Change username & API token prefix, to make Travis auth easier #6287

Closed
ZaxR opened this issue Jul 28, 2019 · 10 comments · Fixed by #6342
Labels
documentation tokens Issues relating to API tokens

Comments

@ZaxR

ZaxR commented Jul 28, 2019

Just wanted to share a potential pain point for folks using the new PyPI API tokens for authentication via a travis.yaml. The @token username needs to be wrapped in quotes and the : after pypi needs to be escaped to work, otherwise you hit a 403 error (thanks for the help tracking this down @ewdurbin).

If you're using the environment variables through Travis' UI, the following works:

deploy:
  provider: pypi
  user: "@token"  # quotes required for travis
  # server: https://test.pypi.org/legacy/  # uncomment to do a test deploy
  password:
    secure: $PASSWORD  # stored in travis env var, with `:` after `pypi` escaped (pypi\:)
  on:
    branch: master
  skip_existing: true

If you're encrypting the token via the command line, you can just wrap your token in quotes:
travis encrypt "<your-pypi_token>" --add deploy.password [--com]

@di
Member

di commented Jul 29, 2019

A bit unfortunate that we chose something that requires quoting as the username. It'd be nice to not have this friction when folks migrate to API keys.

Since we're still in the beta period, I think it would be reasonable to change this (but still support @token for a bit for backwards compatibility). Some options that would not require quoting:

  • $token
  • ^token
  • =token

@di di added the tokens Issues relating to API tokens label Jul 29, 2019
@ewdurbin
Member

@dstufft any thoughts here?

I'm +1 for updating the keys to pypi- or pypi_ prefix and changing the username to something without an @.

I'm -1 on backward compatibility for longer than a few days. We know who has provisioned API tokens and can email them to give them a heads-up 24 hours before disabling the older grammar.

@di
Member

di commented Jul 31, 2019

Yeah, I should be clear: I meant backwards compatibility until ~the end of the beta period.

@brainwane
Contributor

I'm +1 for updating keys & username, and -1 on backward compatibility for longer than a few days.

@woodruffw heads-up.

@brainwane brainwane changed the title API Token Authentication with Travis change username & prefix for API token to make Travis auth easier Aug 1, 2019
@woodruffw
Member

Thanks for the ping! I'll make a PR for these changes now.

@pradyunsg pradyunsg changed the title change username & prefix for API token to make Travis auth easier Change username & API token prefix, to make Travis auth easier Aug 1, 2019
@ewdurbin
Member

ewdurbin commented Aug 5, 2019

We have updated the token username and prefix:

username: @token => __token__
password/token: pypi:<base64 token body> => pypi-<base64 token body>

These changes should alleviate the need for escaping heroics.

The previous format will continue to work for now, but users will be notified to update their configurations to match the new syntax before the beta period is over.

@ZaxR
Author

ZaxR commented Aug 18, 2019

Just made the change, and __token__ is working well with Travis, but just an FYI that the hyphen in the token (pypi-xxx...) still needs to be escaped for Travis.

@hugovk
Contributor

hugovk commented Aug 19, 2019

@ZaxR Did you encrypt the token? I recommend you do, so only your repo can upload.

I didn't need to escape anything when encrypting:

  • Created a new API token on Test PyPI
  • Updated .travis.yml to use user: __token__ (no quotes this time)
  • Created the password with travis encrypt pypi-A... (again no quotes this time) and put in .travis.yml as password: secure: "S..."
  • Pushed a commit, and it deployed successfully to Test PyPI

https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-help-needed/1042/44?u=hugovk
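
An added example, not part of the thread and not PyPI's or Travis's own code: a small check that flags the pre-change grammar (`@token`, `pypi:`) announced above and any token pasted into a CI config in plaintext instead of being encrypted as recommended in the preceding comment. The regexes, finding names and both sample configs are assumptions constructed for illustration.

```python
import re

# Constructed sample: pre-change grammar, token pasted in plaintext.
SAMPLE_LEGACY = '''deploy:
  provider: pypi
  user: "@token"
  password: "pypi:CONSTRUCTEDtokenBODY0000"
'''

# Constructed sample: updated grammar, password produced by `travis encrypt`.
SAMPLE_CURRENT = '''deploy:
  provider: pypi
  user: __token__
  password:
    secure: "S...constructed-ciphertext..."
'''

# Value of the `user:` key, with optional surrounding quotes stripped.
USER_RE = re.compile(r'^\s*user:\s*["\']?([^"\'#\s]+)', re.M)
# Heuristic for a raw token: prefix `pypi`, separator `:` (optionally
# backslash-escaped) or `-`, then a long base64-looking body.
TOKEN_RE = re.compile(r'pypi(\\?:|-)[A-Za-z0-9+/=_-]{16,}')


def audit(config_text):
    """Return a list of finding names for one CI config file's text."""
    findings = []
    m = USER_RE.search(config_text)
    user = m.group(1) if m else None
    if user == "@token":
        findings.append("legacy-username")      # should become __token__
    elif user != "__token__":
        findings.append("not-token-auth")       # account password or missing
    for tok in TOKEN_RE.finditer(config_text):
        findings.append("plaintext-token")      # secret committed unencrypted
        if tok.group(1) != "-":
            findings.append("legacy-token-prefix")  # pypi: should be pypi-
    return findings


if __name__ == "__main__":
    for name, text in (("legacy", SAMPLE_LEGACY), ("current", SAMPLE_CURRENT)):
        print(name, audit(text))
```

The token pattern is a heuristic and can match long hyphenated names that start with `pypi-`; treat a hit as a prompt to inspect the line, not as proof of a leaked secret.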

@pfaion

pfaion commented Aug 27, 2019

@ZaxR

I just put the token into travis without escaping anything and it works. I don't think the hyphen is a special character in bash?

@ZaxR
Copy link
Author

ZaxR commented May 30, 2020

Just wanted to close the loop on my final comment: The hyphen does NOT need escaping. The issue I was facing was with setting the env var via the travis UI. The instructions from @hugovk work well. For folks interested in a complete example: https://github.com/ZaxR/bulwark/blob/master/.travis.yml
