Poetry: 1.1.0rc1: POETRY_HTTP_BASIC_ environment variables are ignored for private repositories

Created on 11 Aug 2020 · 2 Comments · Source: python-poetry/poetry

  • [x] I am on the latest Poetry version.
  • [x] I have searched the issues of this repo and believe that this is not a duplicate.
  • [x] If an exception occurs when executing a command, I executed it again in debug mode (-vvv option).

Issue

Downloading wheels from an Azure DevOps feed fails with a 401 Unauthorized error using http-basic authorization. This is true whether creds are set with poetry config or env vars. Version collection still succeeds from the private repo. This is a bug (or undocumented interface change?) with the 1.1.0 prereleases, since everything works fine with 1.0.5.

Snippet of poetry update -vvv output:

Package operations: 0 installs, 1 update, 0 removals

  • Updating data-utils (0.7.0 -> 0.6.20): Pending...
  • Updating data-utils (0.7.0 -> 0.6.20): Failed

HTTPError

401 Client Error: Unauthorized for url: https://guycarp.pkgs.visualstudio.com/9fb36d55-4aac-44bd-9e13-0d2773f027b9/_packaging/c31f3100-0441-4ca7-8b74-4f948c9eb523/pypi/download/data-utils/0.6.20/data_utils-0.6.20-py3-none-any.whl#sha256=40ba0db196547929b735f3aee626be3ebdc990c929d1f5c0623ba6affd129588
Bug Repository

All 2 comments

I've been trying to debug this and the issue seems to be the following:

  • The install executor do_execute asks the chooser to pick a url for the package to download
  • The LegacyRepository returns a list of urls without basic auth credentials in the url from find_links_for_package
  • The install executor tries to download the link without any credentials or session information.

The LegacyRepository has a _get but this is not used and contains a reference to self._url instead of self.authenticated_url which might be a bug in and of itself?

I ran into the same issue. Do you also set credentials via environment variables? See if #2955 solves it for you as well.
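
Added example, not part of the thread and not Poetry's own code: a sketch of the check the first comment's diagnosis implies, where a download link gets the repository's basic-auth credentials only when it is served from the same HTTPS origin as the configured index. The repository name, host, credentials and helper names are constructed, and the environment-variable name normalization shown is an assumption of this example.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample configuration: repository name -> index URL (placeholder host).
REPOS = {"feed": "https://pkgs.example.test/org/_packaging/feed/pypi/simple/"}
# Constructed environment, using the POETRY_HTTP_BASIC_<NAME>_USERNAME/_PASSWORD convention.
ENV = {
    "POETRY_HTTP_BASIC_FEED_USERNAME": "build",
    "POETRY_HTTP_BASIC_FEED_PASSWORD": "constructed-token",
}


def credentials_from_env(repo_name, environ):
    """Return (username, password) for a repository name, or None if unset."""
    # Assumption of this example: the name is upper-cased and "-" becomes "_".
    key = repo_name.upper().replace("-", "_")
    user = environ.get(f"POETRY_HTTP_BASIC_{key}_USERNAME")
    if user is None:
        return None
    return user, environ.get(f"POETRY_HTTP_BASIC_{key}_PASSWORD", "")


def origin(url):
    """Scheme, host and port identify where a request is actually sent."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, parts.port


def auth_header_for(link, repos, environ):
    """Basic-auth header for a download link, only if it shares a repository's origin."""
    for name, index_url in repos.items():
        if origin(link) != origin(index_url) or origin(link)[0] != "https":
            continue  # never send credentials to another host or over plain HTTP
        creds = credentials_from_env(name, environ)
        if creds is None:
            continue
        token = base64.b64encode(":".join(creds).encode()).decode()
        return {"Authorization": f"Basic {token}"}
    return {}


if __name__ == "__main__":
    wheel = ("https://pkgs.example.test/org/_packaging/feed/pypi/download/"
             "data-utils/0.6.20/data_utils-0.6.20-py3-none-any.whl")
    print(auth_header_for(wheel, REPOS, ENV))  # header attached
    print(auth_header_for("https://files.example.org/x.whl", REPOS, ENV))  # {}
```

A bare link fetched without this header reproduces the 401 from the issue, while the origin check keeps the credentials from being sent to hosts the index merely links to.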
