Support basic auth in package-indices

[brandon-leapyear]

Please follow the steps below for reporting a bug:

Make sure that you are using the latest release (currently stack-2.5.1).
See the upgrade instructions to upgrade.

Please use the following schema for your bug report:

General summary/comments (optional)

We're trying to set up a company internal proxy for Hackage, so we're trying to set download-prefix in package-indices to https://username:[email protected].

TL;DR pantry's get function in Hackage.Security.Client.Repository.HttpLib.HttpClient

Steps to reproduce

Specify a URL in download-prefix with username/password. rm -rf stack.yaml.lock. When running stack build, check network traces and notice that username/password isn't being propagated.

Expected

It should download files from our proxy with user credentials

Actual

First problem: we get an error about root.json:

Could not deserialize <repo>/root.json: Schema error: Expected field "signed"

which is weird because if we curl the URL, we load root.json fine. With some debug statements, we found out that our proxy is actually returning a JSON object saying Authentication is required. This ticket is filed here: haskell/hackage-security#251

So after debugging the first issue, we find out that stack is somehow not propagating the basic auth credentials. Then I printed out uri in Hackage.Security.Client.Repository.Remote.getFile.download and it shows the URI with the basic auth credentials, so up to that point it keeps the basic auth around. But then it calls httpGet which pantry implements in its own implementation of Hackage.Security.Client.Repository.HttpLib.HttpClient, and there it calls setRequestHeaders, which seems to override the Authorization header set in setUri.

Stack version

Built from master

Method of installation

• Official binary, downloaded from stackage.org or fpcomplete's package repository
• Via cabal-install
• An unofficial package repository (please specify which)
• Other (please specify)

[brandon-leapyear]

✨ This is an old work account. Please reference @brandonchinn178 for all future communication ✨

---

Technically, the bug is in hackage-security/pantry, so I could cross post the issue, if you'd like. Regardless, I'll put up a PR

[brandon-leapyear]

✨ _**This is an old work account. Please reference @brandonchinn178 for all future communication**_ ✨ <!-- updated by mention_personal_account_in_comments.py -->

…

--- @snoyberg maybe this should stay open until Stack uses the new version of pantry?

On Thu, Mar 25, 2021, 9:41 PM Michael Snoyman ***@***.***> wrote: Closed #5509 <#5509> via commercialhaskell/pantry#32 <commercialhaskell/pantry#32>. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#5509 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AGUC75KSIRXJE5S33DZ5FF3TFQM7TANCNFSM4ZYJPITA> .

[snoyberg]

I just opened a PR #5510. Note that I didn't intentionally close this issue, looks like it was triggered by merging that PR.

[brandon-leapyear]

✨ This is an old work account. Please reference @brandonchinn178 for all future communication ✨

---

Yeah, I figured. No worries!