fix(crates-io): list owner request unauthorized

[nathanhammond]

Problem

list_owners calls self.get:

cargo/crates/crates-io/lib.rs

Lines 259 to 262 in 113761f

	pub fn list_owners(&mut self, krate: &str) -> Result<Vec<User>> {
	let body = self.get(&format!("/crates/{}/owners", krate))?;
	Ok(serde_json::from_str::<Users>(&body)?.users)
	}

Which, surprisingly, is configured to send Auth::Authorized:

cargo/crates/crates-io/lib.rs

Lines 377 to 380 in 113761f

	fn get(&mut self, path: &str) -> Result<String> {
	self.handle.get(true)?;
	self.req(path, None, Auth::Authorized)
	}

But the endpoint does not require auth:
https://crates.io/api/v1/crates/serde/owners

Important note: list_owners is the only one that actually calls .get.

Part of #16007

[rustbot]

r? @epage

rustbot has assigned @epage.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

[weihanglo]

Thanks for the contribution!

Can we add a test for cargo owner --list demonstrating the problematic behavior? The test should pass in a standalone commit.

The second commit will contain both the fix and the test change diff, which the diff shows the behavior change.

[nathanhammond]

This PR isn't priority for me; I just noticed the issue while reading the code. Determining how to add a test for a presently untested code path is well beyond the investment I have in this getting fixed.

[weihanglo]

That is understandable. Just call that out that this PR doesn't fix #16007 because of #16008 (comment)

[weihanglo]

cargo/src/cargo/ops/registry/owner.rs

Lines 39 to 46 in 113761f

	let (mut registry, _) = super::registry(
	gctx,
	&source_ids,
	opts.token.as_ref().map(Secret::as_deref),
	opts.reg_or_index.as_ref(),
	true,
	Some(operation),
	)?;

This code path super::registry still requires a token. This may need a bit more refactor

[nathanhammond]

Nope, there is only a single instance in the entire codebase of something delegating to get. add_owners delegates to put which includes the authorization.

get is private, and list_owners is the only thing that calls it.

[weihanglo]

The code path I shown above unconditionally called before hitting get even for cargo owner --list. Granted, this PR standalone is good enough for fixing the issue in the crates-io crate.

[nathanhammond]

I just saw the token_required bit and how the read is being conflated with the owners add/remove operation.

I've caught up to you now. It's only the "back half" of the fix, and assumes that we don't throw a TokenMissing when we create the registry.

Thanks for your patience. ❤️ (Sorry, not an expert in this codebase, but you already knew that. 😜)

[weihanglo]

I am fine merging this as-is. Let me edit the title a bit to reflect that.

[epage]

See #16007

[epage]

Part of #16007

What would be left after this PR for that issue?

[epage]

Ah, my answer is in #16007 (comment)