fix: retry download without Authorization header on 401 for public boxes
fixes #13703
@taru-garg-hashicorp can we get this merged for the next release?
Hi there,
Apologies for the delayed response—I’ve been considering the best way to address this issue. Currently, when an auth token has expired, vagrant continues to send it as a header, which leads to authentication failures. Ideally, public boxes shouldn’t require authentication, but since the expired token is still being sent, the registry attempts to validate it.
There are two main issues here:
- vagrant is sending an auth token even when it’s not necessary.
- The vagrant public registry is trying to authenticate every request, even for public boxes.
While this fix will address the immediate problem, I’m concerned it might create new issues for users who logged in previously and now have expired tokens. In the case of public boxes, this could mean two requests per download, which would cause users to hit rate limits more quickly.
One idea I’ve been considering is introducing something like a --no-auth flag to the CLI. Most users downloading public boxes will likely know if authentication is required, but adding this flag could disrupt current workflows.
I will discuss these options with the team to determine the best solution. As for the release timeline, there’s no set date for 2.4.10 yet, but if we resolve this beforehand, I’ll make sure it’s included in that release.
Thanks!
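The trade-off described in the comment above, as an added Ruby simulation (not code from this PR or from Vagrant): it counts registry requests for the retry-on-401 behaviour from the PR title against an opt-out like the suggested --no-auth flag. Assumptions: `FakeRegistry`, `download`, `request_cost`, the `no_auth:` argument, the Bearer header format, and the box names and tokens are all hypothetical and constructed for the illustration.

```ruby
# Constructed, offline simulation; every name here is hypothetical.
Response = Struct.new(:status, :body)

# Stand-in registry behaving as the thread describes: it validates any token
# it is sent, even when the requested box is public.
class FakeRegistry
  attr_reader :requests

  def initialize(public_boxes:, valid_tokens:)
    @public_boxes, @valid_tokens, @requests = public_boxes, valid_tokens, 0
  end

  def get(box, headers = {})
    @requests += 1
    auth = headers["Authorization"]
    if auth
      ok = @valid_tokens.include?(auth.delete_prefix("Bearer "))
      return ok ? Response.new(200, box) : Response.new(401, "invalid token")
    end
    @public_boxes.include?(box) ? Response.new(200, box) : Response.new(401, "login required")
  end
end

# Client policy from the PR title: on a 401 received while sending a token,
# retry once without the Authorization header.
# no_auth models the opt-out idea: never send the stored token at all.
def download(registry, box, token: nil, no_auth: false)
  headers = token && !no_auth ? { "Authorization" => "Bearer #{token}" } : {}
  res = registry.get(box, headers)
  # The anonymous retry can only succeed for public boxes.
  res = registry.get(box) if res.status == 401 && headers.key?("Authorization")
  res
end

# Returns [final HTTP status, number of requests the registry saw].
def request_cost(box, token: nil, no_auth: false)
  reg = FakeRegistry.new(public_boxes: ["acme/public"], valid_tokens: ["fresh"])
  [download(reg, box, token: token, no_auth: no_auth).status, reg.requests]
end

if __FILE__ == $0
  puts "expired token, public box:        #{request_cost('acme/public', token: 'stale')}"
  puts "expired token, public, no_auth:   #{request_cost('acme/public', token: 'stale', no_auth: true)}"
  puts "expired token, private box:       #{request_cost('acme/private', token: 'stale')}"
end
```

In this model the anonymous retry does not widen access: a private box with an expired token is still refused, at the cost of a second request.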
can the vagrant public registry be updated to ignore auth for public boxes?