Error: API Token or Trusted Publisher must be used to upload in place of password

[kolibril13]

A few months ago, hatch publish worked fine for me. Now, I get the error:

jan-hendrik@Jan-Hendriks-MacBook-Air ipymafs % hatch publish
dist/ipymafs-0.1.2.tar.gz ... failed
Error uploading to repository: https://upload.pypi.org/legacy/ - Client error '401 User kolibril13 has two factor auth enabled,
an API Token or Trusted Publisher must be used to upload in place of password.' for url 'https://upload.pypi.org/legacy/'
For more information check: https://httpstatuses.com/401

I've already generated a token on pypi that looks like thispypi-AgEIdffx********************************************************* How can I feed this token to hatch, so that I can publish my packages? I'm grateful for any help!

[ofek]

Set the username to __TOKEN__

[kolibril13]

Hi @ofek, I think I need more context: I can't find a reference how to set "username" in the docs.

I've also tried hatch publish --user pypi-AgEIdffx******************************************** and then put the token again in the field for Enter your credentials: but that did not work as well.

Thanks for your help!

[ofek]

You are entering the token into the user field it appears

[kolibril13]

thanks for the follow up-suggestion. I have now tried hatch publish --user but that gives Error: Option '--user' requires an argument.

I have then tried to hatch publish --user kolibril13, that opens this pop-up, but it there the pypi token does not work, only my system password is working there.

If you have the bandwidth to give me more hints, I'd be very grateful for that!

[ofek]

Yes, Hatch uses your system's credential manager to store previous authentication info and that might require you entering your password. Did the upload work after that?

[kolibril13]

ahh, now I got the solution! I had to type hatch publish --user __token__ and then in the second step Enter your credentials: I pasted the pypi-AgEIdffx**************************** token including the pypi- prefix.

Maybe this info can be added to https://hatch.pypa.io/latest/publish/#authentication

[kolibril13]

Follow-up question: For security reasons, I've deleted the old pypi-AgEIdffx******** and generated a new token on Pypi. How can I update this token now on hatch? Because when I now type hatch publish --user __token__ , I don't have the option Enter your credentials: anymore. Re-installation of hatch also did not work.

[ofek]

Use the flags of the publish command to set both the username and authentication info. The --initialize-auth flag might work also, let me know.

[kolibril13]

Thanks for the hint. I've tried hatch publish --initialize-auth but that did not work.

Here are the other options:

hatch publish -h               
Usage: hatch publish [OPTIONS] [ARTIFACTS]...

  Publish build artifacts.

Options:
  -r, --repo TEXT       The repository with which to publish artifacts [env
                        var: `HATCH_INDEX_REPO`]
  -u, --user TEXT       The user with which to authenticate [env var:
                        `HATCH_INDEX_USER`]
  -a, --auth TEXT       The credentials to use for authentication [env var:
                        `HATCH_INDEX_AUTH`]
  --ca-cert TEXT        The path to a CA bundle [env var:
                        `HATCH_INDEX_CA_CERT`]
  --client-cert TEXT    The path to a client certificate, optionally
                        containing the private key [env var:
                        `HATCH_INDEX_CLIENT_CERT`]
  --client-key TEXT     The path to the client certificate's private key [env
                        var: `HATCH_INDEX_CLIENT_KEY`]
  -n, --no-prompt       Disable prompts, such as for missing required fields
  --initialize-auth     Save first-time authentication information even if
                        nothing was published
  -p, --publisher TEXT  The publisher plugin to use (default is `index`) [env
                        var: `HATCH_PUBLISHER`]
  -o, --option TEXT     Options to pass to the publisher plugin. This may be
                        selected multiple times e.g. `-o foo=bar -o baz=23`
                        [env var: `HATCH_PUBLISHER_OPTIONS`]
  -y, --yes             Confirm without prompting when the plugin is disabled
  -h, --help            Show this message and exit.

which one of these can I try?

[ofek]

Use the flags of the publish command to set both the username and authentication info.

[kolibril13]

I've now tried to use a few flags of the publish command to set both the username and authentication info, but that all did not work:

hatch publish --user __token__

-> ❌

hatch publish --initialize-auth

-> ❌

hatch publish --client-cert pypi-********

-> ❌

any further ideas how I can update the pypi token? Any suggestions are much appreciated!

[ofek]

Let's start from the top. To authenticate you need credentials and your username. Which flags do you think correspond to each one?

[kolibril13]

I'm still a bit confused with the flags and their usage. I have tried --initialize-auth , --auth and --user but they all did not work. Could you possibly provide a step-by-step instruction or a direct command example for updating the token in hatch? I'm sure this would help me immensely in resolving the issue.

Thanks again for your support!

[ofek]

Try both the user and auth flags at the same time

[kolibril13]

now I've tried

hatch publish  --auth --user
hatch publish  --user --auth
hatch publish  ---user __token__ --auth
hatch publish  --auth --user __token__
hatch publish  --user --auth __token__

but non of these worked. Is there a way to delete my old token and the corresponding Pypi-key on my machine?

[ofek]

hatch publish --user __TOKEN__ --auth this_is_your_token

[kolibril13]

I appreciate your patience! 🌻 Unfortunately hatch publish --user __TOKEN__ --auth pypi-AgEIcH*********** gives me as well Client error '403 Invalid or non-existent authentication information.

Any other ideas?

[ofek]

Try to make a different token.

[kolibril13]

I just generated a new token and tried that, but did not work as well.

[ofek]

Try hatch publish --user __token__ --auth this_is_your_token

[kolibril13]

Hey @ofek , thanks for this hint! hatch publish --user __token__ --auth pypi-***************** is working now! 🎉

And I'd like to ask a follow-up question: Is there also a way to store the credentials, so that I don't have to always copy+paste my token?

[ofek]

I think it should be saved after it works once, try again?

[kolibril13]

Thanks for the idea, but when I type just hatch publish, I still get this error:

[ofek]

Can you please try removing https://hatch.pypa.io/latest/config/hatch/#cache and do it again?

[kolibril13]

After running rm -r ~/Library/Caches/hatch I now get this: Enter your username input field.

but then comes this error message when I leave the `__TOKEN__` default.

[ofek]

Well yes but if you fix the username does it work I mean. Try again but this time fix the token variable (sorry about that)

[kolibril13]

I see! When I use __token__ username in lowercase instead, I don't get the field Enter your credentials input field. Instead, I get directly the 403 Invalid or non-existent authentication information. message, as seen in this screenshot:

For debugging, I tried to use another random username hellllowoooorld, and there I get the Enter your credentials input field.

So my suspicion is, that there's somewhere an old key cached that is not working anymore.

Do you have an idea where I could find and delete this old cached key?

[ofek]

Could you modify the code of your Hatch installation to add some print statements?

[kolibril13]

I must admit that I don't know how that can be done. Can you guide me where I can find the code of the hatch installation, and where exactly I can add these print statemetents?

[ofek]

How did you install it?