unauthorized when publishing to pypi package registry #13457

Closed
opened 2025-11-02 10:42:56 -06:00 by GiteaMirror · 2 comments

Originally created by @imgurbot12 on GitHub (Sep 5, 2024).

Description

Hello, after following the instructions provided (https://docs.gitea.com/usage/packages/pypi) for pushing packages to the pypi registry, I'm encountering a troublesome error when attempting to push using twine.

I've provided a username and password set to an application-token with the `packages` permission set to `read/write`.

Here's an example log of twine's output:

```
INFO     Using configuration from /home/imgurbot12/.pypirc
Uploading distributions to https://demo.gitea.com/api/packages/PyTestOrg1/pypi
INFO     dist/pyderive3-0.0.6-py3-none-any.whl (49.3 KB)
INFO     dist/pyderive3-0.0.6.tar.gz (38.8 KB)
INFO     username set from config file
INFO     password set from config file
INFO     username: 'imgurbot12'
INFO     password: <hidden>
Uploading pyderive3-0.0.6-py3-none-any.whl
100% ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 56.8/56.8 kB • 00:00 • 194.7 MB/s
INFO     Response from https://demo.gitea.com/api/packages/PyTestOrg1/pypi:
         401 Unauthorized
INFO     authGroup.Verify

ERROR    HTTPError: 401 Unauthorized from https://demo.gitea.com/api/packages/PyTestOrg1/pypi
         Unauthorized
```

On the server side I can see the following in the gitea runtime logs:

```
2024/09/05 09:21:12 .../api/packages/api.go:87:func1() [E] Failed to verify user: user does not exist [uid: 0, name: 'imgurbot12']
2024/09/05 09:21:12 ...eb/routing/logger.go:102:func1() [I] router: completed POST /api/packages/Itatem/pypi for 1.2.3.4:0, 401 Unauthorized in 12.3ms @ packages/api.go:83(packages.verifyAuth)
```

Gitea Version

Gitea version 1.22.1 built with GNU Make 4.3, go1.22.5 : bindata, sqlite, sqlite_unlock_notify

Can you reproduce the bug on the Gitea demo site?

Yes

Git Version

git version 2.43.0

Operating System

Linux (Ubuntu 24.04)

How are you running Gitea?

self-hosted

Database

SQLite

GiteaMirror added the type/bug label 2025-11-02 10:42:56 -06:00

@imgurbot12 commented on GitHub (Sep 5, 2024):

In further testing, trying to log in with a user's password directly does not work either, and neither does using an email as the username, as it returns a similar error:

```
2024/09/05 19:29:32 ...rvices/auth/basic.go:130:Verify() [E] UserSignIn: Email address does not exist [email: 'imgurbot12@example.com']
2024/09/05 19:29:32 .../api/packages/api.go:87:func1() [E] Failed to verify user: Email address does not exist [email: 'imgurbot12@example.com']
```

Authenticating to read from the pypi does work as intended with both the access-token and basic password, so clearly the credentials do work and the account exists.

```
pip install --index-url https://imgurbot12:<token>@gitea.example.com/api/packages/imgurbot12/pypi/simple --no-deps test
```

@imgurbot12 commented on GitHub (Sep 6, 2024):

BRUH, you've got to be kidding me. As it turns out, quotation marks added around the username and password fields in the pypirc get included in the actual request.

This is what my pypirc looked like:

```
[distutils]
index-servers = gitea

[gitea]
repository = https://demo.gitea.com/api/packages/PyTestOrg1/pypi
username   = '{username}'
password   = '{password}'
```

I only realized it was an issue when I added quotes to the url as well and got the following error during testing:

```
requests.exceptions.InvalidSchema: No connection adapters were found for "'http://localhost:3000/api/packages/TestOrg/pypi'"
```

It is imperative these are not included since as soon as I removed them authentication worked as intended.
That's so ridiculous. Apologies for the inconvenience.
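
The behaviour reported in this thread can be reproduced and linted for offline. This is an added example, not code from the issue, Gitea or twine; it assumes the `.pypirc` is read with Python's standard `configparser` (which does no quote handling), and the host, organisation and credentials are constructed placeholders.

```python
import base64
import configparser

# Constructed sample mirroring the .pypirc in the comment above; values are placeholders.
SAMPLE_PYPIRC = """\
[distutils]
index-servers = gitea

[gitea]
repository = https://gitea.example.com/api/packages/ExampleOrg/pypi
username   = 'alice'
password   = 'example-token'
"""
CHECKED_KEYS = ("repository", "username", "password")


def load_pypirc(text):
    """Parse .pypirc text with the standard INI parser (assumed to match twine)."""
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    return parser


def find_quoted_values(parser):
    """Return (section, key) pairs whose value is wrapped in matching quotes."""
    findings = []
    for section in parser.sections():
        for key in CHECKED_KEYS:
            value = parser.get(section, key, fallback="")
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
                findings.append((section, key))
    return findings


def basic_auth_header(parser, section):
    """Build the HTTP Basic Authorization value from the parsed credentials."""
    raw = f"{parser.get(section, 'username')}:{parser.get(section, 'password')}"
    return "Basic " + base64.b64encode(raw.encode()).decode()


def decoded_username(header):
    """Decode a Basic header back to the username the server will look up."""
    return base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)[0]


if __name__ == "__main__":
    cfg = load_pypirc(SAMPLE_PYPIRC)
    print("quoted values:", find_quoted_values(cfg))
    print("username sent:", decoded_username(basic_auth_header(cfg, "gitea")))
```

Because server and client logs often wrap names in quotes themselves, a literal quote inside the username is hard to spot there; checking the config file directly, as `find_quoted_values` does, avoids that ambiguity.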
Reference: github-starred/gitea#13457