Fail with specific error message when no password on auth always (#12313)

This addresses a small part of #12280, namely when you have `authenticate` set to `always`, it will output a distinct error message for the case where you have a username but are missing a password.
2025-10-18 14:29:57 +00:00 · 2025-03-19 17:43:45 +01:00 · 2025-03-19 17:43:45 +01:00 · 615cd6e045
commit 615cd6e045
parent f7d9b0e2fa
2 changed files with 55 additions and 7 deletions
--- a/crates/uv-auth/src/middleware.rs
+++ b/crates/uv-auth/src/middleware.rs
@ -196,6 +196,7 @@ impl Middleware for AuthMiddleware {
                        extensions,
                        next,
                        &url,
+                        auth_policy,
                    )
                    .await;
            }
@ -212,7 +213,9 @@ impl Middleware for AuthMiddleware {
                // If it's fully authenticated, finish the request
                if credentials.password().is_some() {
                    trace!("Request for {url} is fully authenticated");
-                    return self.complete_request(None, request, extensions, next).await;
+                    return self
+                        .complete_request(None, request, extensions, next, auth_policy)
+                        .await;
                }

                // If we just found a username, we'll make the request then look for password elsewhere
@ -286,7 +289,7 @@ impl Middleware for AuthMiddleware {
                trace!("Retrying request for {url} with credentials from cache {credentials:?}");
                retry_request = credentials.authenticate(retry_request);
                return self
-                    .complete_request(None, retry_request, extensions, next)
+                    .complete_request(None, retry_request, extensions, next, auth_policy)
                    .await;
            }
        }
@ -300,7 +303,13 @@ impl Middleware for AuthMiddleware {
            retry_request = credentials.authenticate(retry_request);
            trace!("Retrying request for {url} with {credentials:?}");
            return self
-                .complete_request(Some(credentials), retry_request, extensions, next)
+                .complete_request(
+                    Some(credentials),
+                    retry_request,
+                    extensions,
+                    next,
+                    auth_policy,
+                )
                .await;
        }

@ -309,7 +318,7 @@ impl Middleware for AuthMiddleware {
                trace!("Retrying request for {url} with username from cache {credentials:?}");
                retry_request = credentials.authenticate(retry_request);
                return self
-                    .complete_request(None, retry_request, extensions, next)
+                    .complete_request(None, retry_request, extensions, next, auth_policy)
                    .await;
            }
        }
@ -334,13 +343,16 @@ impl AuthMiddleware {
        request: Request,
        extensions: &mut Extensions,
        next: Next<'_>,
+        auth_policy: AuthPolicy,
    ) -> reqwest_middleware::Result<Response> {
        let Some(credentials) = credentials else {
            // Nothing to insert into the cache if we don't have credentials
            return next.run(request, extensions).await;
        };
-
        let url = request.url().clone();
+        if matches!(auth_policy, AuthPolicy::Always) && credentials.password().is_none() {
+            return Err(Error::Middleware(format_err!("Missing password for {url}")));
+        }
        let result = next.run(request, extensions).await;

        // Update the cache with new credentials on a successful request
@ -363,6 +375,7 @@ impl AuthMiddleware {
        extensions: &mut Extensions,
        next: Next<'_>,
        url: &str,
+        auth_policy: AuthPolicy,
    ) -> reqwest_middleware::Result<Response> {
        let credentials = Arc::new(credentials);

@ -370,7 +383,7 @@ impl AuthMiddleware {
        if credentials.password().is_some() {
            trace!("Request for {url} is already fully authenticated");
            return self
-                .complete_request(Some(credentials), request, extensions, next)
+                .complete_request(Some(credentials), request, extensions, next, auth_policy)
                .await;
        }

@ -402,7 +415,7 @@ impl AuthMiddleware {
        };

        return self
-            .complete_request(credentials, request, extensions, next)
+            .complete_request(credentials, request, extensions, next, auth_policy)
            .await;
    }

--- a/crates/uv/tests/it/edit.rs
+++ b/crates/uv/tests/it/edit.rs
@ -10081,6 +10081,41 @@ fn add_auth_policy_always_without_credentials() -> Result<()> {
    Ok(())
 }

+/// In authentication "always", authenticated requests with a username but
+/// no discoverable password will fail.
+#[test]
+fn add_auth_policy_always_with_username_no_password() -> Result<()> {
+    let context = TestContext::new("3.12");
+
+    let pyproject_toml = context.temp_dir.child("pyproject.toml");
+    pyproject_toml.write_str(indoc! { r#"
+        [project]
+        name = "foo"
+        version = "1.0.0"
+        requires-python = ">=3.11, <4"
+        dependencies = []
+
+        [[tool.uv.index]]
+        name = "my-index"
+        url = "https://public@pypi.org/simple"
+        authenticate = "always"
+        default = true
+        "#
+    })?;
+
+    uv_snapshot!(context.add().arg("anyio"), @r"
+    success: false
+    exit_code: 2
+    ----- stdout -----
+
+    ----- stderr -----
+    error: Failed to fetch: `https://pypi.org/simple/anyio/`
+      Caused by: Missing password for https://pypi.org/simple/anyio/
+    "
+    );
+    Ok(())
+}
+
 /// In authentication "never", even if the correct credentials are supplied
 /// in the URL, no authenticated requests will be allowed.
 #[test]