Handle PyPI unrecognized device login confirmation #48

Open
anth-volk wants to merge 2 commits into arcivanov:master from anth-volk:handle-pypi-login-confirmation

@anth-volk

Summary

  • handle PyPI's unrecognized-device login confirmation redirect after TOTP by prompting for the email confirmation URL and following it in the same session
  • verify the PyPI login before attempting any release deletion
  • improve missing-CSRF diagnostics with final URLs and page titles
  • add a --debug-auth option for auth redirect/page-title diagnostics and sanitized HTML snapshots
  • document the new login-confirmation behavior and debug option in the README

Context

PyPI added login verification protections for unrecognized TOTP logins, documented here: https://blog.pypi.org/posts/2025-11-14-login-verification/

This also addresses the failure mode discussed in #42, where deletion reached the release page step but failed with a misleading missing-CSRF error after PyPI served a login-confirmation page instead: #42

Tests

  • env PYTHONPATH=src/main/python python -m unittest discover -s src/unittest/python -p '*tests.py'
  • uvx --from pybuilder pyb -v
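
The missing-CSRF diagnostic described in the summary above, as an added example that is not code from this PR or from the project. The field name `csrf_token`, the helper names, the sample pages and URLs, and the choice to drop the query string from the reported URL are assumptions made for illustration.

```python
from html.parser import HTMLParser


class _PageScan(HTMLParser):
    """Collect the <title> text and the value of the hidden CSRF input."""

    def __init__(self, field):
        super().__init__()
        self.field, self.title, self.csrf, self._in_title = field, "", None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "input" and a.get("name") == self.field:
            self.csrf = a.get("value")

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


class MissingCsrfError(RuntimeError):
    """Raised when the fetched page has no CSRF field (hypothetical name)."""


def extract_csrf(html, final_url, field="csrf_token"):
    """Return the CSRF token, or raise an error naming the page actually served."""
    scan = _PageScan(field)
    scan.feed(html)
    if scan.csrf:
        return scan.csrf
    # Drop the query string: confirmation links can carry one-time tokens.
    safe_url = final_url.split("?", 1)[0]
    raise MissingCsrfError(
        f"no {field!r} field at {safe_url} (page title: {scan.title.strip()!r}); "
        "the session may have been redirected away from the expected page")


# Constructed sample pages, not captured from PyPI.
RELEASE_PAGE = ('<html><head><title>Manage release</title></head><body><form>'
                '<input type="hidden" name="csrf_token" value="abc123"></form></body></html>')
CONFIRM_PAGE = ('<html><head><title> Confirm login </title></head>'
                '<body><p>Check your email.</p></body></html>')
```
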

@arcivanov

Owner

Thank you for the PR. Unfortunately it's 1) over-complicated and 2) I'm not going to accept the debug auth option.

@anth-volk

Author

The code is complicated because PyPI offers a few different pathways on login. It could throw the new-ish "unauthorized login" page and request email verification, or it might not, and this code was aimed at handling both and keeping funcs as CLEAN and single-use as possible. --debug-auth grew out of testing I was doing, but I can understand why you might not want it. I'd be happy to either withdraw this or modify it, however you see fit, but every time I've used the tool without these modifications, the newer email verification request page breaks the tool for me.
