fix(auth); add auth scheme hint to token rejected error for alt

registries

Author: enricobolzonello

src/cargo/util/auth/mod.rs

@@ -400,6 +400,8 @@ pub struct AuthorizationError {
     reason: AuthorizationErrorReason,
     /// Should `cargo login` and the `_TOKEN` env var be included when displaying this error?
     supports_cargo_token_credential_provider: bool,
+    /// Whether the cached token appears to lack an authentication scheme (no space found).
+    token_lacks_scheme: Option<bool>,
 }
 
 impl AuthorizationError {
@@ -416,12 +418,17 @@ impl AuthorizationError {
             credential_provider(gctx, &sid, false, false)?
                 .iter()
                 .any(|p| p.first().map(String::as_str) == Some("cargo:token"));
+        let cache = gctx.credential_cache();
+        let token_lacks_scheme = cache
+            .get(sid.canonical_url())
+            .map(|entry| !entry.token_value.as_deref().expose().contains(' '));
         Ok(AuthorizationError {
             sid,
             default_registry: gctx.default_registry()?,
             login_url,
             reason,
             supports_cargo_token_credential_provider,
+            token_lacks_scheme,
         })
     }
 }
@@ -461,6 +468,15 @@ impl fmt::Display for AuthorizationError {
                     "\nYou may need to log in using this registry's credential provider"
                 )?;
             }
+
+            if self.reason == AuthorizationErrorReason::TokenRejected {
+                if self.token_lacks_scheme == Some(true) {
+                    write!(
+                        f,
+                        "\nnote: the token does not include an authentication scheme"
+                    )?;
+                }
+            }
             Ok(())
         } else if self.reason == AuthorizationErrorReason::TokenMissing {
             write!(

tests/testsuite/registry_auth.rs

@@ -225,6 +225,7 @@ fn bad_environment_token_with_asymmetric_subject() {
 Caused by:
   token rejected for `alternative`, please run `cargo login --registry alternative`
   or use environment variable CARGO_REGISTRIES_ALTERNATIVE_TOKEN
+  [NOTE] the token does not include an authentication scheme
 
 Caused by:
   failed to get successful HTTP response from `http://127.0.0.1:[..]/index/config.json`, got 401
@@ -260,6 +261,7 @@ fn bad_environment_token_with_asymmetric_incorrect_subject() {
 Caused by:
   token rejected for `alternative`, please run `cargo login --registry alternative`
   or use environment variable CARGO_REGISTRIES_ALTERNATIVE_TOKEN
+  [NOTE] the token does not include an authentication scheme
 
 Caused by:
   failed to get successful HTTP response from `http://127.0.0.1:[..]/index/config.json`, got 401
@@ -298,6 +300,7 @@ fn bad_environment_token_with_incorrect_asymmetric() {
 Caused by:
   token rejected for `alternative`, please run `cargo login --registry alternative`
   or use environment variable CARGO_REGISTRIES_ALTERNATIVE_TOKEN
+  [NOTE] the token does not include an authentication scheme
 
 Caused by:
   failed to get successful HTTP response from `http://127.0.0.1:[..]/index/config.json`, got 401
@@ -380,6 +383,7 @@ fn incorrect_token() {
 Caused by:
   token rejected for `alternative`, please run `cargo login --registry alternative`
   or use environment variable CARGO_REGISTRIES_ALTERNATIVE_TOKEN
+  [NOTE] the token does not include an authentication scheme
 
 Caused by:
   failed to get successful HTTP response from `http://127.0.0.1:[..]/index/config.json`, got 401