Use private repository token to download packages #7829

Closed
4 tasks done
ClementPinard opened this issue Apr 21, 2023 · 3 comments
Labels
kind/bug Something isn't working as expected status/triage This issue needs to be triaged

Comments

@ClementPinard

  • Poetry version: 1.4.2

  • Python version: 3.10

  • OS version and name: Ubuntu 22.04

  • I am on the latest stable Poetry version, installed using a recommended method.

  • I have searched the issues of this repo and believe that this is not a duplicate.

  • I have consulted the FAQ and blog for any relevant entries or release notes.

  • If an exception occurs when executing a command, I executed it again in debug mode (-vvv option) and have included the output below.

Issue

When using a private pypi registry that uses a token (i.e. credentials with a username set to __token__), setting the token with

poetry config pypi-token.<source> <token>

does not work, while

poetry config http-basic.<source> __token__ <token>

does work.

Upon investigation, it looks like setting a pypi token does not set a new entry in the auth.toml file the same way setting an "http-basic" does, as can be seen here: https://github.com/python-poetry/poetry/blob/master/src/poetry/utils/password_manager.py#L166

In addition, when downloading a package from a private source, the code only ever tries to get http credentials and fails since the source is not present in the auth.toml file. It seems the token is only ever used for publishing a package and not for downloading it.

See how only the http credentials are tried for downloading: https://github.com/python-poetry/poetry/blob/master/src/poetry/utils/authenticator.py#L294

It's not a very big problem, because using the username __token__ just works. But it's inconsistent with the documentation, and not being able to use the poetry config pypi-token.<source> is annoying.

The two obvious solutions are:

  • Add the __token__ username entry for <source> in auth.toml when adding a token, so that the authenticator now believes there's a named credential with the username __token__
  • Make the authenticator search for both http credentials and a pypi token.

Depends on design choice, so I'll let you discuss what would be the best.

I am personally more for the second solution because it seems more resilient to potential (albeit unlikely) changes of how tokens work in pypi, but it would also mean more implementation.

@ClementPinard ClementPinard added kind/bug Something isn't working as expected status/triage This issue needs to be triaged labels Apr 21, 2023
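
A model of the second proposal in the issue above (search both HTTP credentials and a stored token when downloading), added here as an illustration and not part of the original post or Poetry's own code. The dict layout, function names and token values are assumptions constructed for the example.

```python
# Illustrative model only: plain dicts stand in for stored credentials.
# Nothing here is Poetry's API; names and layout are hypothetical.
from base64 import b64encode
from typing import Optional, Tuple

Creds = Tuple[str, str]
TOKEN_USERNAME = "__token__"  # username the issue reports as working with http-basic

# Constructed sample: "internal" was configured with pypi-token only,
# "legacy" with http-basic. Token values are placeholders.
SAMPLE_CONFIG = {
    "http-basic": {
        "legacy": {"username": "__token__", "password": "tok-legacy-PLACEHOLDER"},
    },
    "pypi-token": {"internal": "tok-internal-PLACEHOLDER"},
}


def http_only_lookup(config: dict, source: str) -> Optional[Creds]:
    """Behaviour the issue describes: only http-basic entries are consulted."""
    entry = config.get("http-basic", {}).get(source)
    if not entry:
        return None
    return entry["username"], entry["password"]


def lookup_with_token_fallback(config: dict, source: str) -> Optional[Creds]:
    """Second proposal: try http-basic first, then a token stored for the same source."""
    creds = http_only_lookup(config, source)
    if creds is not None:
        return creds
    # Match on the exact source name so a token is never offered to another index.
    token = config.get("pypi-token", {}).get(source)
    if token:
        return TOKEN_USERNAME, token
    return None


def basic_auth_header(creds: Creds) -> str:
    """Build the HTTP Basic Authorization value for a (username, password) pair."""
    user, password = creds
    return "Basic " + b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    for name in ("internal", "legacy", "unknown"):
        print(name, http_only_lookup(SAMPLE_CONFIG, name) is not None,
              lookup_with_token_fallback(SAMPLE_CONFIG, name) is not None)
```

With the fallback, a source configured through either command yields the same Basic header for the same token, which is the consistency the issue asks for.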
@dimbleby
Contributor

I'm not sure that this is inconsistent with the documentation. So far as I can see the only discussion of pypi-token in the docs is inside a note telling you that this is an option you can use when publishing.

I'd likely prefer to deprecate and remove pypi-token altogether, I don't see any point in having two ways to do the same thing

@dimbleby
Contributor

seems like a duplicate #2538 anyway, please close


This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 29, 2024