Remove support for passwords in upload API #13770

Closed
Tracked by #14010
dstufft opened this issue May 26, 2023 · 3 comments · Fixed by #15182

Labels
2FA feature request security Security-related issues and pull requests

Comments

@dstufft
Member

dstufft commented May 26, 2023

With the push to 2FA we should eventually just remove the ability to authenticate with username/password in uploads altogether and just require an API token.

Ideally this comes after #13769.

This differs from #7265 in that #7265 only applies to people who have 2FA on their account; this applies to everyone.

@dstufft dstufft added feature request security Security-related issues and pull requests 2FA labels May 26, 2023
@ewdurbin
Member

ewdurbin commented Jun 1, 2023

duplicate of #7265

@ewdurbin ewdurbin closed this as completed Jun 1, 2023
@ewdurbin ewdurbin reopened this Jun 1, 2023
@ewdurbin
Member

ewdurbin commented Jun 1, 2023

ope sorry :)

@miketheman
Member

A message will now be returned to users attempting to upload with basic auth.

We should eventually remove most of the associated code in the policy and simplify the logic to return the message regardless of whether the account works or not. Leaving this open as a reminder for that.

miketheman added a commit to miketheman/warehouse that referenced this issue Jan 10, 2024
Now that the active policies are Session (for web) and Macaroon (for
upload), remove the bulk of the BasicAuth policy.

Move the logic farther up the chain, so that there's no extra work put
in before telling the user that they should migrate to API Tokens.

Resolves pypi#13770

Signed-off-by: Mike Fiedler <miketheman@gmail.com>