Sketch of improved error messages.

Author: nathanhammond

src/cargo/sources/registry/http_remote.rs

@@ -100,6 +100,9 @@ pub struct HttpRegistry<'gctx> {
     /// Should we include the authorization header?
     auth_required: bool,
 
+    /// The scheme of the included authorization header, if any.
+    authorization_scheme: Option<auth::AuthorizationScheme>,
+
     /// Url to get a token for the registry.
     login_url: Option<Url>,
 
@@ -231,6 +234,7 @@ impl<'gctx> HttpRegistry<'gctx> {
             fetch_started: false,
             registry_config: None,
             auth_required: false,
+            authorization_scheme: None,
             login_url: None,
             auth_error_headers: vec![],
             quiet: false,
@@ -604,6 +608,7 @@ impl<'gctx> RegistryData for HttpRegistry<'gctx> {
                             self.source_id,
                             self.login_url.clone(),
                             auth::AuthorizationErrorReason::TokenRejected,
+                            self.authorization_scheme.clone(),
                         )?;
                         return Poll::Ready(err.context(auth_error));
                     } else {
@@ -663,6 +668,14 @@ impl<'gctx> RegistryData for HttpRegistry<'gctx> {
                 self.auth_error_headers.clone(),
                 true,
             )?;
+            let (scheme, _token) = authorization
+                .split_once(" ")
+                .unwrap_or(("", &authorization));
+            self.authorization_scheme = match scheme.to_ascii_lowercase().as_str() {
+                "basic" => Some(auth::AuthorizationScheme::Basic),
+                "bearer" => Some(auth::AuthorizationScheme::Bearer),
+                _ => Some(auth::AuthorizationScheme::Unrecognized),
+            };
             headers.append(&format!("Authorization: {}", authorization))?;
             trace!(target: "network", "including authorization for {}", full_url);
         }

src/cargo/util/auth/mod.rs

@@ -387,6 +387,23 @@ impl fmt::Display for AuthorizationErrorReason {
     }
 }
 
+#[derive(Clone, Debug, PartialEq)]
+pub enum AuthorizationScheme {
+    Basic,
+    Bearer,
+    Unrecognized,
+}
+
+impl fmt::Display for AuthorizationScheme {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        match self {
+            AuthorizationScheme::Basic => write!(f, "Basic"),
+            AuthorizationScheme::Bearer => write!(f, "Bearer"),
+            AuthorizationScheme::Unrecognized => write!(f, "unrecognized"),
+        }
+    }
+}
+
 /// An authorization error from accessing a registry.
 #[derive(Debug)]
 pub struct AuthorizationError {
@@ -400,6 +417,8 @@ pub struct AuthorizationError {
     reason: AuthorizationErrorReason,
     /// Should `cargo login` and the `_TOKEN` env var be included when displaying this error?
     supports_cargo_token_credential_provider: bool,
+    /// What authorization scheme was specified in the token, if any?
+    scheme: Option<AuthorizationScheme>,
 }
 
 impl AuthorizationError {
@@ -408,6 +427,7 @@ impl AuthorizationError {
         sid: SourceId,
         login_url: Option<Url>,
         reason: AuthorizationErrorReason,
+        scheme: Option<AuthorizationScheme>,
     ) -> CargoResult<Self> {
         // Only display the _TOKEN environment variable suggestion if the `cargo:token` credential
         // provider is available for the source. Otherwise setting the environment variable will
@@ -422,6 +442,7 @@ impl AuthorizationError {
             login_url,
             reason,
             supports_cargo_token_credential_provider,
+            scheme,
         })
     }
 }
@@ -461,6 +482,19 @@ impl fmt::Display for AuthorizationError {
                     "\nYou may need to log in using this registry's credential provider"
                 )?;
             }
+            if let Some(scheme) = &self.scheme {
+                write!(
+                    f,
+                    "Your registry token is prefixed with an embedded {} authentication scheme. Is this correct?",
+                    scheme,
+                )?;
+            } else {
+                write!(
+                    f,
+                    "Your registry token is not prefixed with an embedded authorization scheme (e.g. `Bearer `).\n\
+                    Does this registry require an authentication scheme?",
+                )?;
+            }
             Ok(())
         } else if self.reason == AuthorizationErrorReason::TokenMissing {
             write!(
@@ -624,6 +658,7 @@ pub fn auth_token(
             *sid,
             login_url.cloned(),
             AuthorizationErrorReason::TokenMissing,
+            None,
         )?
         .into()),
     }