Allow token authentication for insecure hosted repositories #3286

Closed
dtretyakov opened this issue Jan 13, 2022 · 2 comments

@dtretyakov

Hi, PR #3007 introduced support for hosted repositories, but as a result the dart client throws an exception when you try to add a token for a repository with the HTTP protocol:

url must be https://, insecure repositories cannot use authentication.

Reference:

if (!hostedUrl.isScheme('HTTPS')) {

We're working on support for Dart package hosting as part of our product and would like to run integration tests by using the current dart client against a local service (HTTP) in a CI environment. Currently, it's impossible to opt out of that security verification check.

What we could do with that:

  • Introduce the ability to disable the security check, as is done in other tools, e.g. skopeo --tls-verify=false.
  • Fork the client and make our own builds without HTTPS enforcement.

The first option is preferred for us, but what is the Dart team's opinion about that?

@sigurdm
Contributor

sigurdm commented Jan 18, 2022

We don't want a way of adding insecure hosts.

You can look into ngrok (https://ngrok.com/)
Or you can create custom token files (they are not checked at usage).

If these are not sufficient for your purposes we might accept a contribution that allows insecure hosts only if they are localhost (but with no command-line option).
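
The localhost-only exception described in the comment above could be checked as in the following sketch. It is an added example, not code from this thread, from pub, or from the PR mentioned below; `mayStoreToken` and `isLoopbackHost` are hypothetical names, and the sample URLs are constructed.

```dart
import 'dart:io';

/// Hypothetical helper (not pub's own code): a token may be stored for
/// [hostedUrl] if it uses HTTPS, or plain HTTP to a loopback host only.
bool mayStoreToken(Uri hostedUrl) {
  if (hostedUrl.isScheme('HTTPS')) return true;
  if (!hostedUrl.isScheme('HTTP')) return false;
  return isLoopbackHost(hostedUrl.host);
}

/// True for the literal name `localhost` and for loopback IP literals.
/// Assumption: the name is compared as text and never resolved, so a
/// look-alike such as `localhost.example.com` is not accepted.
bool isLoopbackHost(String host) {
  if (host.toLowerCase() == 'localhost') return true;
  // Uri.host already strips the brackets from IPv6 literals like [::1].
  final address = InternetAddress.tryParse(host);
  return address != null && address.isLoopback;
}

void main() {
  // Constructed sample URLs, not taken from the issue.
  const samples = [
    'https://pub.example.com',
    'http://localhost:8080',
    'http://127.0.0.1:8080/api',
    'http://[::1]:8080',
    'http://pub.example.com',
    // Host only starts with "localhost".
    'http://localhost.example.com',
    // "localhost" is the userinfo part here; the host is pub.example.com.
    'http://localhost@pub.example.com',
  ];
  for (final sample in samples) {
    final verdict = mayStoreToken(Uri.parse(sample)) ? 'allow ' : 'reject';
    print('$verdict $sample');
  }
}
```

The check works on the parsed `Uri.host` rather than on the raw string, which is what keeps the last two samples from passing as local.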

@ricardoboss
Contributor

@sigurdm I also ran into this issue and created a PR following your suggestion. Can you take a look?
