
Add support for bearer token auth with Composer registries#28

Merged
JamieMagee merged 2 commits into dependabot:main from hype09:paik/composer-token-auth
Feb 9, 2026

Conversation


@hype09 hype09 commented Feb 7, 2026

This PR follows from the discussion at dependabot/dependabot-core#12946.

Some Composer registries, e.g. packages.shopware.com, only support Bearer authentication. Dependabot currently only supports Basic Auth.

I have added a token field to the credentials which takes precedence over basic auth when a token is set and not empty.

The added tests all run on my machine, and I have tested my changes using dependabot/cli with the following configuration:

# config.yml
job:
  package-manager: composer
  allowed-updates:
    - update-type: all
  source:
    provider: github
    repo: <my-repo>
    directory: /
credentials:
  - type: git_source
    host: github.com
    username: x-access-token
    password: $GITHUB_TOKEN

  - type: composer_repository
    registry: packages.shopware.com
    token: $SHOPWARE_TOKEN

I ran it with a locally built image of the proxy as follows:

#!/bin/bash
dependabot update \
    --proxy-image dependabot-proxy-local:dev \
    -f config.yml

The log output shows that authentication has worked for packages.shopware.com:

proxy | 2026/02/07 08:24:03 [012] GET https://packages.shopware.com:443/packages.json
proxy | 2026/02/07 08:24:03 [012] * authenticating composer registry request (host: packages.shopware.com)
proxy | 2026/02/07 08:24:06 [012] 200 https://packages.shopware.com:443/packages.json

Disclaimer: My experience with Go is somewhat limited, so if there are more idiomatic ways to solve things, I'd be happy to learn! Also, I've seen a few places in dependabot-core where Composer uses basic auth. I'm unsure if we should add token support there, too. If that's the case, I'd be happy to work on a PR.


@ahtizazhasnain-hue ahtizazhasnain-hue left a comment


Comment thread internal/handlers/composer.go Outdated
@@ -92,7 +94,11 @@ func (h *ComposerHandler) HandleRequest(req *http.Request, ctx *goproxy.ProxyCtx
}

logging.RequestLogf(ctx, "* authenticating composer registry request (host: %s)", req.URL.Hostname())
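Review bot: the `logging.RequestLogf(ctx, "* authenticating composer registry request (host: %s)", ...)` line records only the host, so a bearer-token attempt and a basic-auth attempt against the same registry are indistinguishable in the proxy log when a registry rejects credentials; log the auth method next to the host (for example `(host: %s, token auth)` versus `(host: %s, basic auth)`) while keeping the credential value itself out of the log.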

@JamieMagee JamieMagee (Member) Feb 8, 2026

The log message doesn't distinguish between bearer and basic auth. The NPM handler does this (host: %s, basic auth) vs (host: %s, token auth), and it's genuinely useful when debugging why a registry is rejecting credentials. Could you split the log line so it says which auth method is being used?

@hype09 (Contributor, Author)

Makes sense to me 👍

@JamieMagee (Member)

Thanks for this change! Other than the log message, this looks good.

> Also, I've seen a few places in dependabot-core where Composer uses basic auth. I'm unsure if we should add token support there, too. If that's the case, I'd be happy to work on a PR.

Nope, shouldn't be needed. The original architecture passed credentials directly to dependabot-core, but that hasn't been the case since the proxy came along. You can technically still pass credentials directly, but if you look at github/dependabot-action or dependabot/cli you'll see credentials go to the proxy and secrets are never exposed to dependabot-core.
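As an added illustration of the precedence rule described in the PR (a non-empty token selects Bearer auth, otherwise the username/password pair falls back to Basic) together with the per-method log label requested in review, here is example Go code that is not the proxy's own code: the Credential field names, the authenticate function and the constructed sample credential are assumptions for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Credential mirrors a composer_repository entry from the PR's config.yml (field names assumed).
type Credential struct {
	Type, Registry, Username, Password, Token string
}

// authMethod: a non-empty token wins ("token auth"); else username/password gives "basic auth"; else "".
func authMethod(c Credential) string {
	if strings.TrimSpace(c.Token) != "" {
		return "token auth"
	}
	if c.Username != "" || c.Password != "" {
		return "basic auth"
	}
	return ""
}

// authenticate applies the first composer_repository credential whose registry matches the
// request host and returns the method label (safe to log: it never contains the secret) or "".
func authenticate(req *http.Request, creds []Credential) string {
	host := req.URL.Hostname()
	for _, c := range creds {
		if c.Type != "composer_repository" || !strings.EqualFold(c.Registry, host) {
			continue
		}
		switch m := authMethod(c); m {
		case "token auth":
			req.Header.Set("Authorization", "Bearer "+strings.TrimSpace(c.Token))
			return m
		case "basic auth":
			req.SetBasicAuth(c.Username, c.Password)
			return m
		}
	}
	return ""
}

func main() {
	creds := []Credential{{Type: "composer_repository", Registry: "packages.shopware.com", Token: "placeholder-token"}} // constructed sample; placeholder secret
	req, _ := http.NewRequest(http.MethodGet, "https://packages.shopware.com:443/packages.json", nil)
	if m := authenticate(req, creds); m != "" {
		fmt.Printf("* authenticating composer registry request (host: %s, %s)\n", req.URL.Hostname(), m)
	}
}
```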

@JamieMagee JamieMagee merged commit 4aacc43 into dependabot:main Feb 9, 2026
90 checks passed
@hype09 hype09 deleted the paik/composer-token-auth branch February 9, 2026 22:33

hype09 commented Feb 10, 2026

I'm trying to get this running now, with the following config:

version: 2
registries:
  shopware-packages:
    type: composer-repository
    url: packages.shopware.com
    token: ${{secrets.SHOPWARE_TOKEN}}

But I'm getting the following error message:

The property '#/registries/shopware-packages/' of type object did not match one or more of the required schemas

I couldn't find where the schema for the config is defined. Do we need to update it, too, to support token?

Or is perhaps my config wrong? :D


jumoog commented Feb 10, 2026

I don't think it will be deployed immediately.


hype09 commented Feb 19, 2026

I think the issue I am encountering is not because of deployment, but rather some config validation step?

registries:
  shopware-packages:
    type: composer-repository
    url: packages.shopware.com
    token: ${{secrets.SHOPWARE_TOKEN}}

See the screenshot below:

[screenshot not reproduced]

Do you know if there's a schema defined somewhere that is used for validation?


JamieMagee commented Feb 19, 2026

@hype09 @jumoog There were some internal changes required to update the schema validation. I am deploying the changes now.


4 participants