Retain passwords in Git URLs (#1717)

Fixes handling of GitHub PATs in HTTPS URLs, which were otherwise
dropped. We now support the following authentication schemes:

```
git+https://<user>:<token>/...
git+https://<token>/...
```

On Windows, the username is required. We can consider adding a
special-case for this in the future, but this just matches libgit2's
behavior.

I tested with fine-grained tokens, OAuth tokens, and "classic" tokens.
There's test coverage for fine-grained tokens in CI where we use a real
private repository and PAT. Yes, the PAT is committed to make this test
usable by anyone. It has read-only permissions to the single repository,
expires Feb 1 2025, and is in an isolated organization and GitHub
account.

Does not yet address SSH authentication.

Related:
- https://github.com/astral-sh/uv/issues/1514
- https://github.com/astral-sh/uv/issues/1452
Zanie Blue 2024-02-20 18:12:56 -06:00 committed by GitHub
parent 2e60c1d734
commit d07b587f3f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
6 changed files with 161 additions and 5 deletions

@ -109,8 +109,12 @@ impl RepositoryUrl {
// If a Git URL ends in a reference (like a branch, tag, or commit), remove it.
if url.scheme().starts_with("git+") {
if let Some((prefix, _)) = url.as_str().rsplit_once('@') {
url = prefix.parse().unwrap();
if let Some(prefix) = url
.path()
.rsplit_once('@')
.map(|(prefix, _suffix)| prefix.to_string())
{
url.set_path(&prefix);
}
}
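
Review bot: `url.path().rsplit_once('@')` splits at the last `@` anywhere in the path, not only in the final segment, so a constructed path such as `/org@x/repo` with no trailing reference would be cut down to `/org`. Consider applying the split to the last path segment only, or documenting that `@` is not supported in earlier segments. The comment above the `if` should also say that the reference is looked for in the path alone, so that the `user:token@` userinfo is left intact. A test for a credentialed URL with no trailing reference would pin the case where the earlier `url.as_str().rsplit_once('@')` cut the URL at the userinfo separator and then called `unwrap()` on the re-parse.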