2FA usability on PyPI and with packaging tools

pitrou · November 7, 2023, 4:48pm

Hello,

I have recently tried to upload a package to PyPI with 2FA enabled and would like to share my experience.

More or less at random, I elected to use hatch for this package. However, using hatch publish gave mystifying errors (it doesn’t help that hatch seems to use home-grown mechanisms to store credentials?).

I then switched to twine, which gave me a slightly more helpful error message…

User XXX has two factor auth enabled, an API Token or Trusted Publisher must be used to upload in place of password.

… but only slightly, since it didn’t tell me how to actually use an API token (it also didn’t tell me how to create a token, but I figured that must be done from the PyPI account settings).

I then created an API token, and thought that I could try hatch publish again, just by pasting the API token in the “credentials” prompt instead of my PyPI password (by the way why does it say “credentials” instead of a more explicit “password” or “token”?). Which didn’t work.

Switching to twine again, I copied the snippet from the API token creation results into my .pypirc and manually changed the required information such as the project name (a tedious operation, I have to say). I also noticed that the special username __token__ was used for that purpose instead of my regular username.

Now I can upload using twine upload -r my_project_name ..., which works, but I have to remember to pass -r my_project_name. The project name actually refers to an entry in .pypirc that contains the project-specific API token, and pretends to be a separate repository entry…

However, I still don’t know how I could do all the above using hatch instead (should I have gone with something else from the start?).

I would add that neither twine nor hatch publish ever mention 2FA in their respective command-line helps. The hatch online docs revolve around classic password auth (I admit I haven’t checked the twine online docs). This is unfortunate since 2FA is strongly recommended these days.

Side note: at first I had to create an account-wide API token, since the project I wanted to upload didn’t exist yet. Once I managed to create the project by uploading, I deleted the account-wide API token and created project-specific one. I then had to reconfigure .pypirc a second time…

Side note #2: I just wanted to actually register the project so as to reserve the name. It is obviously not possible (why?), so I had to upload a version and immediately delete it…

jeanas · November 7, 2023, 5:40pm

Just enter __token__ for the user name and the token as password. You don’t need .pypirc, you don’t need to leave hatch.

I just tested this with hatch publish on test.pypi.org and it just worked.

IMO, instead of “Enter your username:”, Hatch should write “Enter your username, or __token__ to use an API token:”. @ofek WDYT?

jeanas · November 7, 2023, 5:43pm

I also find it interesting that this is mentioned in the PyPI documentation here, but you were looking for it in the Hatch or twine documentation instead.

pitrou · November 7, 2023, 5:44pm

Thanks. Will hatch also remember the per-project token (meaning if I set up another project, it won’t confuse the two)?

jeanas · November 7, 2023, 6:01pm

It doesn’t look like it does, unfortunately.

ofek · November 7, 2023, 6:25pm

Can you please open a feature request?

pitrou · November 8, 2023, 9:34am

For the record, it also seems unfortunate that, when 2FA is enabled, you are required to use token authentication for package uploads. Token authentication effectively bypasses 2FA…

pitrou · November 8, 2023, 2:15pm

It turns out an issue was already opened for the 2FA discoverability and usability issues, so I just expanded in a comment there:

github.com/pypa/hatch

Docs: publishing > authentication > API tokens

opened 07:25PM - 10 Apr 23 UTC

soxofaan

https://hatch.pypa.io/latest/publish/#authentication mainly discusses user+passw…ord auth. Last week I used user+password auth to publish a project, and got this email from pypi: > ... However, your account has two-factor authentication (2FA) enabled. In the near future, PyPI will begin prohibiting uploads using basic authentication for accounts with two-factor authentication enabled. Instead, we will require API tokens to be used. I guess the Hatch documentation could use a bit of finetuning to cover API tokens better, because now it just mentions it as a recommendation for automated releases: > For automated releasing to PyPI, it is recommended that you use per-project [API tokens](https://pypi.org/help/#apitoken). Also relevant here: when one creates an API token, one has to pick the token's scope (all projects or an individual project). So that means that a developer might ends up with multiple "token passwords" (one for each projecct), which might not play well with the user/password caching mechanism described in the authentication docs.

As for the ability to remember per-project API tokens, I only use hatch on a single project for now so I’d rather let @jeanas open an issue themselves.

dustin · November 8, 2023, 3:05pm

You’re correct that using API-token based authentication bypasses 2FA, but this is because we need a solution that works in commonly used non-interactive environments (like GitHub Actions) where waiting for user input is not possible. 2FA also primarily helps protect against credential stuffing (reusing leaked username/passwords from other websites) and phishing attacks (WebAuthn only) which are less of a concern for API tokens.

That said, using API tokens without 2FA is still a significant security improvement over username/passwords:

API tokens can’t be used to log into PyPI and change settings, only to upload packages;
API tokens can be fine-grained and scoped to individual packages, reducing the ‘blast radius’ if they were compromised;
API tokens can be automatically detected and revoked if/when they leak.

Finally, what we (PyPI) would really like you to do rather than upload with username/password or API tokens is use Trusted Publishing as alluded to in the original error message, because his removes the need to store long-lived credentials entirely. Currently we only support GitHub Actions, but we plan to add more providers in the future – this is relatively new, so I’d be interested to hear if you think this would work for you!

pitrou · November 8, 2023, 3:27pm

Hmm, I am not planning to add any automation on this package, so it probably wouldn’t help in this case.

dustin · November 8, 2023, 3:53pm

Not trying to change your decision, but just want to make sure you’re aware: if you’re already using GitHub, it’s fairly easy to do with https://github.com/marketplace/actions/pypi-publish, which will use Trusted Publishing automatically if configured for the project.

EpicWink · November 9, 2023, 9:17am

I could see a future where PyPI and twine support interactive authentication, eg Microsoft’s auth code flow

In fact, it seems that’s most of the way there according to PyPI’s docs

pitrou · November 9, 2023, 9:26am

This is basically what @dustin pointed to above, right?

But it would be nice if there was also a solution for manual uploads, such as:

$ hatch publish --token-auth
API token for project 'project': ...

Your package has been uploaded successfully.
However, it is now pending validation before being published.
Please use the following link for two-factor authentication:
https://pypi.org/2fa-validate?some_magic_args....

or:

$ hatch publish --token-auth
API token for project 'project': ...

Your package has been uploaded successfully.
However, it is now pending validation before being published.
Registered project maintainers will receive a validation link by e-mail,
which they can click to undergo two-factor authentication.

dustin · November 9, 2023, 4:35pm

This feature is specifically not an interactive flow. It’s also complete.

What your describing sounds like https://github.com/pypi/warehouse/issues/726.

pitrou · November 9, 2023, 4:46pm

I do not see any mention of two-factor auth there?

LtWorf · November 12, 2023, 8:35am

Is the issue of “needing to create a global token to create a new project” getting forgotten here?

dustin · November 13, 2023, 12:33am

This is already resolved by using Trusted Publishing, see https://docs.pypi.org/trusted-publishers/creating-a-project-through-oidc/.

LtWorf · November 13, 2023, 10:49am

In data lunedì 13 novembre 2023 01:43:34 CET, hai scritto:

This is already resolved by using Trusted Publishing, see
https://docs.pypi.org/trusted-publishers/creating-a-project-through-oidc/

The link seems specific to projects on github.

Does the method work in general?

pf_moore · November 13, 2023, 11:00am

I agree, this seems to be an issue. While it doesn’t matter to me personally right now - all my projects are on github - I am concerned if we are tying the most secure publishing methods for PyPI to a single source code hosting provider^[1]. Apart from giving github a privileged position, we risk a situation where a major issue with github leaves project maintainers with no fallback (we had a similar situation with travis CI in the past, and that was simply the community favourite approach, not something explicitly supported by our infrastructure).

Whether that “tying” is a result of only supporting that provider, or making support for other providers a “build it yourself” approach, isn’t the point - “build it yourself” means people can make mistakes and introduce vulnerabilities. ↩︎

pitrou · November 13, 2023, 11:12am

Also, this assumes that people want to automate project creation, which seems a bit weird and overkill.