Allow empty and `Bearer` auth schemes in `Authorization` headers #11350

Turbo87 · 2025-06-12T15:55:51Z

cargo publish was built without using an auth scheme in the Authorization header. Regular HTTP client libraries often only support either basic or bearer authentication, but not empty auth schemes.

The regular API tokens currently only support an empty auth scheme, while Trusted Publishing was (mistakenly) built in a way to only support the Bearer auth scheme.

This PR adjusts both code paths to use a shared Authorization header extractor which allows usage of an empty auth scheme, or the Bearer auth scheme, regardless of the type of token that is used or the API endpoint it is used on.

eth3lbert

Yeah, I just checked that there's even an open issue in cargo about the auth scheme. But anyway, this LGTM. I just left a small nit. Maybe we also want to add some comments in the codebase, even linking to issues, to provide context and explain why we need to support this.

src/controllers/trustpub/tokens/revoke/tests.rs

... by using the new `AuthHeader` extractor, which also slightly improves our error messages.

All of our users at this point have `&str` anyway, so we might as well operate on strings.

Turbo87 added C-bug 🐞 Category: unintended, undesired behavior C-enhancement ✨ Category: Adding new behavior or a change to the way an existing feature works A-backend ⚙️ labels Jun 12, 2025

Turbo87 requested a review from a team June 12, 2025 15:55

Turbo87 force-pushed the beware-of-the-bears branch 5 times, most recently from e7b3cb4 to 2829fb1 Compare June 13, 2025 17:25

eth3lbert approved these changes Jun 14, 2025

View reviewed changes

src/controllers/trustpub/tokens/revoke/tests.rs Outdated Show resolved Hide resolved

Turbo87 added 7 commits June 14, 2025 15:47

Extract AuthHeader for Authorization header parsing

7bf7c45

AuthHeader: Allow empty auth scheme in Authorization header

41fed8d

AuthHeader: Improve Authorization header error messages

bd3db7e

publish: Allow empty auth scheme for Trusted Publishing tokens

55000d6

... by using the new `AuthHeader` extractor, which also slightly improves our error messages.

Allow Bearer auth scheme for API tokens

4c32374

... by using the new `AuthHeader` extractor, which also slightly improves our error messages.

AccessToken: Implement FromStr trait and update parsing usages

3b69487

All of our users at this point have `&str` anyway, so we might as well operate on strings.

AccessToken: Inline from_byte_str() fn

cd28aa3

Turbo87 force-pushed the beware-of-the-bears branch from 2829fb1 to cd28aa3 Compare June 14, 2025 13:51

Turbo87 enabled auto-merge June 14, 2025 13:51

Turbo87 merged commit dec66ae into rust-lang:main Jun 14, 2025
19 of 20 checks passed

Turbo87 deleted the beware-of-the-bears branch June 14, 2025 14:18

Turbo87 mentioned this pull request Jun 14, 2025

auth-scheme missing from Authorization header when talking to registry rust-lang/cargo#4989

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Allow empty and `Bearer` auth schemes in `Authorization` headers #11350

Allow empty and `Bearer` auth schemes in `Authorization` headers #11350

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Allow empty and Bearer auth schemes in Authorization headers #11350

Allow empty and Bearer auth schemes in Authorization headers #11350

Uh oh!

Conversation

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Allow empty and `Bearer` auth schemes in `Authorization` headers #11350

Allow empty and `Bearer` auth schemes in `Authorization` headers #11350