I've recently added a Gmail to my Google account (I haven't had a Gmail in my Google account before, since it was an old migrated YouTube account). I wasn't aware that would change the main mail linked with my Google account, so now it won't let me publish package updates to Pub, because of this new mail address.
UnauthorizedAccess: Unauthorized user: [email protected] is not allowed to upload versions to package signalr2..
Any idea on how to proceed? Can you guys maybe change the uploader mail address for all my packages?
@rinukkusu You should be able to add an uploader to the package via pub uploader add <email> and pub uploader remove <email>.
The currently used e-mail is in the file ~/.pub-cache/credentials.json, and you if you have multiple e-mails to upload, you probably want to save the file to a different location, re-authorize your other e-mail address, and save that somewhere else. With the two versions saved, you can always override the credentials.json with the desired version.
@isoos thanks for chiming in!
When trying to add my new mail I just get a bland Unauthorized request. in the terminal.
My credentials.json doesn't contain an e-mail, it rather has the following structure:
{
"accessToken": "...",
"refreshToken": "...",
"tokenEndpoint": "https://accounts.google.com/o/oauth2/token",
"scopes": ["https://www.googleapis.com/auth/userinfo.email"],
"expiration": 123456789
}
I tried reauthenticating, but it still yielded the same error message like in my original post.
Looks great! Are you ready to upload your package (y/n)? y
Pub needs your authorization to upload packages on your behalf.
In a web browser, go to https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&response_type=code&client_id=.....
Then click "Allow access".
Waiting for your authorization...
Authorization received, processing...
Successfully authorized.
Uploading... (2.5s)
UnauthorizedAccess: Unauthorized user: [email protected] is not allowed to upload versions to package signalr2..
I get the feeling this is solely mail address based on pub's side, not google account based. :(
My credential files works the same way, it doesn't have the e-mail address unencrypted.
credentials.jsonpub uploader add <new-email>credentials.jsonThe problem is, that this is my only Google account - I can't use a different e-mail or old e-mail - it's the same account. Google just attached the new Gmail e-mail [email protected] to it as its main e-mail and set the old e-mail [email protected] as alternative e-mail.
So I can't decide for myself which one I want to use.
I have the same issue. I last published my library in 2015 and now I'm unable to publish a new version of the library because the email on pub is my alternative email on the google account instead of the primary one.
See https://github.com/Atrox/haikunatordart/pull/1#issuecomment-411724762
@isoos Do you know who to pull into this conversation? I am not able to push package updates for over 1.5 months now and I really want to update them to Dart SDK 2.0. 馃樃
@sortie @nex3 any idea here?
Unclear. It sounds like the google account has an alternate email, which owns the package. When pub authenticates with the google account, it gets the primary mail listed, which is refused because it's not the alternate mail that owns the package.
Do we have a way of canonicalizing alternate emails? Does the authentication of the google account provide us with alternative emails that we can also check? We might need to talk to the google accounts team.
If we can authenticate that @rinukkusu is indeed the owner of the package signalr2, then we can transfer ownership to the new package. We can do the same for @Atrox. This doesn't give us a lasting solution though.
I would prefer to keep my alternate email listed on pub because I don't want to publicly list my primary google email. So I personally would highly prefer a way for pub to also check the alternate emails, if possible.
Thanks for checking in on this issue @sortie.
Hi @rinukkusu, sorry for the delay, I had you mixed up with @Atrox who is asking for something we can't deliver right now. I've transferred the signalr2 package to your new email address. Pub is authenticating people with their email address rather than a permanent token associated with your google account, renaming your account will cause this problem. That's bad and we'd like to fix this problem in the future. Hopefully everything should be working on your end now and I hope you enjoy Dart 2.
Hi @Atrox. Pub does not have a private email mode at this time. We'd like to add domain name validation in the future so you can use ownership of a domain as your identity, but that's not available right now. At this time, you'll need to have an email listed. At this time, that must be the primary email address of your google account. @jonasfj, do you think it's possible we can check for alternative email addresses associated with the google account when using oauth2? I can transfer ownership of your package to your new primary email (please open a new issue about that). If you don't want that, you can potentially try to make a new google account for the purpose of publishing packages.
I'll close this issue now. @rinukkusu please reopen if it doesn't work for you. @Atrox please open a new issue about your particular case.
do you think it's possible we can check for alternative email addresses associated with the google account when using oauth2?
I suspect it could easily introduce security concerns if secondary addresses aren't properly validated.
Hi @sortie, thanks for helping me out - and yes I'd need the transfer also for the following packages:
Thanks a lot in advance!! 馃槃
Done! :)
Most helpful comment
Unclear. It sounds like the google account has an alternate email, which owns the package. When pub authenticates with the google account, it gets the primary mail listed, which is refused because it's not the alternate mail that owns the package.
Do we have a way of canonicalizing alternate emails? Does the authentication of the google account provide us with alternative emails that we can also check? We might need to talk to the google accounts team.
If we can authenticate that @rinukkusu is indeed the owner of the package signalr2, then we can transfer ownership to the new package. We can do the same for @Atrox. This doesn't give us a lasting solution though.