Paket Push to VSTS returns (401) Unauthorized

[varon]

Description

I'm attempting to migrate my packages out of my TeamCity server onto a Visual Studio Team Services package feed.

Documentation is pretty sparse, and I'm pretty lost as to how to correctly authenticate here.

I've ensured the feed (Test2) exists and that my account has permissions. I then created a new personal access token with full permissions.

Repro steps

1. Add credentials for the NuGet Feed

> ./paket.exe config add-credentials https://placeholder.pkgs.visualstudio.com/_packaging/Test2/nuget/v2
Paket version 3.29.1
Username: placeholder
Password: ************

Here the password is my personal access token created above.

I can confirm that after step 1, I have a valid paket.config file in the expected location.

2. Push a package to VSTS

./paket.exe -v push apikey VSTS file placeholder.nupkg url https://placeholder.pkgs.visualstudio.com/_packaging/Test2/nuget/v2

According to VSTS documentation, the api key can be any non-empty string.

Expected behavior

I would expect it to authorize correctly, or provide some information about WHY it failed to authorize.

Actual behavior

A (401) Unauthorized error is received.

Could not push placeholder.nupkg: The remote server returned an error: (401) Unauthorized.

Known workarounds

None

[Stift]

I cannot give an answer but I made some observations:

1. You use the v2 endpoint. When you want to authenticate to that you may have to follow these instructions: https://www.visualstudio.com/en-us/docs/package/nuget/nuget-2x (see also at the end of that page)
2. You should be able to use the v3 endpoint: https://placeholder.pkgs.visualstudio.com/_packaging/Test2/nuget/v3/index.json

Regarding the first point, I assume that paket detects this as a v2 source and doesn't use the credentials. Unfortunately my subscription does not support packages currently.

[varon]

Thanks, @Stift. I wasn't sure of whether or not Paket supported the v3 API yet.

I'll give this a bash and report back.

[varon]

@Stift

1. I've carefully read that page, was, and am still currently trying to use a personal access token.
2. I deleted my credentials file, and repeated the above steps, replacing /v2 with v3/index.json. No luck, same error.

[Stift]

Ok. I just managed to setup pkg management on my subscription.

I think this gets very complicated.
I was only able to push sth with the nuget.exe when I setup the alternate authentication method or the PAT method (my account has 2FA enabled, and I cannot use the credentials directly). nuget.exe downgrades the request to a v2 request magically.

The following matrix we have to investigate whether we cover these with paket completely:

Method	v2	v3
Credentials	N/A	N/A
Credentials with 2FA	N/A (should not work)	N/A (should not work)
Personal Access Token	N/A	N/A
Alternate authentication Method	N/A	N/A

As I have also problems with add the investigation has to be extended to other commands as well. I'll try to look into this the next days, but it's some work.

[varon]

@Stift Thanks man! That's an incredibly helpful matrix.

I'm happy to help out investigating, as this is very high priority to get running. Is there any way to get more informative output?

[Stift]

You can use the --verbose switch to see more.
I currently just investigated the nuget.exe to understand how it should work, and tried to forge a workflow with paket. Maybe everything is working and we just have to update some documentation.
If you want to investigate I normally start paket in debug mode (latest master via VS) and try to reach the point where it fails to see where it can be improved or what has to be fixed.

[varon]

Looks like I've made some progress!
It seems as though the push operation only includes the API key, and doesn't actually include any authorization headers. Manually adding them at the source code got past the 401.

As soon as I've figured out the endpoint values, I'll PR the fix in.