Currently, cargo will always send an unauthenticated request to a private registry to initially fetch the config.json. However, there is no deterministic behavior for how a private registry responds to an unauthenticated request. Artifactory sometimes responds with a 403 error. Other systems may respond with a 404 to avoid revealing to unauthenticated users that the page exists.
Problem: security
Current workarounds go in the direction of lowering the security of a private registry by allowing anonymous access.
Problem: usability
For me as a user, it is very difficult to understand why I get these error messages even though I am using correct credentials.
If I am not able to change the behavior of the registry, I must download the config.json and place it into the cache manually.
Steps
see issue 13574
Possible Solution(s)
Don't send unauthenticated requests when authentication is already configured for a private repository.
Notes
No response
Version
cargo 1.82.0
release: 1.82.0
host: aarch64-apple-darwin
libgit2: 1.8.3 (sys:0.19.0 system)
libcurl: 8.7.1 (sys:0.4.74+curl-8.9.0 system ssl:(SecureTransport) LibreSSL/3.3.6)
os: Mac OS 14.7.2 [64-bit]
If the registry wishes to prevent users from determining whether a name exists or not, it should respond with HTTP 401 for all registry names, regardless of whether they exist or not.
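The 401-for-all-names behaviour suggested in the comment above, next to the 403/404 behaviour described in the issue, as an added example that is not part of this thread and is not code from Cargo or from any registry product. The function names, the token and the index paths are hypothetical, and `authorization` stands for the credential value presented with the request.

```rust
use std::collections::HashSet;

// Constructed sample data: the token and index paths are placeholders.
const VALID_TOKEN: &str = "example-token";

fn known_paths() -> HashSet<&'static str> {
    HashSet::from(["/index/config.json", "/index/my/-p/my-private-crate"])
}

// Compare without an early exit so timing does not reveal a matching prefix.
fn token_matches(presented: &str, expected: &str) -> bool {
    let (a, b) = (presented.as_bytes(), expected.as_bytes());
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

fn authenticated(authorization: Option<&str>) -> bool {
    authorization.map_or(false, |t| token_matches(t, VALID_TOKEN))
}

// Weak: the path is looked up before authentication, so an anonymous caller
// sees 403 for names that exist and 404 for names that do not.
pub fn respond_leaky(path: &str, authorization: Option<&str>) -> u16 {
    if !known_paths().contains(path) {
        return 404;
    }
    if authenticated(authorization) { 200 } else { 403 }
}

// Corrected: authentication is decided first, so every anonymous or
// wrongly authenticated request gets 401 whether or not the path exists.
pub fn respond_uniform(path: &str, authorization: Option<&str>) -> u16 {
    if !authenticated(authorization) {
        return 401;
    }
    if known_paths().contains(path) { 200 } else { 404 }
}

fn main() {
    for path in ["/index/config.json", "/index/no/-s/no-such-crate"] {
        let (leaky, uniform) = (respond_leaky(path, None), respond_uniform(path, None));
        println!("{}: leaky={} uniform={}", path, leaky, uniform);
    }
}
```

With the uniform variant, an anonymous client cannot distinguish existing from missing names, and a 404 is only ever returned to a caller who has already authenticated.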
Problem
Please reopen and fix issue #13574