Omitting trailing slash on some PEP 503 repositories prevents inferring the correct upload URL

[zahlman]

• Poetry version: 1.2.1
• Python version: 3.8.10
• OS version and name: Linux Mint 20.3 Una
• pyproject.toml: not applicable

• I am on the latest stable Poetry version, installed using a recommended method.
• I have searched the issues of this repo and believe that this is not a duplicate.
• I have consulted the FAQ and blog for any relevant entries or release notes.
• If an exception occurs when executing a command, I executed it again in debug mode (-vvv option) and have included the output below. (not applicable)

Issue

Apologies for reporting essentially two issues at once, but trying to figure out the first led directly into the second for me.

The first is the same basic issue reported in #3600, now in 1.2.1 - configuring poetry config repositories.testpypi https://test.pypi.org/legacy without the trailing slash caused silent failures.

The thing is, I get silent failures this way even when using twine (or poetry run twine, as described in Issue #742) to upload instead would succeed. The only symptom is that the package does not appear on TestPyPI.

Second issue: after adding the trailing slash and trying again, I got noisy failures instead -

$ poetry config repositories.testpypi https://test.pypi.org/legacy/
$ poetry config pypi-token.testpypi <api token omitted>
$ poetry publish -r testpypi

Publishing <package name omitted> to testpypi
 - Uploading <file name omitted> FAILED

HTTP Error 403: Invalid or non-existent authentication information. See https://
test.pypi.org/help/#invalid-auth for more information. | b'<html>\n <head>\n  <t
itle>403 Invalid or non-existent authentication information. See https://test.py
pi.org/help/#invalid-auth for more information.\n \n <body>\n  <h1>403 Invalid o
r non-existent authentication information. See https://test.pypi.org/help/#inval
id-auth for more information.\n  Access was denied to this resource.<br/><br/>\n
Invalid or non-existent authentication information. See https://test.pypi.org/he
lp/#invalid-auth for more information.\n\n\n \n'

As far as I can tell, poetry config pypi-token.testpypi <API token> doesn't actually do anything, despite everything I can find in the documentation and third-party guides. There is no update to the content of ~/.config/pypoetry/config.toml, and I get the error shown above when trying to use poetry publish. (If it is supposed to write information somewhere else, I have no idea how to verify that.) It seems I am forced to specify my actual username and password explicitly on the command line. Even setting the username to __token__ and password to the API token value, as described in PyPI's help, does not seem to work.

[neersighted]

The token issue is external to Poetry -- pypi-token.<repo name> simply sets the username to __token__ and the password to <API token>. As evidenced by the fact that setting http-basic did not work, this is on the TestPyPi side.

Regarding the trailing slash, we can't really surface errors here as there is no feedback from the repository on our requests failing. The nature of these legacy/'simple' APIs is to be undiscoverable and very much "leap before you look".

It appears twine is normalizing the URL by adding a trailing slash -- it should be trivial to do the same in Poetry, if you are interested.

[zahlman]

I eventually worked out that the "unique identifier" I see on my TestPyPI account management page is not the API key, and that it cannot be recovered. I seem to have lost track of my original key while migrating to Linux and/or reinstalling Poetry, so I ended up having to generate a new one.

I had not actually tried setting http-basic, but it indeed also did not work. Although at that point, I still had the wrong pypi-token value configured, so it could be that Poetry preferred to use that.

I am still confused: Where is the configuration info stored for poetry config pypi-token.<repo name> and/or poetry config http-basic.<repo name>? Why don't I see any change in ~/.config/pypoetry/config.toml? Now that I appear to have it working with the new pypi-token config, how can I revoke the attempted http-basic information from... whereever it got stored?

[neersighted]

It's stored in auth.toml -- there's a bit of magical dynamic dispatch that tries to segregate credentials.

[zahlman]

I see that after configuring http-basic, an auth.toml was created, yes. However, it only seems to record a username. I assume the password is in some system keyring, as is the API token. How can I revoke these?

[neersighted]

You'll need to do it interactively -- poetry config --unset will work as you might expect.

[zahlman]

Looks good. I guess there is nothing more here besides what is in issue #3600, and the rest was ultimately my oversight, so I consider the matter resolved now.

[neersighted]

Issue #3600 is closed and you have a reproduction here -- I am keeping this open to track the trailing slash normalization enhancement.