API tokens: Remove @token and pypi: cases #6345

Closed
woodruffw opened this issue Aug 1, 2019 · 17 comments · Fixed by #6368
Comments

@woodruffw
Member

woodruffw commented Aug 1, 2019

At some point in the future (perhaps at the end of the API token beta?), support for @token as a token username and pypi: as a token prefix should end in favor of __token__ and pypi-, respectively.

See #6287, #6342.

cc @brainwane @di @ewdurbin @dstufft

@brainwane
Contributor

I'm in favor of doing this before the end of the beta, so that we can tell beta testers to try the new token usernames and prefixes, so we can find out during the beta whether the new ones cause any glitches.

@fschulze

fschulze commented Aug 2, 2019

Would it be too much to just reserve the "token" username? Is it already in use? GitHub does that for things like "issues" etc.

@hugovk
Contributor

hugovk commented Aug 2, 2019

Looks like the token username is unused: https://pypi.org/user/token/

@graingert
Contributor

@fschulze @hugovk you want something that other PyPIs, e.g. devpi, can use, so you want something that was impossible to register previously.

@pradyunsg
Contributor

I’ve gone ahead and squatted that name.

Obviously, I’m cool with just removing that account or let PyPI admins do whatever they deem necessary with that name.

@graingert
Contributor

How about '🎟' as the username? e.g. "\N{ADMISSION TICKETS}"

@fschulze

fschulze commented Aug 2, 2019

@graingert what does the pypi.org username have to do with devpi? The devpi push command needs the pypi credentials anyway when used for pypi release.

@graingert
Contributor

graingert commented Aug 2, 2019

@fschulze devpi would probably want to support this API token authentication scheme too. If an install has a user called "token", it would break that user for them. I'm thinking downstream "twine upload -r devpi", not upstream PyPI.

@fschulze

fschulze commented Aug 2, 2019

@graingert it would use separate credentials anyway as it already does now. I don't see any reason accounts on pypi would interfere with devpi or the other way around.

@graingert
Contributor

Yes, but the "token" username is part of the API tokens auth protocol.

@fschulze

fschulze commented Aug 2, 2019

@graingert yes and it doesn't matter in devpi, because the API is specific to pypi.org. Otherwise all users in devpi would conflict with pypi.org already. If we implement upload tokens in devpi, then we would handle that on the devpi side. It is pretty easy to determine whether a token was used or not. Any token user in devpi would not interfere, because we can check whether we got a token or not by inspecting or validating it. So twine would work with devpi as soon as we would add token support and we wouldn't even have to block the token user name.

@woodruffw
Member Author

It's ultimately the maintainers' call, but I'm 👎 on plain token (or similar) for a few reasons:

  1. Semantically, tokens are not passwords, so it doesn't make sense for them to have a valid username associated with them (apart from their relationship to the bearing user). The only reason we have a "username" at all in the scheme is backwards compatibility with Authorization: basic -- IIUC, the eventual plan is to update tools like twine and setuptools to use Authorization: token <macaroon> directly.
  2. Similarly, it's especially confusing to have a valid, different username (e.g., the squatted token) built into the validation scheme for all users' tokens.
  3. ^token or similar is a lot easier to search for than token.

@brainwane brainwane added this to the OTF Security work milestone Aug 2, 2019
@graingert
Contributor

Is there a regex of currently valid PyPI usernames so we can be more informed when picking an intentionally invalid one?

@graingert
Contributor

So some examples:

_token, -token, .token
token_, token-, token.

and my personal favorite:
__token__

@graingert
Contributor

graingert commented Aug 3, 2019

tokentokentokentokentokentokentokentokentokentokentoken is also an invalid username, because it is too long.
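The two points made in this thread, woodruffw's (tokens ride inside `Authorization: Basic` only for backwards compatibility, so the "username" must be something no account can hold and the prefix must be easy to grep for) and graingert's (pick a username the registration rules can never have accepted), can be checked mechanically. The following is an added illustration written for this page; it is not Warehouse, twine or devpi code. The username pattern and the 50-character limit are assumptions standing in for PyPI's real validation, the token values are constructed, and the "reject a token-shaped secret under an ordinary username" branch is a policy choice made here for illustration, not something the thread decides.

```python
import base64
import re

# ASSUMED username rule, modelled on the shape of PyPI's validation rather than copied
# from it: alphanumerics, with dots, underscores and hyphens allowed only between them,
# and at most 50 characters. Anything this rejects can never have been registered.
USERNAME_RE = re.compile(r"^(?:[A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9._-]*[A-Za-z0-9])$")
USERNAME_MAX_LEN = 50

# The reserved username and prefix proposed in this issue, and the beta-era forms
# the issue wants to retire.
TOKEN_USERNAME = "__token__"
TOKEN_PREFIX = "pypi-"
LEGACY_TOKEN_USERNAME = "@token"
LEGACY_TOKEN_PREFIX = "pypi:"


def is_valid_username(name: str) -> bool:
    """True if `name` could be registered under the assumed rule."""
    return len(name) <= USERNAME_MAX_LEN and USERNAME_RE.fullmatch(name) is not None


def unregisterable(candidates):
    """Return the candidates that the assumed rule would never accept as a username."""
    return [c for c in candidates if not is_valid_username(c)]


def basic_header(user: str, secret: str) -> str:
    """Build the header value a client such as twine would send."""
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()


def parse_basic_auth(header: str):
    """Return (username, secret) from an Authorization header, or None if malformed."""
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        raw = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, secret = raw.partition(":")  # first colon splits; tokens may contain colons
    if not sep:
        return None
    return user, secret


def classify_credentials(header: str, allow_legacy: bool = False) -> dict:
    """Route a request to token verification or password verification by shape alone.

    Returns {"kind": "token" | "password" | "rejected", "reason": ...}. A real server
    would deserialize and verify the macaroon on the "token" path; this only decides
    which path applies, which is what the reserved username and prefix exist for.
    """
    parsed = parse_basic_auth(header)
    if parsed is None:
        return {"kind": "rejected", "reason": "malformed Basic credentials"}
    user, secret = parsed

    token_usernames = {TOKEN_USERNAME}
    token_prefixes = (TOKEN_PREFIX,)
    if allow_legacy:  # only during the transition window the issue describes
        token_usernames.add(LEGACY_TOKEN_USERNAME)
        token_prefixes = (TOKEN_PREFIX, LEGACY_TOKEN_PREFIX)

    if user in token_usernames:
        if not secret.startswith(token_prefixes):
            return {"kind": "rejected", "reason": "token username without a token-prefixed secret"}
        return {"kind": "token", "reason": "reserved username and prefix matched"}

    if secret.startswith(token_prefixes):
        # Policy choice for this example: a token pasted under a real username is a
        # client misconfiguration, not a password attempt, so fail it explicitly.
        return {"kind": "rejected", "reason": "token-prefixed secret under a non-token username"}

    if not is_valid_username(user):
        return {"kind": "rejected", "reason": "username could never have been registered"}
    return {"kind": "password", "reason": "ordinary username and password"}


if __name__ == "__main__":
    # Constructed inputs: graingert's candidates plus the forms debated in the thread.
    print(unregisterable(["token", "__token__", "@token", "_token", "token.", "token" * 11]))
    print(classify_credentials(basic_header("__token__", "pypi-AgEIcHlwaS5vcmc")))
    print(classify_credentials(basic_header("@token", "pypi:AgEIcHlwaS5vcmc")))
    print(classify_credentials(basic_header("@token", "pypi:AgEIcHlwaS5vcmc"), allow_legacy=True))
```

Under the assumed rule, plain `token` is a perfectly good username (which is why it could be squatted), while `__token__` fails on its leading underscore and `@token` on the `@`, so neither can collide with an account on PyPI or on any other index that adopts the same rule. The legacy forms only authenticate when `allow_legacy=True`, which is the switch that would be flipped off at the end of the beta.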

@pradyunsg
Contributor

pradyunsg commented Aug 4, 2019

__token__ me likey.

7 participants