Conversation
There was a problem hiding this comment.
Using the netrc file is the more correct tool for authenticating tarball downloads rather than just guessing on access token formatting, but that also will only handle HTTP basic auth, not bearer tokens
If we need to authenticate with specific APIs instead of generalized builtins.fetchTarball downloads, then I believe builtins.fetchTree is the better tool for the job and already will authenticate with the given input type (and we should probably consider moving usage of builtins.fetchTarball that is giving us issues to that before making API-specific changes to non-API functions)
I also worry this change might cause libcurl not to use the netrc if an access-token is defined for a host, but that admittedly might be a niche case that won't affect us
| auto & host = parsedUrl.authority->host; | ||
| auto tokens = settings.accessTokens.get(); | ||
| if (auto token = get(tokens, host)) { | ||
| headers.push_back({"Authorization", fmt("token %s", *token)}); |
There was a problem hiding this comment.
GitHub supports Authorization: Bearer[1] so for more generalized support (since most forges require that), we should use Bearer
| headers.push_back({"Authorization", fmt("token %s", *token)}); | |
| headers.push_back({"Authorization", fmt("Bearer %s", *token)}); |
2 participants
Fix auth headers