fix: resolve registry auth tokens for cargo upgrade #960

Open
r0wdiggity wants to merge 2 commits into killercup:master from r0wdiggity:fix/registry-auth-token

r0wdiggity commented May 15, 2026

Summary

cargo upgrade in 0.13.10 fails with 401 Unauthorized when dependencies come from private registries (e.g. AWS CodeArtifact) because tame_index's reqwest client never reads auth tokens from any of Cargo's token sources.

This PR adds token resolution that checks (in priority order):

  1. Environment variable CARGO_REGISTRIES_<NAME>_TOKEN
  2. credentials.toml
  3. credential-provider command (cargo:token-from-stdout)
  4. token field in config.toml

It also fixes two related issues:

  • Dependencies using the default registry with source replacement (replace-with) were skipped entirely because they have no explicit registry source
  • Tokens are cached per registry to avoid repeated credential-provider command invocations

Fixes #931

Changes

  • src/registry.rs: Add registry_token(), resolve_registry_name(), read_config_auth(), read_credentials_token(), run_credential_command() + 18 unit tests
  • src/index.rs: Add token storage to IndexCache and inject Authorization header in RemoteIndex::krate()
  • src/bin/upgrade/upgrade.rs: Wire up token resolution with per-registry caching
  • Cargo.toml: Add tempfile dev dependency for tests

Testing

  • 18 new unit tests covering all token resolution paths, precedence rules, source replacement, hyphenated registry names, and local config precedence over global
  • Verified end-to-end against AWS CodeArtifact private registry with credential-provider = "cargo:token-from-stdout aws codeartifact get-authorization-token ..."

This PR was written with the assistance of Claude

r0wdiggity force-pushed the fix/registry-auth-token branch from 7bcfe2c to b975138 on May 15, 2026 18:40

cargo-edit 0.13.10 uses tame_index with its own reqwest client that
never reads auth tokens from Cargo's credential-provider, credentials.toml,
or environment variables. This causes 401 Unauthorized errors when
upgrading dependencies from private registries (e.g. AWS CodeArtifact).

This commit:
- Adds registry_token() to resolve tokens from env vars, credentials.toml,
  credential-provider commands, and config.toml (in priority order)
- Injects resolved tokens into RemoteIndex Authorization headers
- Treats dependencies with no explicit source as default registry deps,
  so source-replaced crates-io deps are also authenticated
- Caches tokens per registry to avoid repeated credential-provider calls

Fixes killercup#931

r0wdiggity force-pushed the fix/registry-auth-token branch from b975138 to ff8583c on May 15, 2026 18:41
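
The lookup order and per-registry caching listed in the PR description, as an added Rust example that is not code from this PR or from cargo-edit. The `Sources` struct, `clean`, `resolve` and the pre-parsed maps are hypothetical names; trimming whitespace and skipping empty values are assumptions.

```rust
use std::collections::HashMap;

/// Already-parsed token sources (hypothetical struct, not cargo-edit's own types).
pub struct Sources<'a> {
    pub env: &'a HashMap<String, String>,         // snapshot of the process environment
    pub credentials: &'a HashMap<String, String>, // credentials.toml: registry -> token
    pub provider: Option<&'a dyn Fn(&str) -> Option<String>>, // credential-provider command
    pub config: &'a HashMap<String, String>,      // config.toml: registry -> token
}

/// CARGO_REGISTRIES_<NAME>_TOKEN: upper-case the registry name, map '-' to '_'.
pub fn env_var_name(registry: &str) -> String {
    format!("CARGO_REGISTRIES_{}_TOKEN", registry.to_uppercase().replace('-', "_"))
}

/// Assumption: trim whitespace (command output ends in a newline) and treat empty as absent.
fn clean(t: Option<&String>) -> Option<String> {
    t.map(|t| t.trim().to_string()).filter(|t| !t.is_empty())
}

/// Resolve in the order the PR description lists. Results are cached under the
/// registry name, so the provider runs at most once per registry and a token
/// resolved for one registry is never handed to another.
pub fn resolve(registry: &str, s: &Sources, cache: &mut HashMap<String, Option<String>>) -> Option<String> {
    if let Some(hit) = cache.get(registry) {
        return hit.clone();
    }
    let token = clean(s.env.get(&env_var_name(registry)))
        .or_else(|| clean(s.credentials.get(registry)))
        .or_else(|| clean(s.provider.and_then(|run| run(registry)).as_ref()))
        .or_else(|| clean(s.config.get(registry)));
    cache.insert(registry.to_string(), token.clone());
    token
}

fn main() {
    // Constructed sample values, not real credentials.
    let env = HashMap::from([(env_var_name("my-reg"), "env-token".to_string())]);
    let empty = HashMap::new();
    let s = Sources { env: &env, credentials: &empty, provider: None, config: &empty };
    let mut cache = HashMap::new();
    // Report only whether a token was found; never print the secret itself.
    println!("{:?}", resolve("my-reg", &s, &mut cache).map(|_| "<redacted>"));
}
```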

Development

Successfully merging this pull request may close these issues.

cargo upgrade returns 401 consistently even after changing registry token
