DO NOT MERGE: Require an organization key and store short-lived tokens#1181
Draft
ericmj wants to merge 1 commit into
Draft
DO NOT MERGE: Require an organization key and store short-lived tokens#1181ericmj wants to merge 1 commit into
ericmj wants to merge 1 commit into
Conversation
ericmj
changed the title
mix hex.organization auth now requires --key; the key is exchanged for a short-lived token immediately and only the token is stored, never the key. Organization repositories no longer authenticate with a stored API key — they use the cached short-lived token or the user's OAuth authentication — and HEX_REPOS_KEY no longer grants access to organization repositories. For development, mix hex.user auth grants access to all your organizations. The base hexpm repository (including trusted mirrors authenticated with HEX_REPOS_KEY) is unchanged.
ericmj
force-pushed
the
organization-short-lived-tokens
branch
from
5c94711 to
dbe0b86
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Follow-up to the deprecations in #1179 — this is the breaking change that removes the deprecated paths. It must ship in a release after the one that carries the deprecation warnings, not together with them. Draft until then.
What changes
mix hex.organization auth ORGANIZATIONnow requires--key. Without it, the task raises and points tomix hex.user auth(development) ormix hex.organization key … generate(CI).mix hex.organization auth ORGANIZATION --key KEYnow exchanges the key for a short-lived token immediately and stores only the token, never the key. The exchange also verifies the key grants access to the organization.auth --key) or, failing that, the user'smix hex.user authauthentication. A storedauth_keyleft inhex.configby an older client is ignored.HEX_REPOS_KEYno longer grants access to organization repositories — authenticate per organization withauth --keyinstead.Scope / compatibility
hexpmrepository is unchanged, including trusted mirrors authenticated withHEX_REPOS_KEY. Full removal ofHEX_REPOS_KEYis intentionally out of scope here because it is also used for mirror authentication.client_credentialsexchange itself is unchanged, so CI keeps working: a job runsmix hex.organization auth ORGANIZATION --key $KEYand fetches with the resulting token. Since that exchange issues no refresh token, the token must be re-obtained after it expires (~30 min) — fine for a typical CI job, and the intended friction for a human pasting a key on a workstation.Follow-up (separate, later)
The hexpm server should eventually reject the exchange of a user-owned key for repository scopes (returning
invalid_scope), so the constraint reaches clients that are pinned to old Hex versions. That is deliberately deferred — it is a server-side breaking change to be timed against customer comms, and it is not part of this PR.