url has credentials it'd be used first over a separate file. |
|
Just trying to figure out how to replace a header with reqwest, the API doesn't seem to want you to do this... |
|
@zanieb - I think this might be impossible to do with middleware, because the reqwest middleware seems to be purely additive. We might need to remove this middleware, and add a |
|
Think I figured out a way to do it with the middleware API. |
|
Should be fixed in #2325, thanks for filing and sorry about that regression. |
|
I’ll test the PR in ~1 hour when I’m back home. The diagnosis makes full sense to me. |
|
No rush! I’m going to bed anyway. |
|
I've tested it and confirmed your fix resolves the issue. Installation works well trying both internal and public packages. |
## Summary The netrc middleware we added in #2241 has a slight problem. If you include credentials in your index URL, _and_ in the netrc file, the crate blindly adds the netrc credentials as a header. And given the `ReqwestBuilder` API, this means you end up with _two_ `Authorization` headers, which always leads to an invalid request, though the exact failure can take different forms. This PR removes the middleware crate in favor of our own middleware. Instead of using the `RequestInitialiser` API, we have to use the `Middleware` API, so that we can remove the header on the request itself. Closes #2323. ## Test Plan - Verified that running against a private index with credentials in the URL (but no netrc file) worked without error. - Verified that running against a private index with credentials in the netrc file (but not the URL) worked without error. - Verified that running against a private index with a mix of credentials in both _also_ worked without error.
I was excited by the work done in this issue, so I tried checking out main and testing uv to see if it improved performance on 1 package I found slow. Instead I found that using main uv now gives me a 401 error for installing any internal package with index server. Packages that previously worked to install now fail. I've bisected commits to find the first commit that fails is this commit.
The exact command being run is
cargo run -- pip install --index-url=SOME_URL numpy. The url has credentials in it. I do have .netrc file, but they are not intended for this installation especially when --index-url has all credentials needed already and did work prior to that pr. Similarly pip works for similar commandpip install --index-url=SOME_URL numpyand I'd guess is sticking to credentials inside index-url over mixing it with .netrc.Here's the verbose logs from the first failing commit,
Logs
Like before, I'm happy to test out any specific commands/extra log statements that would be helpful.
edit: Credentials in netrc are not wrong though and maybe could be used somehow. The netrc looks like,
while --index-url passed is
https://LCAv1:password@registry.snapchat.com/python/virtual. Login and password are same either way, but guessing the two aren't mixing as expected. I wonder if/python/virtualpart is lost.The text was updated successfully, but these errors were encountered: