Properly handle authentication for 302 redirect URLs #12920
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
konstin
approved these changes
Apr 16, 2025
Member
konstin
left a comment
There was a problem hiding this comment.
Looks good!
I've added some personal taste style comments and some real review comment, i've put a star on the latter ones to differentiate.
crates/uv-client/src/base_client.rs
Outdated
|
|
||
| /// Executes a request. If a 302 response is encountered, tries the request again through | ||
| /// the entire middleware pipeline with the redirect URL from the 302. | ||
| pub async fn execute_with_redirect_handling( |
Member
There was a problem hiding this comment.
(*) How did you decide which callers use execute_with_redirect_handling and which use for_host?
Contributor
Author
There was a problem hiding this comment.
I was trying to avoid covering too much of the reqwest surface area in this PR, but on reflection I think it is too easy to do the wrong thing when building requests (in particular, to accidentally circumvent the redirect policy). I've refactored to store RedirectClientWithMiddleware on BaseClient and to wrap reqwest_middleware::RequestBuilder to ensure that the configured redirect policy is applied consistently.
zanieb
added a commit
that referenced
this pull request
Apr 22, 2025
See https://github.com/astral-sh/uv/actions/runs/14583501775/job/40904734786?pr=13034 cc @jtfmumm I'm not sure why this changed in #12920 but please be careful of snapshots with the uv version. We might want to filter that out. cc @konstin regarding if there are less brittle ways snapshot here.
zanieb
added a commit
that referenced
this pull request
Apr 22, 2025
tmeijn
pushed a commit
to tmeijn/dotfiles
that referenced
this pull request
Apr 26, 2025
This MR contains the following updates: | Package | Update | Change | |---|---|---| | [astral-sh/uv](https://github.com/astral-sh/uv) | patch | `0.6.11` -> `0.6.16` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>astral-sh/uv (astral-sh/uv)</summary> ### [`v0.6.16`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0616) [Compare Source](astral-sh/uv@0.6.15...0.6.16) ##### Bug fixes - Revert "Properly handle authentication for 302 redirect URLs" ([#​13041](astral-sh/uv#13041)) ### [`v0.6.15`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0615) [Compare Source](astral-sh/uv@0.6.14...0.6.15) This release includes preliminary support for the `pylock.toml` file format, as standardized in [PEP 751](https://peps.python.org/pep-0751/). `pylock.toml` is an alternative resolution output format intended to replace `requirements.txt` (e.g., in the context of `uv pip compile`, whereby a "locked" `requirements.txt` file is generated from a set of input requirements). `pylock.toml` is standardized and tool-agnostic, such that in the future, `pylock.toml` files generated by uv could be installed by other tools, and vice versa. As of this release, `pylock.toml` is supported in the following commands: - To export a `uv.lock` to the `pylock.toml` format, run: `uv export -o pylock.toml` - To generate a `pylock.toml` file from a set of requirements, run: `uv pip compile -o pylock.toml -r requirements.in` - To install from a `pylock.toml` file, run: `uv pip sync pylock.toml` or `uv pip install -r pylock.toml` ##### Enhancements - Add PEP 751 support to `uv pip compile` ([#​13019](astral-sh/uv#13019)) - Add `uv export` support for PEP 751 ([#​12955](astral-sh/uv#12955)) - Accept `requirements.txt` (verbatim) as a format on the CLI ([#​12957](astral-sh/uv#12957)) - Add `UV_NO_EDITABLE` environment variable to set `--no-editable` on all invocations ([#​12773](astral-sh/uv#12773)) - Add `pylock.toml` to `uv pip install` and `uv pip sync` ([#​12992](astral-sh/uv#12992)) - Add a brief sleep before sending `SIGINT` to child processes ([#​13018](astral-sh/uv#13018)) - Add upload time to `uv.lock` ([#​12968](astral-sh/uv#12968)) - Allow updating Git sources by name ([#​12897](astral-sh/uv#12897)) - Cache `which git` in `uv init` ([#​12893](astral-sh/uv#12893)) - Enable `--dry-run` with `--locked` / `--frozen` for `uv sync` ([#​12778](astral-sh/uv#12778)) - Infer output type in `uv export` ([#​12958](astral-sh/uv#12958)) - Make `uv init` resilient against broken git ([#​12895](astral-sh/uv#12895)) - Respect build constraints for `uv run --with` dependencies ([#​12882](astral-sh/uv#12882)) - Split UV_INDEX on all whitespace ([#​12820](astral-sh/uv#12820)) - Support build constraints in `uv tool` and PEP723 scripts. ([#​12842](astral-sh/uv#12842)) - Use suffix from `uvx` binary when searching for uv binary ([#​12923](astral-sh/uv#12923)) - Update version formatting to use cyan color ([#​12943](astral-sh/uv#12943)) - Add debug logs for version file search ([#​12951](astral-sh/uv#12951)) - Fix `SourceNotAllowed` error message during Python discovery ([#​13012](astral-sh/uv#13012)) - Obfuscate password in credentials debug messages ([#​12944](astral-sh/uv#12944)) - Obfuscate possible tokens in URL logs ([#​12969](astral-sh/uv#12969)) - Validate that PEP 751 entries don't include multiple sources ([#​12993](astral-sh/uv#12993)) ##### Preview features - Build backend: Add reference docs and schema ([#​12803](astral-sh/uv#12803)) ##### Bug fixes - Align supported `config-settings` with example in docs ([#​12947](astral-sh/uv#12947)) - Ensure virtual environment is compatible with interpreter on sync ([#​12884](astral-sh/uv#12884)) - Fix `PythonDownloadRequest` parsing for partial keys ([#​12925](astral-sh/uv#12925)) - Fix pre-release exclusive comparison operator in `uv-pep440` ([#​12836](astral-sh/uv#12836)) - Forward additional signals to the child process in `uv run` ([#​13017](astral-sh/uv#13017)) - Omit PEP 751 version for source trees ([#​13030](astral-sh/uv#13030)) - Patch `CC` and `CCX` entries in sysconfig for cross-compiled `aarch64` Python distributions ([#​12239](astral-sh/uv#12239)) - Properly handle authentication for HTTP 302 redirect URLs ([#​12920](astral-sh/uv#12920)) - Set 4MB stack size for all threads, introduce `UV_STACK_SIZE` ([#​12839](astral-sh/uv#12839)) - Show PyPy downloads during `uv python list` ([#​12915](astral-sh/uv#12915)) - Add `subdirectory` to Direct URL for local directories ([#​12971](astral-sh/uv#12971)) - Prefer stable releases over pre-releases in `uv python install` ([#​12194](astral-sh/uv#12194)) - Write requested Python variant to pin file in `uv init` ([#​12870](astral-sh/uv#12870)) ##### Documentation - Fix CLI reference with code block ([#​12807](astral-sh/uv#12807)) - Fix lockfile note ([#​12793](astral-sh/uv#12793)) - Fix typo in a reference ([#​12858](astral-sh/uv#12858)) - Improve docs for `uv python list --only-downloads` and `--only-installed` ([#​12916](astral-sh/uv#12916)) - Update note on lack of musl distributions to ARM-only ([#​12825](astral-sh/uv#12825)) - Add section on shebangs for scripts ([#​11553](astral-sh/uv#11553)) - Display aliases for long and short args in the CLI reference ([#​12824](astral-sh/uv#12824)) - Fix highlight line in explicit index documentation ([#​12887](astral-sh/uv#12887)) - Add explicit source (matching PyTorch guide) ([#​12844](astral-sh/uv#12844)) - Fix link to issue ([#​12823](astral-sh/uv#12823)) - Fix grammatical error in FastAPI guide ([#​12908](astral-sh/uv#12908)) - Add `--locked` to `uv sync` in GitHub Actions guide ([#​12819](astral-sh/uv#12819)) - Improve formatting for `"all"` `default-groups` setting documentation ([#​12963](astral-sh/uv#12963)) - Replace `--frozen` with `--locked` in Docker integration guide ([#​12818](astral-sh/uv#12818)) ### [`v0.6.14`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0614) [Compare Source](astral-sh/uv@0.6.13...0.6.14) ##### Python versions The following Python versions have been added: - CPython 3.13.3 - CPython 3.12.10 - CPython 3.11.12 - CPython 3.10.17 - CPython 3.9.22 See the [`python-build-standalone` release notes](https://github.com/astral-sh/python-build-standalone/releases/tag/20250409) for more details. ##### Enhancements - Add `uv-build` and `uv_build` aliases to `uv init --build-backend` ([#​12776](astral-sh/uv#12776)) - Emit dedicated error message for Conda `environment.yml` files ([#​12669](astral-sh/uv#12669)) ##### Preview features - Build backend: Check module dir exists for sdist build ([#​12779](astral-sh/uv#12779)) - Build backend: Fix sdist with long directories ([#​12764](astral-sh/uv#12764)) ##### Performance - Avoid querying GitHub on repeated install invocations ([#​12767](astral-sh/uv#12767)) ##### Bug fixes - Error when `tool.uv.sources` is set in system-level configuration file ([#​12757](astral-sh/uv#12757)) - Split workspace members onto their own lines in `uv init` ([#​12756](astral-sh/uv#12756)) ##### Documentation - Add lockfile note about PEP 751 ([#​12732](astral-sh/uv#12732)) - Extend the reference documentation for `uv pip sync` ([#​12683](astral-sh/uv#12683)) - Fix mismatched pip interface header / nav titles ([#​12640](astral-sh/uv#12640)) ### [`v0.6.13`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0613) [Compare Source](astral-sh/uv@0.6.12...0.6.13) ##### Enhancements - Add `--show-version` to `uv python find` ([#​12376](astral-sh/uv#12376)) - Remove `--no-config` warning from `uv pip compile` and `uv pip sync` ([#​12642](astral-sh/uv#12642)) - Skip repeated directories in `PATH` when searching for Python interpreters ([#​12367](astral-sh/uv#12367)) - Unset `SCRIPT_PATH` in relocatable activation script ([#​12672](astral-sh/uv#12672)) - Add `UV_PYTHON_DOWNLOADS_JSON_URL` to set custom managed python sources ([#​10939](astral-sh/uv#10939)) - Reject `pyproject.toml` files in `uv pip compile -o` ([#​12673](astral-sh/uv#12673)) - Respect the `--offline` flag for Git operations ([#​12619](astral-sh/uv#12619)) ##### Bug fixes - Warn instead of error if CRC appears to be missing ([#​12722](astral-sh/uv#12722)) - Avoid infinite loop in `uv export` with conflicts ([#​12726](astral-sh/uv#12726)) ##### Rust API - Update MSRV to 1.84 ([#​12670](astral-sh/uv#12670)) ### [`v0.6.12`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0612) [Compare Source](astral-sh/uv@0.6.11...0.6.12) ##### Enhancements - Report the queried executable path in `uv python list` ([#​12628](astral-sh/uv#12628)) - Improve archive unpack error messages ([#​12627](astral-sh/uv#12627)) ##### Bug fixes - Respect `authenticate` when using `explicit = true` ([#​12631](astral-sh/uv#12631)) - Normalize extra and group names in `uv add` and `uv remove` ([#​12586](astral-sh/uv#12586)) - Enforce CRC-32 checks when unpacking archives ([#​12623](astral-sh/uv#12623)) - Fix parsing of `python-platform` in settings files ([#​12592](astral-sh/uv#12592)) ##### Documentation - Add note about `uv build` to `package = false` ([#​12608](astral-sh/uv#12608)) - Add index fallback note to `authenticate = always` documentation ([#​12498](astral-sh/uv#12498)) - Fix invalid 'kind' reference in flat index docs ([#​12583](astral-sh/uv#12583)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yNTEuMCIsInVwZGF0ZWRJblZlciI6IjM5LjI1My41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiXX0=-->
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this pull request
Apr 29, 2025
## 0.6.17 ### Preview features - Add PyTorch v2.7.0 to GPU backend ([#13072](astral-sh/uv#13072)) ### Bug fixes - Avoid panic for invalid Python versions ([#13077](astral-sh/uv#13077)) - Block scripts from overwriting `python` ([#13051](astral-sh/uv#13051)) - Check distribution names to handle invalid redirects ([#12917](astral-sh/uv#12917)) - Check for mismatched package and distribution names on resolver thread ([#13088](astral-sh/uv#13088)) - Fix panic with invalid last character in PEP 508 name ([#13105](astral-sh/uv#13105)) - Reject `requires-python` even if not listed on the index page ([#13086](astral-sh/uv#13086)) ## 0.6.16 ### Bug fixes - Revert "Properly handle authentication for 302 redirect URLs" ([#13041](astral-sh/uv#13041)) ## 0.6.15 This release includes preliminary support for the `pylock.toml` file format, as standardized in [PEP 751](https://peps.python.org/pep-0751/). `pylock.toml` is an alternative resolution output format intended to replace `requirements.txt` (e.g., in the context of `uv pip compile`, whereby a "locked" `requirements.txt` file is generated from a set of input requirements). `pylock.toml` is standardized and tool-agnostic, such that in the future, `pylock.toml` files generated by uv could be installed by other tools, and vice versa. As of this release, `pylock.toml` is supported in the following commands: - To export a `uv.lock` to the `pylock.toml` format, run: `uv export -o pylock.toml` - To generate a `pylock.toml` file from a set of requirements, run: `uv pip compile -o pylock.toml -r requirements.in` - To install from a `pylock.toml` file, run: `uv pip sync pylock.toml` or `uv pip install -r pylock.toml` ### Enhancements - Add PEP 751 support to `uv pip compile` ([#13019](astral-sh/uv#13019)) - Add `uv export` support for PEP 751 ([#12955](astral-sh/uv#12955)) - Accept `requirements.txt` (verbatim) as a format on the CLI ([#12957](astral-sh/uv#12957)) - Add `UV_NO_EDITABLE` environment variable to set `--no-editable` on all invocations ([#12773](astral-sh/uv#12773)) - Add `pylock.toml` to `uv pip install` and `uv pip sync` ([#12992](astral-sh/uv#12992)) - Add a brief sleep before sending `SIGINT` to child processes ([#13018](astral-sh/uv#13018)) - Add upload time to `uv.lock` ([#12968](astral-sh/uv#12968)) - Allow updating Git sources by name ([#12897](astral-sh/uv#12897)) - Cache `which git` in `uv init` ([#12893](astral-sh/uv#12893)) - Enable `--dry-run` with `--locked` / `--frozen` for `uv sync` ([#12778](astral-sh/uv#12778)) - Infer output type in `uv export` ([#12958](astral-sh/uv#12958)) - Make `uv init` resilient against broken git ([#12895](astral-sh/uv#12895)) - Respect build constraints for `uv run --with` dependencies ([#12882](astral-sh/uv#12882)) - Split UV_INDEX on all whitespace ([#12820](astral-sh/uv#12820)) - Support build constraints in `uv tool` and PEP723 scripts. ([#12842](astral-sh/uv#12842)) - Use suffix from `uvx` binary when searching for uv binary ([#12923](astral-sh/uv#12923)) - Update version formatting to use cyan color ([#12943](astral-sh/uv#12943)) - Add debug logs for version file search ([#12951](astral-sh/uv#12951)) - Fix `SourceNotAllowed` error message during Python discovery ([#13012](astral-sh/uv#13012)) - Obfuscate password in credentials debug messages ([#12944](astral-sh/uv#12944)) - Obfuscate possible tokens in URL logs ([#12969](astral-sh/uv#12969)) - Validate that PEP 751 entries don't include multiple sources ([#12993](astral-sh/uv#12993)) ### Preview features - Build backend: Add reference docs and schema ([#12803](astral-sh/uv#12803)) ### Bug fixes - Align supported `config-settings` with example in docs ([#12947](astral-sh/uv#12947)) - Ensure virtual environment is compatible with interpreter on sync ([#12884](astral-sh/uv#12884)) - Fix `PythonDownloadRequest` parsing for partial keys ([#12925](astral-sh/uv#12925)) - Fix pre-release exclusive comparison operator in `uv-pep440` ([#12836](astral-sh/uv#12836)) - Forward additional signals to the child process in `uv run` ([#13017](astral-sh/uv#13017)) - Omit PEP 751 version for source trees ([#13030](astral-sh/uv#13030)) - Patch `CC` and `CCX` entries in sysconfig for cross-compiled `aarch64` Python distributions ([#12239](astral-sh/uv#12239)) - Properly handle authentication for HTTP 302 redirect URLs ([#12920](astral-sh/uv#12920)) - Set 4MB stack size for all threads, introduce `UV_STACK_SIZE` ([#12839](astral-sh/uv#12839)) - Show PyPy downloads during `uv python list` ([#12915](astral-sh/uv#12915)) - Add `subdirectory` to Direct URL for local directories ([#12971](astral-sh/uv#12971)) - Prefer stable releases over pre-releases in `uv python install` ([#12194](astral-sh/uv#12194)) - Write requested Python variant to pin file in `uv init` ([#12870](astral-sh/uv#12870)) ### Documentation - Fix CLI reference with code block ([#12807](astral-sh/uv#12807)) - Fix lockfile note ([#12793](astral-sh/uv#12793)) - Fix typo in a reference ([#12858](astral-sh/uv#12858)) - Improve docs for `uv python list --only-downloads` and `--only-installed` ([#12916](astral-sh/uv#12916)) - Update note on lack of musl distributions to ARM-only ([#12825](astral-sh/uv#12825)) - Add section on shebangs for scripts ([#11553](astral-sh/uv#11553)) - Display aliases for long and short args in the CLI reference ([#12824](astral-sh/uv#12824)) - Fix highlight line in explicit index documentation ([#12887](astral-sh/uv#12887)) - Add explicit source (matching PyTorch guide) ([#12844](astral-sh/uv#12844)) - Fix link to issue ([#12823](astral-sh/uv#12823)) - Fix grammatical error in FastAPI guide ([#12908](astral-sh/uv#12908)) - Add `--locked` to `uv sync` in GitHub Actions guide ([#12819](astral-sh/uv#12819)) - Improve formatting for `"all"` `default-groups` setting documentation ([#12963](astral-sh/uv#12963)) - Replace `--frozen` with `--locked` in Docker integration guide ([#12818](astral-sh/uv#12818))
jtfmumm
added a commit
that referenced
this pull request
Jun 18, 2025
…ble (#13754) This PR factors out and updates the redirect handling logic from #13595. It handles a few new cases: * If a 303 redirect is received for any method other than GET or HEAD, converts it to a GET. Unlike `reqwest`, it does not do this conversion for 301s or 302s (which is not required by RFC 7231 and was not the original intention of the spec). * If the original request did not have a Referer header, does not include a Referer header in the redirect request. * If the redirect is a cross-origin request, removes sensitive headers to avoid leaking credentials to untrusted domains. * * This change had the side effect of breaking mock server tests that redirected from `localhost` to `pypi-proxy.fly.dev`. I have added a `CrossOriginCredentialsPolicy` enum with a `#[cfg(test)]`-only `Insecure` variant. This allows existing tests to continue to work while still making it impossible to propagate credentials on cross-origin requests outside of tests. * * I've updated the main redirect integration test to check if cross-origin requests fail (there is, by design, no way to configure an insecure cross-origin policy from the command line). But critically, netrc credentials for the new location can still be successfully fetched on a cross-origin redirect (tested in `pip_install_redirect_with_netrc_cross_origin`). * One of the goals of the refactor was to make the redirect handling logic unit-testable. This PR adds a number of unit tests checking things like proper propagation of credentials on redirects on the same domain (and removal on cross-origin) and HTTP 303 POST-to-GET conversion. The following table illustrates the different behaviors on current `main`, the initial (reverted) redirect handling PR (#12920), the PR that restores #12920 and fixes the 303s bug (#13595), and this PR (#13754). We want to propagate credentials on same-origin but not cross-origin redirects, and we want to look up netrc credentials on redirects. | Behavior | main | reverted #12920 | fix #13595 | update #13754 | |---------------------------------------|------|--------------|-------------|----------------| | Propagate credentials on same-origin redirects | No | Yes | Yes | Yes | | Propagate credentials on cross-origin redirects | No | Yes | Yes | No | | Look up netrc credentials on redirects | No | Yes | Yes | Yes | | Handle 303s without failing | Yes | No | Yes | Yes | Depends on #13595.
jtfmumm
added a commit
that referenced
this pull request
Jun 18, 2025
…ble (#13754) This PR factors out and updates the redirect handling logic from #13595. It handles a few new cases: * If a 303 redirect is received for any method other than GET or HEAD, converts it to a GET. Unlike `reqwest`, it does not do this conversion for 301s or 302s (which is not required by RFC 7231 and was not the original intention of the spec). * If the original request did not have a Referer header, does not include a Referer header in the redirect request. * If the redirect is a cross-origin request, removes sensitive headers to avoid leaking credentials to untrusted domains. * * This change had the side effect of breaking mock server tests that redirected from `localhost` to `pypi-proxy.fly.dev`. I have added a `CrossOriginCredentialsPolicy` enum with a `#[cfg(test)]`-only `Insecure` variant. This allows existing tests to continue to work while still making it impossible to propagate credentials on cross-origin requests outside of tests. * * I've updated the main redirect integration test to check if cross-origin requests fail (there is, by design, no way to configure an insecure cross-origin policy from the command line). But critically, netrc credentials for the new location can still be successfully fetched on a cross-origin redirect (tested in `pip_install_redirect_with_netrc_cross_origin`). * One of the goals of the refactor was to make the redirect handling logic unit-testable. This PR adds a number of unit tests checking things like proper propagation of credentials on redirects on the same domain (and removal on cross-origin) and HTTP 303 POST-to-GET conversion. The following table illustrates the different behaviors on current `main`, the initial (reverted) redirect handling PR (#12920), the PR that restores #12920 and fixes the 303s bug (#13595), and this PR (#13754). We want to propagate credentials on same-origin but not cross-origin redirects, and we want to look up netrc credentials on redirects. | Behavior | main | reverted #12920 | fix #13595 | update #13754 | |---------------------------------------|------|--------------|-------------|----------------| | Propagate credentials on same-origin redirects | No | Yes | Yes | Yes | | Propagate credentials on cross-origin redirects | No | Yes | Yes | No | | Look up netrc credentials on redirects | No | Yes | Yes | Yes | | Handle 303s without failing | Yes | No | Yes | Yes | Depends on #13595.
jtfmumm
added a commit
that referenced
this pull request
Jun 18, 2025
…ble (#13754) This PR factors out and updates the redirect handling logic from #13595. It handles a few new cases: * If a 303 redirect is received for any method other than GET or HEAD, converts it to a GET. Unlike `reqwest`, it does not do this conversion for 301s or 302s (which is not required by RFC 7231 and was not the original intention of the spec). * If the original request did not have a Referer header, does not include a Referer header in the redirect request. * If the redirect is a cross-origin request, removes sensitive headers to avoid leaking credentials to untrusted domains. * * This change had the side effect of breaking mock server tests that redirected from `localhost` to `pypi-proxy.fly.dev`. I have added a `CrossOriginCredentialsPolicy` enum with a `#[cfg(test)]`-only `Insecure` variant. This allows existing tests to continue to work while still making it impossible to propagate credentials on cross-origin requests outside of tests. * * I've updated the main redirect integration test to check if cross-origin requests fail (there is, by design, no way to configure an insecure cross-origin policy from the command line). But critically, netrc credentials for the new location can still be successfully fetched on a cross-origin redirect (tested in `pip_install_redirect_with_netrc_cross_origin`). * One of the goals of the refactor was to make the redirect handling logic unit-testable. This PR adds a number of unit tests checking things like proper propagation of credentials on redirects on the same domain (and removal on cross-origin) and HTTP 303 POST-to-GET conversion. The following table illustrates the different behaviors on current `main`, the initial (reverted) redirect handling PR (#12920), the PR that restores #12920 and fixes the 303s bug (#13595), and this PR (#13754). We want to propagate credentials on same-origin but not cross-origin redirects, and we want to look up netrc credentials on redirects. | Behavior | main | reverted #12920 | fix #13595 | update #13754 | |---------------------------------------|------|--------------|-------------|----------------| | Propagate credentials on same-origin redirects | No | Yes | Yes | Yes | | Propagate credentials on cross-origin redirects | No | Yes | Yes | No | | Look up netrc credentials on redirects | No | Yes | Yes | Yes | | Handle 303s without failing | Yes | No | Yes | Yes | Depends on #13595.
jtfmumm
added a commit
that referenced
this pull request
Jun 19, 2025
…ble (#13754) This PR factors out and updates the redirect handling logic from #13595. It handles a few new cases: * If a 303 redirect is received for any method other than GET or HEAD, converts it to a GET. Unlike `reqwest`, it does not do this conversion for 301s or 302s (which is not required by RFC 7231 and was not the original intention of the spec). * If the original request did not have a Referer header, does not include a Referer header in the redirect request. * If the redirect is a cross-origin request, removes sensitive headers to avoid leaking credentials to untrusted domains. * * This change had the side effect of breaking mock server tests that redirected from `localhost` to `pypi-proxy.fly.dev`. I have added a `CrossOriginCredentialsPolicy` enum with a `#[cfg(test)]`-only `Insecure` variant. This allows existing tests to continue to work while still making it impossible to propagate credentials on cross-origin requests outside of tests. * * I've updated the main redirect integration test to check if cross-origin requests fail (there is, by design, no way to configure an insecure cross-origin policy from the command line). But critically, netrc credentials for the new location can still be successfully fetched on a cross-origin redirect (tested in `pip_install_redirect_with_netrc_cross_origin`). * One of the goals of the refactor was to make the redirect handling logic unit-testable. This PR adds a number of unit tests checking things like proper propagation of credentials on redirects on the same domain (and removal on cross-origin) and HTTP 303 POST-to-GET conversion. The following table illustrates the different behaviors on current `main`, the initial (reverted) redirect handling PR (#12920), the PR that restores #12920 and fixes the 303s bug (#13595), and this PR (#13754). We want to propagate credentials on same-origin but not cross-origin redirects, and we want to look up netrc credentials on redirects. | Behavior | main | reverted #12920 | fix #13595 | update #13754 | |---------------------------------------|------|--------------|-------------|----------------| | Propagate credentials on same-origin redirects | No | Yes | Yes | Yes | | Propagate credentials on cross-origin redirects | No | Yes | Yes | No | | Look up netrc credentials on redirects | No | Yes | Yes | Yes | | Handle 303s without failing | Yes | No | Yes | Yes | Depends on #13595.
jtfmumm
added a commit
that referenced
this pull request
Jun 20, 2025
…ts (#14126) This PR is a combination of #12920 and #13754. Prior to these changes, following a redirect when searching indexes would bypass our authentication middleware. This PR updates uv to support propagating credentials through our middleware on same-origin redirects and to support netrc credentials for both same- and cross-origin redirects. It does not handle the case described in #11097 where the redirect location itself includes credentials (e.g., `https://user:pass@redirect-location.com`). That will be addressed in follow-up work. This includes unit tests for the new redirect logic and integration tests for credential propagation. The automated external registries test is also passing for AWS CodeArtifact, Azure Artifacts, GCP Artifact Registry, JFrog Artifactory, GitLab, Cloudsmith, and Gemfury.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
uv was failing to authenticate on 302 redirects when credentials were available. This was because it was relying on
reqwest_middleware's default redirect behavior which bypasses the middleware pipeline when trying the redirect request (and hence bypasses our authentication middleware). This PR updates uv to retrigger the middleware pipeline when handling a 302 redirect, correctly using credentials from the URL, the keyring, or.netrc.Closes #5595
Closes #11097