Retain authentication when making range requests (#1902)

Needs https://github.com/prefix-dev/async_http_range_reader/pull/9
Closes https://github.com/astral-sh/uv/issues/1709

Cargo.lock

@@ -203,9 +203,9 @@ dependencies = [
 
 [[package]]
 name = "async_http_range_reader"
-version = "0.6.1"
+version = "0.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5143aaae4ec035a5d7cfda666eab896fe5428a2a8ab09ca651a2dce3a8f06912"
+checksum = "cf8eeab30c68da4dc2c51f3afc4327ab06fe0f3f028ca423f7ca398c7ed8c5e7"
 dependencies = [
  "bisection",
  "futures",

Cargo.toml

@@ -21,7 +21,7 @@ anstream = { version = "0.6.5" }
 anyhow = { version = "1.0.79" }
 async-compression = { version = "0.4.6" }
 async-trait = { version = "0.1.77" }
-async_http_range_reader = { version = "0.6.1" }
+async_http_range_reader = { version = "0.7.0" }
 async_zip = { git = "https://github.com/charliermarsh/rs-async-zip", rev = "d76801da0943de985254fc6255c0e476b57c5836", features = ["deflate"] }
 base64 = { version = "0.21.7" }
 cachedir = { version = "0.3.1" }

crates/uv-client/src/registry_client.rs

@@ -7,6 +7,7 @@ use std::str::FromStr;
 use async_http_range_reader::AsyncHttpRangeReader;
 use futures::{FutureExt, TryStreamExt};
 
+use http::HeaderMap;
 use reqwest::{Client, ClientBuilder, Response, StatusCode};
 use reqwest_retry::policies::ExponentialBackoff;
 use reqwest_retry::RetryTransientMiddleware;
@@ -440,12 +441,26 @@ impl RegistryClient {
             Connectivity::Offline => CacheControl::AllowStale,
         };
 
+        let client = self.client_raw.clone();
+        let req = self
+            .client
+            .uncached()
+            .head(url.clone())
+            .build()
+            .map_err(ErrorKind::RequestError)?;
+
+        // Copy authorization headers from the HEAD request to subsequent requests
+        let mut headers = HeaderMap::default();
+        if let Some(authorization) = req.headers().get("authorization") {
+            headers.append("authorization", authorization.clone());
+        }
+
         // This response callback is special, we actually make a number of subsequent requests to
         // fetch the file from the remote zip.
-        let client = self.client_raw.clone();
         let read_metadata_range_request = |response: Response| {
             async {
-                let mut reader = AsyncHttpRangeReader::from_head_response(client, response)
+                let mut reader =
+                    AsyncHttpRangeReader::from_head_response(client, response, headers)
                         .await
                         .map_err(ErrorKind::AsyncHttpRangeReader)?;
                 trace!("Getting metadata for {filename} by range request");
@@ -463,12 +478,6 @@ impl RegistryClient {
             .instrument(info_span!("read_metadata_range_request", wheel = %filename))
         };
 
-        let req = self
-            .client
-            .uncached()
-            .head(url.clone())
-            .build()
-            .map_err(ErrorKind::RequestError)?;
         let result = self
             .client
             .get_serde(