Auto merge of #11952 - ehuss:check-token-publish, r=weihanglo

Validate token on publish.

The `publish` path was not validating the token like the other API routes were (like owner, or yank). This does not appear to be intentional from what I can tell. This consolidates the relevant code so that it is shared with all the API calls.

cc #11600

Closes #11571

Author: bors

crates/crates-io/lib.rs

@@ -219,6 +219,15 @@ impl Registry {
         self.token = token;
     }
 
+    fn token(&self) -> Result<&str> {
+        let token = match self.token.as_ref() {
+            Some(s) => s,
+            None => bail!("no upload token found, please run `cargo login`"),
+        };
+        check_token(token)?;
+        Ok(token)
+    }
+
     pub fn host(&self) -> &str {
         &self.host
     }
@@ -278,16 +287,12 @@ impl Registry {
 
         let url = format!("{}/api/v1/crates/new", self.host);
 
-        let token = match self.token.as_ref() {
-            Some(s) => s,
-            None => bail!("no upload token found, please run `cargo login`"),
-        };
         self.handle.put(true)?;
         self.handle.url(&url)?;
         self.handle.in_filesize(size as u64)?;
         let mut headers = List::new();
         headers.append("Accept: application/json")?;
-        headers.append(&format!("Authorization: {}", token))?;
+        headers.append(&format!("Authorization: {}", self.token()?))?;
         self.handle.http_headers(headers)?;
 
         let started = Instant::now();
@@ -390,12 +395,7 @@ impl Registry {
         headers.append("Content-Type: application/json")?;
 
         if self.auth_required || authorized == Auth::Authorized {
-            let token = match self.token.as_ref() {
-                Some(s) => s,
-                None => bail!("no upload token found, please run `cargo login`"),
-            };
-            check_token(token)?;
-            headers.append(&format!("Authorization: {}", token))?;
+            headers.append(&format!("Authorization: {}", self.token()?))?;
         }
         self.handle.http_headers(headers)?;
         match body {

tests/testsuite/publish.rs

@@ -2908,3 +2908,44 @@ You may press ctrl-c to skip waiting; the crate should be available shortly.
 
     p.cargo("check").with_status(0).run();
 }
+
+#[cargo_test]
+fn invalid_token() {
+    // Checks publish behavior with an invalid token.
+    let registry = RegistryBuilder::new().http_api().http_index().build();
+
+    let p = project()
+        .file(
+            "Cargo.toml",
+            r#"
+                [package]
+                name = "foo"
+                version = "0.0.1"
+                authors = []
+                license = "MIT"
+                description = "foo"
+                documentation = "foo"
+            "#,
+        )
+        .file("src/main.rs", "fn main() {}")
+        .build();
+
+    p.cargo("publish --no-verify")
+        .replace_crates_io(registry.index_url())
+        .env("CARGO_REGISTRY_TOKEN", "\x16")
+        .with_stderr(
+            "\
+[UPDATING] crates.io index
+[PACKAGING] foo v0.0.1 ([ROOT]/foo)
+[PACKAGED] 4 files, [..]
+[UPLOADING] foo v0.0.1 ([ROOT]/foo)
+error: failed to publish to registry at http://127.0.0.1:[..]/
+
+Caused by:
+  token contains invalid characters.
+  Only printable ISO-8859-1 characters are allowed as it is sent in a HTTPS header.
+",
+        )
+        .with_status(101)
+        .run();
+}