text/0000-cargo-alternative-registry-auth.md
Lines changed: 11 additions & 10 deletions
@@ -36,15 +36,6 @@ Authorization: <token>
36
36
## Interaction with HTTP registries
37
37
The approved (but currently unimplemeneted) [RFC2789](https://github.com/rust-lang/rfcs/pull/2789) enables Cargo to fetch the index over HTTP. When fetching `config.json` from an HTTP index, if Cargo receives an `HTTP 401` response, the request will be re-attempted with the Authorization header included. If no authorization token is available, Cargo will suggest that the user run `cargo login` to add one.
38
38
39
-
To avoid the overhead of an extra HTTP request when fetching `config.json`, the user can optionally configure Cargo locally by setting `auth-required` in the `[registries]` table. If the local `auth-required` flag is `true` then Cargo will include the Authorization token when initially fetching `config.json` over HTTP. If it is `false`, Cargo will never include the Authorization token when fetching `config.json`. If it is unset, Cargo performs the auto-detection described above.
40
-
41
-
This local configuration option does not impact other registry operations, such as API requests or downloads (which are controlled by the flag in `config.json`). It also does not impact git-based registries.
42
-
43
-
```toml
44
-
[registries]
45
-
my-registry = { index = "sparse+https://example.com/index", auth-required = true }
46
-
```
47
-
48
39
## Security
49
40
If the server responds with an HTTP redirect, the redirect would be followed, but the Authorization header would *not* be sent to the redirect target.
50
41
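Review bot: In "Interaction with HTTP registries", once the local `auth-required` paragraph is removed the `HTTP 401` retry is the only specified way the token is attached to a `config.json` fetch, and the text does not say what happens when that fetch is redirected and the redirect target answers with a 401. The Security section states the Authorization header would not be sent to the redirect target, so this section should say that the retry applies only to the configured index URL and spell out the outcome for a 401 from a redirect target (for example, fail rather than retry with the token). Separately, the context line has a typo: "unimplemeneted" should read "unimplemented".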
@@ -103,7 +94,17 @@ Alternatives:
103
94
## Credential Process
104
95
The `credential-process` system could be extended to support generating tokens rather than only storing them. This would further improve security and allow additional features such as 2FA prompts.
105
96
97
+
## Local configuration option
98
+
To avoid the overhead of an extra HTTP request when fetching `config.json`, the user could optionally configure Cargo locally by setting `auth-required` in the `[registries]` table. If the local `auth-required` flag is `true`, then Cargo could include the Authorization token when initially fetching `config.json` over HTTP. If it is `false`, Cargo would not include the Authorization token when fetching `config.json`. If it is unset, Cargo would perform the auto-detection described above.
99
+
100
+
This local configuration option would not impact other registry operations, such as API requests or downloads (which are controlled by the flag in `config.json`). It also would not impact git-based registries.
101
+
102
+
```toml
103
+
[registries]
104
+
my-registry = { index = "sparse+https://example.com/index", auth-required = true }
105
+
```
106
+
106
107
## Authentication for Git-based registries
107
108
Private registries may want to use the same Authorization header for controlling access to a git-based index over `https`, rather than letting git handle the authentication separately.
108
109
109
-
This could be enabled by the same local configuration key `auth-required = true` in the `[registries]` table. Both `libgit2` and the `git` command line have a mechanism for specifying an additional header that could be used to pass the Authorization header.
110
+
This could be enabled by the same local configuration key `auth-required = true` in the `[registries]` table. Both `libgit2` and the `git` command line have a mechanism for specifying an additional header that could be used to pass the Authorization header.
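Review bot: The new "Local configuration option" section says the option "also would not impact git-based registries", while the section right after it, "Authentication for Git-based registries", proposes sending the header to a git index through "the same local configuration key `auth-required = true`". Now that the two sit side by side, one of them needs rewording so the scope of the key is unambiguous. In the moved text, "the auto-detection described above" no longer follows the description it points at, so name the section ("Interaction with HTTP registries") instead. The removed and added lines at the end of the hunk look identical, so that change is presumably whitespace or an end-of-file newline; worth confirming it is intentional.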