Warehouse: [Non-prefixed API tokens] may cause HTTP 500 Internal Server Error
Describe the bug
Following this Tweeter thread https://twitter.com/cedrickrier/status/1156922196213805056?s=19 it seems like using a @token username and a non-prefixed token as a password results in HTTP 500 response which probably means a traceback in the backend logs.
Needs to be verified tho.
Expected behavior
HTTP 403
To Reproduce
N/A
My Platform
N/A
Additional context
N/A
webknjaz
All 10 comments
cc @cedk who reported this.
brainwane
on 4 Aug 2019
Per our conversation in a planning meeting a few days ago, some of our upcoming fixes will probably address this -- I'll keep an eye on it.
brainwane
on 5 Aug 2019
I think the real issue here is that folks are interpreting the pypi: prefix as not part of the token. Changing the prefix may not resolve that issue.
di
on 5 Aug 2019
Totally! I think that maybe some warning âš there would be helpful.
webknjaz
on 5 Aug 2019
But still the HTTP error code shouldn't be 500.
webknjaz
on 5 Aug 2019
Agreed, @woodruffw can we do a better job of catching this issue?
di
on 6 Aug 2019
Yep, we can. I'll take a look at it tomorrow!
woodruffw
on 6 Aug 2019
Just tried reproducing this on master by dropping pypi- from the token, but didn't receive a 500 error (got the expected 403).
My steps:
- Create a new token with "user" scope
- Copy the token, minus
pypi-prefix, to my.pypirc twine upload --repository localhost dist/*
@webknjaz Do you have any additional information that could help me repro here?
woodruffw
on 6 Aug 2019
Sorry, I only know what's in that Twitter thread.
webknjaz
on 6 Aug 2019
Fixed in #6384.
di
on 7 Aug 2019
Related issues
nlhkabu
·
4Comments
NathanBnm
·
3Comments
gautamkrishnar
·
4Comments
nlhkabu
·
4Comments
zt2
·
4Comments