Add host and username/password support to cargo registry handler by brettfo · Pull Request #140 · dependabot/proxy

brettfo · 2026-06-10T18:18:13Z

The cargo handler previously only accepted url and token credential values. This adds support for:

host as an alternative to url for matching requests (using helpers.CheckHost)
username/password as an alternative to token for authentication (sets Basic auth)

When both token and username/password are provided, token takes precedence. Credentials with neither url nor host are rejected with a warning.

Modeled after the NuGet feed handler's approach to dynamically handling these credential variants.

Tests added

Host-only matching with token auth
URL matching with username/password (basic auth)
Host matching with username/password (basic auth)
Token precedence over password
Rejection of credentials with no url or host

The cargo handler now accepts 'host' as an alternative to 'url' for matching requests, and 'username'/'password' as an alternative to 'token' for authentication (using basic auth). Token takes precedence when both are present. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot

Pull request overview

This PR extends the Cargo registry request handler to support additional credential shapes, enabling request matching by host (as an alternative to url) and authentication via username/password (Basic auth) as an alternative to a raw token, aligning behavior with other registry/feed handlers in this proxy.

Changes:

Extend cargo registry credential parsing to accept host, username, and password, while keeping token-first precedence.
Update request matching to allow host-based matching in addition to URL-based matching.
Add unit tests covering host-only matching, Basic auth behavior, token precedence, and ignoring credentials missing both url and host.

Show a summary per file

File	Description
internal/handlers/cargo_registry.go	Adds host-based matching and username/password authentication support for cargo registry requests.
internal/handlers/cargo_registry_test.go	Adds tests for host matching, Basic auth, token precedence, and rejecting incomplete credentials.

Copilot's findings

Files reviewed: 2/2 changed files
Comments generated: 2

 	for _, cred := range h.credentials {
-		if !helpers.UrlMatchesRequest(req, cred.url, true) {
+		if !helpers.UrlMatchesRequest(req, cred.url, true) && !helpers.CheckHost(req, cred.host) {
 			continue
 		}


- Only use host-based matching when url is not set, preventing credential leakage to unrelated paths on the same host - Update warning message to mention both token and password - Add regression test for url+host scoping behavior Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- Only assign host to credential struct when url is empty (clearer intent) - Update warning to say 'missing token or username/password' - Use more realistic org-scoped paths in regression test Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

brettfo requested a review from a team as a code owner June 10, 2026 18:18

Copilot AI review requested due to automatic review settings June 10, 2026 18:18

Copilot started reviewing on behalf of brettfo June 10, 2026 18:18 View session

Copilot AI reviewed Jun 10, 2026

View reviewed changes