2FA not prompted on package upload? #5815

Closed
vidartf opened this issue May 8, 2019 · 7 comments

Comments

@vidartf

vidartf commented May 8, 2019

Describe the bug
After having just enabled 2FA on the test server, I tried uploading a new package with twine upload --repository-url https://test.pypi.org/legacy/ dist/*. I was prompted for username and password as normal, and it then uploaded the packages successfully. It never prompted for a 2FA key.

Expected behavior
Either it should prompt for a 2FA key, or it should fail.

My Platform

  • Windows 10
  • twine version 1.13.0 (pkginfo: 1.5.0.1, requests: 2.21.0, setuptools: 40.6.3, requests-toolbelt: 0.9.1, tqdm: 4.31.1)

Xref #5661

@alex
Member

alex commented May 8, 2019

This is a known behavior. The solution here is that we're going to be moving to API keys for uploads.

@vidartf
Author

vidartf commented May 8, 2019

Thanks for the reply. Not entirely sure what is meant by an API key (https://stackoverflow.com/questions/1453073/what-is-an-api-key#1453082). Is this some long lasting token, or a one-time key?

@alex
Member

alex commented May 8, 2019 via email

@jezdez
Contributor

jezdez commented May 9, 2019

The issue in question is #994.

@vidartf
Author

vidartf commented May 9, 2019

Neat. So I assume that means 2FA push to prod is blocked on #994, and that uploads through any route will fail if:

  • 2FA is enabled.
  • No 2FA-circumventing token is used.

Will there be a non-browser upload method supporting 2FA?

@woodruffw
Member

Will there be a non-browser upload method supporting 2FA?

Probably not. We discussed some schemes early on that would allow users to embed e.g. a TOTP token alongside their password, but the ultimate goal is to remove password authentication for package upload entirely and go with well-scoped API keys instead.
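The policy this thread converges on, from the reporter's expectation that a bare-password upload on a 2FA-enabled account should fail rather than silently succeed, to the plan to replace password upload with well-scoped API keys, can be modelled in a few dozen lines. The following is an added example written for this page; it is not Warehouse or twine code. The class and method names, the `__token__` placeholder username carrying the token in the password field, the `pypi-<id>-<secret>` token layout and the account and project names are all assumptions of the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Constructed toy model (not Warehouse/twine code): an account with 2FA enabled
# cannot upload with its password at all, and uploads instead present an API
# token scoped to named projects.

TOKEN_USERNAME = "__token__"   # assumed convention: the token travels in the password field


@dataclass
class Account:
    username: str
    password_hash: str
    two_factor_enabled: bool = False


@dataclass
class TokenRecord:
    secret_hash: str
    owner: str
    projects: FrozenSet[str]   # empty set means account-wide scope


def _digest(secret: str) -> str:
    # Tokens are high-entropy, so plain SHA-256 is adequate for them; a real
    # deployment hashes passwords with a slow salted KDF (argon2/bcrypt) instead.
    return hashlib.sha256(secret.encode()).hexdigest()


class UploadAuthorizer:
    def __init__(self) -> None:
        self.accounts = {}   # username -> Account
        self.tokens = {}     # token_id -> TokenRecord

    def add_account(self, username: str, password: str, two_factor_enabled: bool = False) -> None:
        self.accounts[username] = Account(username, _digest(password), two_factor_enabled)

    def issue_token(self, username: str, projects=()) -> str:
        """Return a fresh token "pypi-<id>-<secret>" (constructed format); only the secret's hash is stored."""
        if username not in self.accounts:
            raise KeyError(username)
        token_id = secrets.token_hex(8)          # hex only, so it never contains '-'
        secret = secrets.token_urlsafe(32)
        scope = frozenset(p.lower() for p in projects)
        self.tokens[token_id] = TokenRecord(_digest(secret), username, scope)
        return f"pypi-{token_id}-{secret}"

    def _check_token(self, credential: str, project: str) -> Tuple[bool, str]:
        parts = credential.split("-", 2)
        if len(parts) != 3 or parts[0] != "pypi":
            return False, "malformed token"
        record = self.tokens.get(parts[1])
        if record is None or not hmac.compare_digest(record.secret_hash, _digest(parts[2])):
            return False, "unknown or invalid token"
        if record.projects and project.lower() not in record.projects:
            return False, f"token not scoped to project {project!r}"
        return True, record.owner

    def authorize_upload(self, username: str, credential: str, project: str) -> Tuple[bool, str]:
        """Decide an upload request; returns (allowed, owner-or-reason)."""
        if username == TOKEN_USERNAME:
            return self._check_token(credential, project)
        account = self.accounts.get(username)
        if account is None or not hmac.compare_digest(account.password_hash, _digest(credential)):
            return False, "bad username or password"
        if account.two_factor_enabled:
            # The reporter's expected behaviour: with 2FA on, a bare password fails
            # rather than silently succeeding, since this route has no second factor.
            return False, "2FA is enabled on this account; upload with a scoped API token"
        return True, account.username


if __name__ == "__main__":
    auth = UploadAuthorizer()
    auth.add_account("alice", "correct-horse-battery", two_factor_enabled=True)
    print(auth.authorize_upload("alice", "correct-horse-battery", "example-pkg"))
    token = auth.issue_token("alice", projects=["example-pkg"])
    print(auth.authorize_upload(TOKEN_USERNAME, token, "example-pkg"))
    print(auth.authorize_upload(TOKEN_USERNAME, token, "other-pkg"))
```

The scope check is the part that makes the "well-scoped" in woodruffw's comment concrete: a token issued for one project is refused for any other, so a leaked CI token exposes only that project rather than every package the account owns, which a password (or a password plus an embedded TOTP code) could never limit.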

@vidartf vidartf closed this as completed May 16, 2019
@brainwane
Contributor

@vidartf per #994 (comment), although we do not plan to enable 2FA for package upload, we do plan to use API keys to better secure package upload (such as via twine).


5 participants