Add extra headers option to enhance HTTP requests #8030
Users can supply `--extra-headers='{...}'` option to pip commands that enhances the PipSession object with custom headers. This enables use of private PyPI servers that use token-based authentication.

Example:

```
pip install \
  --extra-headers='{"Authorization": "..."}' \
  --index-url https://secure.pypi.example.com/simple \
  --trusted-host secure.pypi.example.com \
  fizz==1.2.3
```
@@ -335,6 +335,17 @@ def exists_action(): | |||
) # type: Callable[..., Option] | |||
|
|||
|
|||
def extra_headers(): |
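Review bot: at `def extra_headers():`, the option this factory defines takes header values on the command line, and the example in the PR description passes an `Authorization` value that way, so the token lands in shell history and is visible in the process list. The help text for this option should point users at pip's configuration-file or environment-variable form for secret values, and the header values should be kept out of verbose and debug output.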
You need to add it to the `install` and `download` (and to probably more ones that I don't remember) CLI. You should add it as a req file option.
thanks for the hints, I wasn't quite sure where to drop this code.
Would it be okay to put it in the `general_group`?
Forgive my ignorance, but what do you mean "You should add it as a req file option"?
For the req file: see SUPPORTED_VERSIONS in req_file.py.
About the general: it does not make sense, as there are pip commands which do not make any requests at all. You can add it to the install cmd, download cmd, etc...
I like the idea, but definitely don’t agree with the syntax. A syntax more similar to cURL’s
Does this create a risk of sending extra headers to unwanted hosts? I'm thinking of cases where there are multiple indexes, --find-links, direct urls. Should there be a mechanism to associate additional headers to specific hosts?
I can update the syntax to be more like cURL's for sure. I may need guidance on how to add it to the CLI, but I'll take a whack at it.
Yes that is probably a valid concern—I'm not an expert on pip's internals, so I'm not sure how safeguarding against that would work. Would restricting In my use case, I have some code that sets up a private PyPI index on AWS that uses API Gateway to front an S3 bucket, where I keep my pips. I can secure it with some custom code to implement Basic Auth, but I want to use AWS' built-in Cognito. Of course in order to do that I'd need to pass an Authorizer token in the header. Since I expect to be using a combination of public and private pips, I might set up a
And that way I'm only ever sending the auth token to my private index (I think!).
One other option to address this use case would be to use a local unauthenticated proxy to the authenticated backend. Having to start the proxy before using pip is inconvenient, conceded, but it gives you much greater control over precisely what you send, as well as likely supporting a much greater range of situations. You could even write a small wrapper script:
if you don't want the overhead/admin/risk of having a proxy running any longer than necessary. Having said all of this, I don't object to the original idea, I just wonder how complex it could become (different headers for different indexes, etc.)
A companion option like
puts on release manager hat To set expectations early, this is definitely not going to be on pip 20.1 release, since there's definitely a lot of discussion needed here and this is basically a PR for adding a new feature to pip. takes off release manager hat
What about hosts that want different headers, due to different
@pradyunsg that sounds perfectly reasonable. I think all the feedback on this PR is definitely warranted & I appreciate the discussion! Maybe I should close this PR and open an issue where different implementation options can be discussed. Sound good?
That sounds great!
Pushed discussion to #8042
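The concern raised in this thread (session-wide extra headers reaching other indexes, `--find-links` locations and direct URLs) and the suggestion of tying headers to specific hosts, sketched as an added example; it is not code from this PR or from pip. The names `SCOPED_HEADERS`, `origin_of`, `headers_for` and `would_leak`, and all URLs and the token value, are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed configuration: headers are bound to an exact (scheme, host, port)
# origin instead of being set once on the whole session.
SCOPED_HEADERS = {
    ("https", "secure.pypi.example.com", 443): {"Authorization": "Bearer PLACEHOLDER"},
}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for url, or None if it cannot be parsed safely."""
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        host = parts.hostname  # lowercased, with any user:pass@ prefix removed
        if scheme not in DEFAULT_PORTS or not host:
            return None
        port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    except ValueError:  # malformed or out-of-range port, bad IPv6 literal
        return None
    return (scheme, host, port)


def headers_for(url, scoped=SCOPED_HEADERS):
    """Headers to attach to one request; call again for every redirect hop."""
    return dict(scoped.get(origin_of(url), {}))


def would_leak(urls, scoped=SCOPED_HEADERS):
    """URLs that a session-wide header dict would also have sent the token to."""
    return [u for u in urls if origin_of(u) not in scoped]


if __name__ == "__main__":
    # Constructed sample of the URLs one install might touch.
    sample = [
        "https://secure.pypi.example.com/simple/fizz/",      # private index
        "https://pypi.org/simple/fizz/",                     # second index
        "https://files.example.net/wheels/",                 # find-links location
        "http://secure.pypi.example.com/simple/fizz/",       # same host, cleartext
        "https://secure.pypi.example.com@files.example.net/",  # userinfo lookalike
    ]
    for url in sample:
        print(url, "->", sorted(headers_for(url)))
    print("session-wide headers would also reach:", would_leak(sample))
```

Matching on the parsed origin rather than a substring of the URL is what rejects the cleartext, alternate-port and lookalike cases.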