fix: Extract redirect-URL credentials on 401 even with --no-input#14182
Open
noklam wants to merge 2 commits into
Open
fix: Extract redirect-URL credentials on 401 even with --no-input#14182noklam wants to merge 2 commits into
noklam wants to merge 2 commits into
Conversation
When an index issues a cross-origin 302 whose Location carries embedded Basic-auth credentials, the vendored requests session strips the Authorization header, so the upstream host returns 401. handle_401 is meant to recover by reading the credentials still present in resp.url and retrying, which needs no user interaction. That recovery was gated behind use_keyring, which --no-input turns off for the default keyring provider (prompting=False). As a result --no-input silently disabled the non-interactive credential-from-URL extraction and pip returned the 401 unretried. Call _get_new_credentials() unconditionally and gate only the keyring lookup on use_keyring. The following `not self.prompting` guard still returns the 401 unchanged when no credentials are found without prompting.
ichard26
approved these changes
Jul 17, 2026
ichard26
left a comment
Member
There was a problem hiding this comment.
Thanks for digging into this!
| new_resp = auth.handle_401(resp) | ||
|
|
||
| assert new_resp.status_code == 200 | ||
| assert "Authorization" in sent_headers |
Member
There was a problem hiding this comment.
Do we want to check that the passed username and password is indeed correct?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See issue: #14181
When an index issues a cross-origin 302 whose Location carries embedded Basic-auth credentials, the vendored requests session strips the Authorization header, so the upstream host returns 401. handle_401 is meant to recover by reading the credentials still present in resp.url and retrying, which needs no user interaction.
That recovery was gated behind use_keyring, which --no-input turns off for the default keyring provider (prompting=False). As a result --no-input silently disabled the non-interactive credential-from-URL extraction and pip returned the 401 unretried.
Call _get_new_credentials() unconditionally and gate only the keyring lookup on use_keyring. The following
not self.promptingguard still returns the 401 unchanged when no credentials are found without prompting.What does this PR do?
PR Checklist:
Assisted-by: Claude Code to analyse the codebase as this is my first upstream PR.