Do not search for a password for requests with a token attached already (#15772)

zanieb · web-flow · commit b2c59a8ace9b · 2025-09-10T13:52:09.000-05:00
diff --git a/crates/uv-auth/src/cache.rs b/crates/uv-auth/src/cache.rs
@@ -148,8 +148,8 @@ impl CredentialsCache {
 
         let mut realms = self.realms.write().unwrap();
 
-        // Always replace existing entries if we have a password
-        if credentials.password().is_some() {
+        // Always replace existing entries if we have a password or token
+        if credentials.is_authenticated() {
             return realms.insert(key, credentials.clone());
         }
 
diff --git a/crates/uv-auth/src/credentials.rs b/crates/uv-auth/src/credentials.rs
@@ -141,6 +141,16 @@ impl Credentials {
         }
     }
 
+    pub fn is_authenticated(&self) -> bool {
+        match self {
+            Self::Basic {
+                username: _,
+                password,
+            } => password.is_some(),
+            Self::Bearer { token } => !token.is_empty(),
+        }
+    }
+
     pub(crate) fn is_empty(&self) -> bool {
         match self {
             Self::Basic { username, password } => username.is_none() && password.is_none(),
diff --git a/crates/uv-auth/src/middleware.rs b/crates/uv-auth/src/middleware.rs
@@ -328,7 +328,7 @@ impl Middleware for AuthMiddleware {
                 request = credentials.authenticate(request);
 
                 // If it's fully authenticated, finish the request
-                if credentials.password().is_some() {
+                if credentials.is_authenticated() {
                     trace!("Request for {url} is fully authenticated");
                     return self
                         .complete_request(None, request, extensions, next, auth_policy)
@@ -420,7 +420,7 @@ impl Middleware for AuthMiddleware {
         .or(credentials);
 
         if let Some(credentials) = credentials.as_ref() {
-            if credentials.password().is_some() {
+            if credentials.is_authenticated() {
                 trace!("Retrying request for {url} with credentials from cache {credentials:?}");
                 retry_request = credentials.authenticate(retry_request);
                 return self
@@ -529,7 +529,7 @@ impl AuthMiddleware {
         let credentials = Arc::new(credentials);
 
         // If there's a password, send the request and cache
-        if credentials.password().is_some() {
+        if credentials.is_authenticated() {
             trace!("Request for {url} already contains username and password");
             return self
                 .complete_request(Some(credentials), request, extensions, next, auth_policy)

Original file line number	Diff line number	Diff line change
`@@ -148,8 +148,8 @@ impl CredentialsCache {`
`148`	`148`
`149`	`149`	`let mut realms = self.realms.write().unwrap();`
`150`	`150`
`151`		`- // Always replace existing entries if we have a password`
`152`		`- if credentials.password().is_some() {`
	`151`	`+ // Always replace existing entries if we have a password or token`
	`152`	`+ if credentials.is_authenticated() {`
`153`	`153`	`return realms.insert(key, credentials.clone());`
`154`	`154`	`}`
`155`	`155`