uv: uv pip install resulting in 401 Unauthorized with private index url
I am trying to use uv pip install with a private repository, and I am getting (401 Unauthorized errors). The same URL works completely fine with native pip, i.e. if I just remove the “uv”.
I cannot share the real URL, but there might be characters which might be raising some issues (like ‘@’), so here is a pseudo-example:
uv pip install privatepackage --index-url https://not_real@fake.com:fake_key@fake.aa.bb/path1/path2/path3/path4/path5
My current uv version is 0.1.5, and the Python env is 3.8.
About this issue
- Original URL
- State: closed
- Created 4 months ago
- Comments: 33 (13 by maintainers)
Commits related to this issue
- Ensure authentication is passed from the index url to distribution files (#1886) Closes https://github.com/astral-sh/uv/issues/1709 Closes https://github.com/astral-sh/uv/issues/1371 Tested with ... — committed to astral-sh/uv by zanieb 4 months ago
- Retain authentication when making range requests (#1902) Needs https://github.com/prefix-dev/async_http_range_reader/pull/9 Closes https://github.com/astral-sh/uv/issues/1709 — committed to astral-sh/uv by zanieb 4 months ago
@zanieb Here a standalone setup to reproduce with simple PEP 503 index and Basic Authentication.
In some folder create,
index.html
/non-existing-package/index.html
and create this fake package with
then run with node,
to get a server with basic auth.
Running uv,
fails with,
So the problem is that this simple API returns absolute URLs for package versions, and the access token is no longer part of the URL hence the 401 error. It works if the URLs are relative.
I’m not sure for other hosting services but Gitlab packages, does return such absolute URLs and consequently fail.
Unless I’m mistaken, the corresponding logic in pip is here https://github.com/pypa/pip/blob/b647ed5782e1fc5627e5e18a036130fea0b413e6/src/pip/_internal/network/auth.py#L404 to account for the fact that the package URL for a private index may not contain credentials.
Thanks for fixing it so fast ! Nice to see this projet moving forward as swiftly as it does !
These are some high-quality comments, thanks @rth.
I have the same problem. I’m using a jfrog repo. The index url looks like:
I confirm #1902 fixes the issue for JFrog!
Thanks for the (extremely quick!!!) response! I’m sorry, but I can’t share more details about the private index.
If it might be helpful, I explicitly mentioned the @ character because some of our developers had problems in the past due to ‘@’ being converted into ‘%40’ at some point depending on the setup, and I see this happening during the
uv_client::html::parsestage in verbose mode.After having installed
uv 0.1.9, I still have a403 Forbiddenissue when trying touv pip installa package hosted on a private artifactory repository.[EDIT] My bad, https://github.com/astral-sh/uv/pull/1902 is not part of
uv 0.1.9, waiting for the next release 😇I just checked out #1902 and I can confirm it now works for GitLab for me
fingers crossed! FWIW same issue on gitlab pypi registry (at uv 0.1.9, after cleaning the cache).
We’ve identified this as a problem preserving authorization headers in streamed range requests.
https://github.com/astral-sh/uv/pull/1902 should resolve this.
Trial JFrog account here I come