
Conversation

@Turbo87 Turbo87 (Member) commented Jun 12, 2025

cargo publish was built without using an auth scheme in the Authorization header. Regular HTTP client libraries often only support either basic or bearer authentication, but not empty auth schemes.

The regular API tokens currently only support an empty auth scheme, while Trusted Publishing was (mistakenly) built in a way to only support the Bearer auth scheme.

This PR adjusts both code paths to use a shared Authorization header extractor which allows usage of an empty auth scheme, or the Bearer auth scheme, regardless of the type of token that is used or the API endpoint it is used on.

Related:
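As an added illustration of the parsing rule the PR describes (not crates.io's own `AuthHeader` extractor, and not code from this PR), the function below accepts an `Authorization` value either as a bare token with no scheme, which is what `cargo publish` sends, or as `Bearer <token>`, and rejects everything else with a specific error so the client gets a useful message. The scheme comparison is case-insensitive because HTTP auth-scheme names are; the token value `cio_abc123` is a constructed placeholder, not a real token format.

```rust
// Added example, not the crates.io `AuthHeader` extractor.
// Parses an Authorization header value accepting exactly two shapes:
//   "<token>"         (empty auth scheme, as sent by `cargo publish`)
//   "Bearer <token>"  (RFC 6750 style, as used by Trusted Publishing clients)
// Any other scheme (Basic, Digest, ...) is reported as unsupported.

#[derive(Debug, PartialEq, Eq)]
pub enum AuthScheme {
    /// No scheme at all, e.g. `Authorization: cio_abc123`.
    Empty,
    /// Bearer scheme, e.g. `Authorization: Bearer cio_abc123`.
    Bearer,
}

#[derive(Debug, PartialEq, Eq)]
pub enum AuthHeaderError {
    /// No Authorization header was sent at all.
    Missing,
    /// Header present but blank.
    Empty,
    /// A scheme other than Bearer (or none) was used.
    UnsupportedScheme(String),
    /// `Bearer` was given without a token after it.
    MissingToken,
    /// Token contains characters that can never appear in a valid token.
    MalformedToken,
}

#[derive(Debug)]
pub struct ParsedAuth<'a> {
    pub scheme: AuthScheme,
    pub token: &'a str,
}

/// Conservative token alphabet: printable ASCII, no whitespace.
fn is_token_char(c: char) -> bool {
    c.is_ascii_graphic()
}

pub fn parse_authorization(header: Option<&str>) -> Result<ParsedAuth<'_>, AuthHeaderError> {
    let raw = header.ok_or(AuthHeaderError::Missing)?.trim();
    if raw.is_empty() {
        return Err(AuthHeaderError::Empty);
    }

    // Split on any run of whitespace: RFC 7235 allows more than one SP
    // between the scheme and the credentials.
    let mut parts = raw.split_whitespace();
    let first = parts.next().unwrap(); // non-empty after trim
    let second = parts.next();
    let third = parts.next();

    let (scheme, token) = match (second, third) {
        // "Bearer" on its own: scheme without credentials.
        (None, _) if first.eq_ignore_ascii_case("bearer") => {
            return Err(AuthHeaderError::MissingToken)
        }
        // Single word: the whole value is the token, no scheme.
        (None, _) => (AuthScheme::Empty, first),
        // "Bearer <token>" with nothing after the token.
        (Some(tok), None) if first.eq_ignore_ascii_case("bearer") => (AuthScheme::Bearer, tok),
        // Two or more words after the scheme: never a valid token.
        (Some(_), Some(_)) => return Err(AuthHeaderError::MalformedToken),
        // Some other scheme such as "Basic <credentials>".
        (Some(_), None) => return Err(AuthHeaderError::UnsupportedScheme(first.to_string())),
    };

    if !token.chars().all(is_token_char) {
        return Err(AuthHeaderError::MalformedToken);
    }
    Ok(ParsedAuth { scheme, token })
}

fn main() {
    // Constructed sample header values; "cio_abc123" is a placeholder token.
    let samples = [
        Some("cio_abc123"),
        Some("Bearer cio_abc123"),
        Some("bearer   cio_abc123 "),
        Some("Basic dXNlcjpwdw=="),
        Some("Bearer"),
        None,
    ];
    for s in samples {
        println!("{:?} -> {:?}", s, parse_authorization(s));
    }
}
```

Because a bare single word is treated as a token, a client that sends `Authorization: Basic` with no credentials would be told its token is invalid rather than its scheme unsupported; the error variants are there so a server can log which shape of header failed without ever logging the token itself.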

@Turbo87 Turbo87 added C-bug 🐞 Category: unintended, undesired behavior C-enhancement ✨ Category: Adding new behavior or a change to the way an existing feature works A-backend ⚙️ labels Jun 12, 2025
@Turbo87 Turbo87 requested a review from a team June 12, 2025 15:55
@Turbo87 Turbo87 force-pushed the beware-of-the-bears branch 5 times, most recently from e7b3cb4 to 2829fb1 Compare June 13, 2025 17:25
@eth3lbert eth3lbert (Contributor) left a comment

Yeah, I just checked that there's even an open issue in cargo about the auth scheme. But anyway, this LGTM. I just left a small nit. Maybe we also want to add some comments in the codebase, even linking to issues, to provide context and explain why we need to support this.

Turbo87 added 7 commits June 14, 2025 15:47
... by using the new `AuthHeader` extractor, which also slightly improves our error messages.
... by using the new `AuthHeader` extractor, which also slightly improves our error messages.
All of our users at this point have `&str` anyway, so we might as well operate on strings.
@Turbo87 Turbo87 force-pushed the beware-of-the-bears branch from 2829fb1 to cd28aa3 Compare June 14, 2025 13:51
@Turbo87 Turbo87 enabled auto-merge June 14, 2025 13:51
@Turbo87 Turbo87 merged commit dec66ae into rust-lang:main Jun 14, 2025
19 of 20 checks passed
@Turbo87 Turbo87 deleted the beware-of-the-bears branch June 14, 2025 14:18

Development

Successfully merging this pull request may close these issues.

Trusted Publishing: Access tokens are only accepted with Bearer auth scheme