
Allow passing a `credentials.toml` file path as a CLI arg for `cargo login` and `cargo publish`

Open DeflateAwning opened this issue 1 year ago • 2 comments

Problem

Publishing crates with multiple accounts is a common-enough practice. It would be nice if one could run `cargo publish --cred ~/account1/cargo_cred.toml` to use account1's credentials.

This feature should be added for both `cargo login` and `cargo publish` (and any other subcommands I'm forgetting).

Proposed Solution

Python's PyPI supports this functionality via the `--config <path>` arg (but `--config` is already in use for cargo). `--cred <path.toml>` is probably the next best option.

Notes

No response

DeflateAwning avatar May 19 '24 00:05 DeflateAwning

We support credentials from multiple sources, not just credentials.toml and I think there is a preference for deprecating cargo:token as it stores the credential in plain text.

epage avatar May 19 '24 00:05 epage

Good to know! Unless there's a solid plan and a deprecation date picked for removing credentials.toml support, I still think that there should be a way to pick the credential storage file via an arg.

All those other methods seem very good once they're implemented, but they seem like a pain to get right, and a pain to make sure the right credentials are used for the job.

DeflateAwning avatar May 20 '24 02:05 DeflateAwning

> Unless there's a solid plan and a deprecation date picked for removing credentials.toml support,

The plain text credential is all but deprecated. Note that deprecation is separate from removal. This isn't so bad that we expect to break compatibility. However, I see it unlikely for us to add new features specific to plain text token management. The finishing of the deprecation is dependent on a documentation audit (and improving small workflow issues found along the way).

> All those other methods seem very good once they're implemented, but they seem like a pain to get right, and a pain to make sure the right credentials are used for the job.

We have other credential managers today.

epage avatar May 20 '24 13:05 epage

See also https://github.com/rust-lang/cargo/issues/13623 for some possible approaches we might want for de-emphasizing plain text login.

weihanglo avatar May 20 '24 13:05 weihanglo

Since we tend to deprecate and discourage the usage, for me I wouldn't add more features for plaintext credentials.

For implementing custom credential providers, the protocol accepts additional arguments so shouldn't be too complicated to roll out something like `cargo login -- --cred <path>` by hand.

weihanglo avatar May 20 '24 14:05 weihanglo

Credentials like `token` are just regular config files. The `--config` CLI option should work to specify a file that has your token values.

However, as stated above, it is probably not a good idea to store your credentials in an unencrypted plain file.

ehuss avatar May 20 '24 17:05 ehuss

Second. Close.

weihanglo avatar May 21 '24 20:05 weihanglo