Look for secrets in keyring too #620
Conversation
* [ ] Update vignette Fixes #346
| @@ -134,7 +134,7 @@ test_that("can translate data", { | |||
|
|
|||
| expect_snapshot({ | |||
| curl_translate("curl http://example.com --data abcdef") | |||
| curl_translate("curl http://example.com --data abcdef -H Content-Type:text/plain") | |||
| curl_translate("curl http://example.com --data abcdef -H Content-Type:text/plain") |> | |||
General thoughts wrt keyringThere are a couple of things to work out wrt keyring usage in general. One is that it might "freeze" in a headless setup, because it starts an interactive password dialog. This is how pip deals with this: https://pip.pypa.io/en/stable/topics/authentication/#here-be-dragons Another thing is to make sure that all packages look for the same key when looking up the password for a URL. This includes keys across languages, e.g. if there is a password for PPM in the keyring, both R (pak, httr2?, etc.) and pip should find it and use it. A third thing to work out is to make everything smooth with gitcreds and git passwords in general. This is probably up to the R package. For some packages it makes sense to look at both the git credential store and also keyring natively (pak?), for others probably not. About this PRAs for this PR, maybe it would make sense to make this opt-in until we figure out some of the details? Should httr2 message the user about getting the password from the keyring? Or maybe only for 403 responses? I also wonder it we should give some advice to the user. E.g. if the HTTP response is a 403, and the keyring package was not installed, or there is no password for the site. |
|
@gaborcsardi ok, let's leave this PR sitting for now. It feels like it'll be worth spending some time on keyring this year as part of the R in production story, and we can re-look at httr2 integration once that's done. |
Fixes #346
@gaborcsardi when you get back from break, I'd appreciate your feedback on this. Do you think this is a reasonable way to add keyring support to httr2 so folks can use it instead of env vars? Should httr2 use its own keyring instead of the system default? Or add some prefix to the service name? I think the root cause of my uncertainty is that I don't understand how namespacing is supposed to work with keyrings.