Support credentials in configuration for private PyPI

[prokopst]

Right now credentials for index-url in the configuration are stored in the url itself. I propose to somehow support credentials directly (or explicitly) in the configuration for private PyPIs because of following reasons:

1. Right now credentials are leaked on multiple places. With this configuration:

[global]
index-url = https://thisis:[email protected]/simple
[search]
index = https://thisis:[email protected]/pypi

pip install --help shows:

Package Index Options (including deprecated options):
-i, --index-url Base URL of Python Package Index (default https://thisis:[email protected]/simple). This should point to a repository compliant with PEP 503 (the simple repository API) or a local directory laid out in the same format.

pip search --help shows:

Search Options:
-i, --index Base URL of Python Package Index (default https://thisis:[email protected]/pypi)

2. With more exotic characters in the password it's not possible to use credentials in url at all:

[global]
index-url = https://username:pass/@[email protected]/simple
[search]
index = https://username:pass/@[email protected]/pypi

3. AFAIK NuGet, mvn and npm support explicit auth since it's a good practice.

[zmt]

Also see #4475.

[chrahunt]

The situation is slightly better if using ~/.netrc e.g.

machine pypi.python.org
login username
password pass/@word

However netrc does not support spaces in the username or password fields. This would be fixed by python/cpython#127.

[cjerdonek]

Independent of adding separate fields for the credentials, the passwords should not be leaking. PR #5773 (now merged) should help with addressing that issue: #5773

[cjerdonek]

2. With more exotic characters in the password it's not possible to use credentials in url at all:

Regarding (2), have you tried percent-encoding the username and password prior to including it in the URL (e.g. using Python 3's urllib.parse.quote()? On inspection, it looks like this should already be working in the currently released pip. If not, it would be good to know for sure. You can see that pip is unquoting these values in the download code here:

pip/src/pip/_internal/download.py

Lines 218 to 222 in 4ccea7e

	userinfo = netloc.rsplit("@", 1)[0]
	if ":" in userinfo:
	user, pwd = userinfo.split(":", 1)
	return (urllib_unquote(user), urllib_unquote(pwd))
	return urllib_unquote(userinfo), None

[chrahunt]

The best proposal we have for an improvement in this area right now is #4263, so I will close this issue in favor of that one.

As mentioned by @cjerdonek, there should be no credentials leaking in log output or otherwise. If anyone is seeing this, please check for and file if issue if not already present.