Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

API feature to request new project-scoped upload API token #6396

Open
brainwane opened this issue Aug 8, 2019 · 16 comments
Open

API feature to request new project-scoped upload API token #6396

brainwane opened this issue Aug 8, 2019 · 16 comments
Labels
APIs/feeds blocked Issues we can't or shouldn't get to yet feature request needs discussion a product management/policy issue maintainers and users should discuss tokens Issues relating to API tokens

Comments

@brainwane
Copy link
Contributor

From @takluyver:

Is there any plan for an API to create upload tokens? E.g. I'd like to have a command-line tool prompt me once for my password & 2FA code, then obtain and store a project-scoped token to use for uploads.

This is a followup to #994.

@brainwane brainwane added feature request needs discussion a product management/policy issue maintainers and users should discuss APIs/feeds tokens Issues relating to API tokens labels Aug 8, 2019
@rachelcipkins
Copy link

I will be working on this issue next!

@rachelcipkins
Copy link

@brainwane I have a few questions regarding this issue. Should the command line tool be created in Twine? Should this tool create tokens for entire projects or should it implement the new caveats implemented in #6255 ?

@takluyver
Copy link
Contributor

As my request was a bit vague: what I'm really looking for is a public, documented HTTP interface for creating API tokens. I maintain a command line tool, which handles project uploads, and I'd like to extend it to use API tokens. But I'm not aware of any way to create them programmatically. Once the HTTP interface exists, no doubt other tools will use it too.

Thanks for working on it!

@brainwane
Copy link
Contributor Author

Sorry for the wait in replying to you @rcipkins -- I think @di or @ewdurbin would be better placed to answer you!

@di
Copy link
Member

di commented Oct 8, 2019

This may be part of (or blocked on) #284 -- we don't currently have any authenticated APIs (aside from the upload API) but it seems reasonable that this would be part of some future JSON API which could support authentication.

@graingert
Copy link
Contributor

graingert commented Sep 29, 2020

@takluyver can't you generate an unscoped macaroon and then narrow the scope of it with Caveats yourself before storing it?
ah this was already mentioned

@woodruffw
Copy link
Member

This is not the same thing as #11272, but the work there may provide a template for an API route here.

@takluyver
Copy link
Contributor

I don't suppose we're any closer to this? I guess #284 is a dependency?

We're meant to be moving in the direction of token based uploads, which absolutely makes sense, but as things stand we have to choose between a user-scoped token - which isn't much of an improvement - or project scoped tokens - which require manual click-click-click interaction for every project. Admittedly I have an unusually large number of projects, but it still seems like a poor UX even if you have just a few.

I suppose I could just mimic the requests from the browser when you log in and create a token, but I assume that's not a good idea for the long term.

@woodruffw
Copy link
Member

Yes! We're currently working on #11296, which will complement the existing API token behavior. You'll be able to register an OIDC provider for a PyPI project that doesn't exist yet, and publish from GitHub Actions (and other CI services in the future) without having to manually configure an API token.

@takluyver
Copy link
Contributor

Thanks! But for those of us old fashioned people who like to upload packages to PyPI from our local machine, rather than from CI, will this make it any easier to create a token (or get some equivalent security mechanism) programmatically, i.e. without having to go through the PyPI web interface?

@woodruffw
Copy link
Member

Not in its current form, unfortunately -- that work is mostly focused on CI providers.

@smheidrich
Copy link

Hacky interim solution: https://smheidrich.gitlab.io/pypi-token-client/

@di
Copy link
Member

di commented Apr 11, 2023

Blocked on #13409.

@di di added the blocked Issues we can't or shouldn't get to yet label Apr 11, 2023
@takluyver
Copy link
Contributor

Now that 2FA is required, storing a user-scoped token is less secure than storing a password, because the token is sufficient for uploads on its own.

The workflow I'd really like when publishing a package is that the maintainer is prompted for their PyPI password in the terminal (or it's found from a suitable password manager), then prompted to touch a security key or enter a TOTP code, and then the upload goes ahead. There are usually multiple files to upload (sdist + at least one wheel), and these prompts shouldn't be repeated for each file.

It still seems like the obvious way to achieve this is with an API to create a project-scoped upload token. From my perspective, it would also be best if the server could make the token time-limited (e.g. 1 hour) - I know I can add caveats locally, but if the indefinite token is never sent over the wire, it can never leak. Also, if the server knows it created a time-limited token, it can automatically clear it up after it expires, rather than leaving an ever-growing list of tokens behind.

@graingert
Copy link
Contributor

@takluyver my approach is to never create a token and use the direct from GitHub action authentication method instead

@takluyver
Copy link
Contributor

I'm using that on some projects, but I still kind of like being able to manage a project from my own computer, rather than relying ever more on cloud services. 😮‍💨

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
APIs/feeds blocked Issues we can't or shouldn't get to yet feature request needs discussion a product management/policy issue maintainers and users should discuss tokens Issues relating to API tokens
Projects
None yet
Development

No branches or pull requests

7 participants