Authentication
How it works
We use a custom NGINX image that embeds the auth_request_module.
Every request that reaches NGINX triggers a sub-request to a dedicated Flask app running in a container next to NGINX. That app decides whether the original request is authorized: a 2xx answer to the sub-request lets NGINX serve the request, a 401 or 403 rejects it.
The authentication scheme is HTTP Basic Auth, which is what pip uses when credentials are embedded in an index URL.
Source of truth
Usernames and passwords are stored in the spice cloud database that holds the user data. This database is currently hosted at Scaleway as a managed Postgres instance.
The Flask app compares the password presented in the request with the (encrypted) password stored in this source of truth.
Why encryption instead of hashing
Passwords are stored in their table encrypted with AES-256. We chose reversible encryption (2-way) over hashing (1-way) because we need to retrieve the actual password value to show it to users when they read the Installation part of the documentation. The cost of this choice is that anyone who obtains both the table and the encryption key recovers every password in clear, so the key must be kept outside the database (with the Flask app, never in Postgres), the decrypted value must be compared in constant time, and neither the key nor the decrypted passwords may end up in logs.
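The decision the Flask app has to make for each sub-request, written out as an added example (this is not the project's code). It uses the standard library only so it runs on its own; a Flask route would simply call authorize() with request.headers. The AES-256 decryption of the stored column is stood in for by a constructed in-memory table of already-decrypted values, and the user name alice and its password are made up. The NGINX fragment in the docstring is illustrative, not the actual image configuration.

```python
"""Authorization sub-request handler in the shape NGINX auth_request expects.

Illustrative NGINX side (not the project's real config):
    location / {
        auth_request /_auth;
        # forward the challenge from the auth app so clients see a proper 401
        auth_request_set $auth_challenge $upstream_http_www_authenticate;
        add_header WWW-Authenticate $auth_challenge always;
        ...
    }
    location = /_auth {
        internal;
        proxy_pass http://auth:5000/;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
    }
"""
import base64
import binascii
import hmac
from typing import Dict, Mapping, Optional, Tuple

REALM = "pypi.nibble.ai"

# Constructed stand-in for the source of truth. In the real service this is
# what comes back from decrypting the AES-256 column with a key that lives
# with the auth app, not in the database.
_PLAINTEXT_CREDENTIALS: Dict[str, str] = {
    "alice": "s3cret-token",  # made-up user and password
}


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an 'Authorization: Basic ...' header, or None."""
    if not header:
        return None
    scheme, _, encoded = header.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:  # RFC 7617 requires the colon even for an empty password
        return None
    return user, password


def lookup_password(user: str) -> Optional[str]:
    """Fetch the decrypted password for a user; None when the user is unknown."""
    return _PLAINTEXT_CREDENTIALS.get(user)


def credentials_valid(user: str, password: str) -> bool:
    """Constant-time check; unknown users still go through a comparison so the
    response time does not reveal which user names exist."""
    stored = lookup_password(user)
    candidate = stored if stored is not None else ""
    match = hmac.compare_digest(candidate.encode("utf-8"), password.encode("utf-8"))
    return match and stored is not None


def authorize(headers: Mapping[str, str]) -> Tuple[int, Dict[str, str]]:
    """Map request headers to the sub-request result: 200 allows, 401 denies."""
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is not None and credentials_valid(*creds):
        return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def application(environ, start_response):
    """Minimal WSGI entry point (serves with wsgiref); a Flask view would do the same."""
    status, extra = authorize({"Authorization": environ.get("HTTP_AUTHORIZATION", "")})
    reason = {200: "OK", 401: "Unauthorized"}[status]
    start_response(f"{status} {reason}", list(extra.items()) + [("Content-Length", "0")])
    return [b""]
```

NGINX only looks at the status code of the sub-request, so the body stays empty; the WWW-Authenticate header is returned so that, once NGINX copies it onto the 401, clients that were given no credentials receive a well-formed challenge instead of a bare error.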
Usage
To get their credentials, users must visit this URL.
Credentials can be used this way:
$ pip install spice --extra-index-url https://{user}:{password}@pypi.nibble.ai/simple
Alternative usages
It is also possible to declare the URL of our private package index implicitly, instead of passing --extra-index-url on every pip call:
- By setting the PIP_EXTRA_INDEX_URL environment variable:
$ export PIP_EXTRA_INDEX_URL="https://user:passwd@pypi.nibble.ai/simple"
- By creating a file ~/.pip/pip.conf holding the following content (no quotes around the value, pip reads them literally):
[global]
extra-index-url = https://user:passwd@pypi.nibble.ai/simple
Be careful to use these solutions only in trusted environments, since the URL contains the HTTP Basic Auth credentials in clear: an environment variable is visible to every process running as that user, and the config file sits in plaintext on disk.
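Two small helpers for the credential-in-URL usage above, added here as an example (not part of the original page or the project). Passwords that contain URL-reserved characters such as ':', '@', '/', '#' or '?' must be percent-encoded in the userinfo part, otherwise pip mis-parses the URL; and any copy of the URL that is logged or printed should have the password removed first. The host and path are the page's own; the user name and password are made up.

```python
"""Build an index URL carrying Basic Auth credentials, and redact it for logs."""
from urllib.parse import quote, urlsplit, urlunsplit

INDEX = "https://pypi.nibble.ai/simple"


def index_url_with_credentials(user: str, password: str, index: str = INDEX) -> str:
    """Percent-encode user and password (safe='' so ':' '@' '/' are encoded too)."""
    parts = urlsplit(index)
    userinfo = f"{quote(user, safe='')}:{quote(password, safe='')}"
    return urlunsplit((parts.scheme, f"{userinfo}@{parts.netloc}",
                       parts.path, parts.query, parts.fragment))


def redact_credentials(url: str) -> str:
    """Replace the password with '***' before the URL goes into a log line."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    netloc = f"{parts.username or ''}:***@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
```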