Poetry config not using token correctly when reading from private PyPI #4803

Closed
3 tasks done
chrismbryant opened this issue Nov 20, 2021 · 5 comments
Labels
kind/bug Something isn't working as expected

Comments

@chrismbryant

  • I am on the latest Poetry version.
  • I have searched the issues of this repo and believe that this is not a duplicate.
  • If an exception occurs when executing a command, I executed it again in debug mode (-vvv option).
  • OS version and name: MacOS 12.0.1
  • Poetry version: 1.1.11
  • Link of a Gist with the contents of your pyproject.toml file:

Issue

I'm trying to install a library from a private PyPI, and I followed all the documented steps for setting my token using the following (note that the token must be in quotes because it contains non-alphanumeric characters, e.g. *):

poetry config pypi-token.pypi "<token>"

I supplied this in my pyproject.toml:

[[tool.poetry.source]]
name = "<redacted-org-name>"
url = "https://pypi.<redacted-org-name>.com/simple"

When I try to add a library from that repository, it fails with a 401 authorization error. However, it seems to start reading from the private PyPI before failing because it successfully fetched the latest version number and started "resolving dependencies" before failing. This false start only happens sometimes, though, and if I rerun the poetry add command, it fails straight away with the RepositoryError.

$ poetry add <redacted-repo-name>
Using version ^0.38.25 for <redacted-repo-name>

Updating dependencies
Resolving dependencies... (0.7s)

  RepositoryError

  401 Client Error: Unauthorized for url: https://pypi.<redacted-org-name>.com/simple/<redacted-repo-name>/

  at ~/Library/Application Support/pypoetry/venv/lib/python3.7/site-packages/poetry/repositories/legacy_repository.py:393 in _get
      389│             if response.status_code == 404:
      390│                 return
      391│             response.raise_for_status()
      392│         except requests.HTTPError as e:
    → 393│             raise RepositoryError(e)
      394│
      395│         if response.status_code in (401, 403):
      396│             self._log(
      397│                 "Authorization error accessing {url}".format(url=response.url),

I am sure the token is correct because the poetry add command does work when I supply this as my pyproject.toml instead:

[[tool.poetry.source]]
name = "<redacted-org-name>"
url = "https://read:<token>@pypi.<redacted-org-name>.com/simple"

This is not a viable long-term solution because if I include my raw token in the toml file, I cannot commit it.

For further context, I have also tried the following, all of which gave me the same error when running the poetry add command:

  • Supplying credentials via poetry config http-basic.pypi "read" "<token>"
  • Running poetry config repositories.pypi "https://pypi.<redacted-org-name>.com/simple"
  • Running poetry config repositories.pypi "https://read:<token>@pypi.<redacted-org-name>.com/simple"
  • Pasting the password into the auth.toml file manually (as suggested in Does not store repository credentials #4685)
  • Exporting environment variables using export POETRY_PYPI_TOKEN_PYPI="<token>", export POETRY_HTTP_BASIC_PYPI_USERNAME="read", and export POETRY_HTTP_BASIC_PYPI_PASSWORD="<token>"
  • Uninstalling and reinstalling poetry (ensuring that no other versions of poetry were installed on my machine).
  • Installing an older version of poetry (1.1.7).
  • Repeating the steps on another machine.

I'd appreciate any help here, since I have exhausted all the existing documentation I could find. Thanks!

@chrismbryant chrismbryant added kind/bug Something isn't working as expected status/triage This issue needs to be triaged labels Nov 20, 2021
@adsultana

Hi Chris, I think you just need to make a couple of tweaks to your config:

  1. PyPI tokens are only used for authenticating when publishing packages to an index. If you are just fetching a package, you need to use the http-basic.* config options instead.
  2. The auth tokens are namespaced by repository, i.e. http-basic.pypi corresponds to authentication for the default PyPI repository only. If you want to configure auth for a custom repository, you need to change .pypi to .<redacted-repo-name> as appropriate.

Putting these together, the following command should work:

poetry config http-basic.<redacted-repo-name> "read" "<token>"

@chrismbryant
Author

Thank you, @adsultana! This all stemmed from my misunderstanding of the term "repository". In my head, it was the code repository (the individual package; analogous to a GitHub repository), rather than the package repository (the repository holding many private packages). Changing http-basic.pypi to http-basic.<redacted-org-name> worked perfectly!

@abn abn removed the status/triage This issue needs to be triaged label Mar 3, 2022
@andreas-vester

Putting these together, the following command should work:

poetry config http-basic.<redacted-repo-name> "read" "<token>"

What do I need to do if I wanted to make this private repo become my primary source (equivalent to default = true in pyproject.toml)? I can't read from pypi.org at all due to a corporate firewall.

Also, can I completely omit the [[tool.poetry.source]] section in my pyproject.toml given I specified the repo in the config?

poetry config repositories.my_repo https://my_repo.com/simple

Otherwise, I can't commit it.

@mateusz91t

To sum up:

poetry source add --secondary <my_repo_name> https://my-repo-url/pypi/simple/

poetry config http-basic.<my_repo_name> "read" "<token>"

poetry add <my_repo_name>


This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 29, 2024