Authentication

This page lists the credential configuration that the sysand client supports for HTTP(S) indexes and project downloads.

For the conceptual overview, see Authentication. To create a Sysand Index API token, see Create an API token.

Credential environment variables

HTTP credentials are configured through environment variables whose names share one arbitrary suffix <X>.

Basic authentication:

SYSAND_CRED_<X>=<PATTERN>
SYSAND_CRED_<X>_BASIC_USER=<USER>
SYSAND_CRED_<X>_BASIC_PASS=<PASSWORD>

Bearer token authentication:

SYSAND_CRED_<X>=<PATTERN>
SYSAND_CRED_<X>_BEARER_TOKEN=<TOKEN>

<PATTERN> is a URL glob pattern. <X> is only a label that connects the URL pattern to its credential values.

URL glob matching

Sysand uses URL glob patterns with literal path separators:

Pattern syntax    Meaning
?                 Matches any single character except /.
*                 Matches any sequence of characters that does not contain /.
**                Matches any sequence of characters, including /.

Example:

$ export SYSAND_CRED_TEST='https://*.example.com/**'
$ export SYSAND_CRED_TEST_BASIC_USER='foo'
$ export SYSAND_CRED_TEST_BASIC_PASS='bar'

That pattern matches URLs such as:

https://www.example.com/projects/project.kpar
https://projects.example.com/index.json
https://projects.example.com/projects/myproject/versions.json

Request behavior

For normal HTTP(S) fetches, Sysand first makes an unauthenticated request. If the response status is in the 4xx range and the URL matches a credential pattern, Sysand retries with matching credentials.

If multiple credential patterns match one URL, Sysand logs a warning and tries the matching credentials until one returns a response outside the 4xx range. If none succeeds, the first response is returned.

Redirects are handled differently:

  • If credentials were sent to the original URL and that URL redirects to another URL on the same host, the credentials are also sent to the redirected URL.

  • Sysand does not first try the redirected URL without credentials.

SYSAND_CRED_* variables do not configure Git credentials. For Git projects, Sysand runs Git with the user’s existing Git setup, such as SSH keys or credential helpers.

Publish credentials

In the default auto mode, sysand publish first uses trusted publishing when it detects a supported CI environment. If trusted publishing is unavailable, it falls back to configured bearer token credentials. Basic-auth entries are ignored for publishing.

Before uploading, sysand publish resolves the publish API URL. When falling back to explicit credentials, it then checks the configured bearer-token patterns against that upload URL.

Outside supported trusted-publishing environments, publishing fails before the upload request is made if no bearer-token pattern matches the upload URL. If more than one bearer-token pattern matches the upload URL, publishing also fails; refine the SYSAND_CRED_<X> patterns so exactly one bearer token matches.
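The glob rules under "URL glob matching" and the exactly-one-bearer-token rule above can be checked before a credential is ever sent. The following is an added example, not Sysand's own code: it applies the three documented rules to a set of SYSAND_CRED_<X> variables and reports which labels match a URL. It assumes a pattern must match the whole URL, case-sensitively, and that no label <X> itself ends in one of the value suffixes; the CI and WIDE entries, their tokens and the upload URL are constructed.

```python
import re

PREFIX = "SYSAND_CRED_"
VALUE_SUFFIXES = ("_BASIC_USER", "_BASIC_PASS", "_BEARER_TOKEN")

def glob_to_regex(pattern):
    """Translate a URL glob using the three rules in the table above."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")       # ** : any sequence, including /
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")    # *  : any sequence without /
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")     # ?  : exactly one character, not /
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out), re.DOTALL)

def matching_labels(env, url, bearer_only=False):
    """Labels <X> whose pattern matches the whole URL (whole-URL match is assumed)."""
    labels = []
    for name, pattern in sorted(env.items()):
        if not name.startswith(PREFIX) or name.endswith(VALUE_SUFFIXES):
            continue               # not a SYSAND_CRED_<X> pattern variable
        if bearer_only and name + "_BEARER_TOKEN" not in env:
            continue               # basic-auth entries are ignored for publishing
        if glob_to_regex(pattern).fullmatch(url):
            labels.append(name[len(PREFIX):])
    return labels

# Constructed sample environment; tokens and the upload URL are placeholders.
ENV = {
    "SYSAND_CRED_TEST": "https://*.example.com/**",
    "SYSAND_CRED_TEST_BASIC_USER": "foo",
    "SYSAND_CRED_TEST_BASIC_PASS": "bar",
    "SYSAND_CRED_CI": "https://index.example.com/api/**",
    "SYSAND_CRED_CI_BEARER_TOKEN": "constructed-token",
    "SYSAND_CRED_WIDE": "https://**",
    "SYSAND_CRED_WIDE_BEARER_TOKEN": "constructed-token-2",
}

if __name__ == "__main__":
    for url in ("https://projects.example.com/index.json", "https://index.example.com/api/upload"):
        print(url, matching_labels(ENV, url), matching_labels(ENV, url, bearer_only=True))
```

With this sample environment the constructed upload URL matches two bearer-token patterns (CI and WIDE), which is the ambiguous case in which publishing fails. Under the same rules, the / after the host in https://*.example.com/** is what keeps the pattern on example.com subdomains: written as https://*.example.com** it would also match a host such as www.example.com.other.test.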