Check access when adding a new source with credentials #12963

Open
umerkle opened this issue Oct 24, 2023 · 3 comments
Labels: Area:Authentication, Area:Settings, Priority:3, Product:dotnet.exe, Product:NuGet.exe, Type:Feature

Comments


umerkle commented Oct 24, 2023

NuGet Product(s) Involved

NuGet.exe, dotnet.exe

The Elevator Pitch

If you add a new package source with 'nuget sources Add' or also with 'dotnet nuget add source', you have to specify credentials if the source is a private one.
Currently, it seems that NuGet does not check those credentials and says 'successfully added' after adding the source to NuGet.Config. But you will notice errors when trying to access the source repo.

So my request is to check these credentials prior to adding the source to NuGet.Config.

As @zivkan mentioned in the discussion, this may break CI scripts.
But perhaps this feature can be optional and activated via a parameter or so?

Edit:
It would also be cool to have a command to check the currently used credentials.
Let's say there are some credentials stored in my NuGet.Config. And maybe on adding the source everything was fine, but the password is not valid anymore. So it would be good to have a kind of validate-sources command or something like that to see which sources' credentials might have become invalid.

Additional Context and Details

I think this feature would be helpful in preventing errors on getting packages from private sources.
Especially if you use encrypted passwords (e.g. on Windows) and you cannot easily check a mistyped password.

In my case, I add sources dynamically in GitLab's CI/CD pipeline. In the log, I cannot see the password used, and since it is running in an ephemeral container, I also cannot see it in the NuGet.Config file. So hunting for errors is hard and could be easier if NuGet told me about wrong credentials.

Contributor

kartheekp-ms commented Oct 24, 2023

> In my case, I add sources dynamically in GitLab's CI/CD pipeline.

Until this issue is resolved, could you verify if the credentials are functional using a PowerShell script? I haven't considered all the edge cases in the script below, so please feel free to modify the code as necessary.

$url = "https://your.private.url/path"

try {
    # Username and Password are read from environment variables
    $username = $env:USERNAME
    $password = $env:PASSWORD

    # Convert the username:password combination into Base64 format for Basic Authentication
    $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${username}:${password}"))

    # Invoke a web request with the Basic Authentication header
    $response = Invoke-WebRequest -Uri $url -Headers @{
        Authorization = ("Basic {0}" -f $base64AuthInfo)
    }

    # If the request is successful and doesn't throw an exception, output a success message
    Write-Output "Access to $url was successful. Status Code: $($response.StatusCode)"
}
catch {
    # In case of an error, handle specific exceptions or general errors
    if ($_.Exception.Response.StatusCode.Value__ -eq 403) {
        Write-Output "Access to $url is forbidden."
    }
    else {
        Write-Output "Failed to access $url. Error: $($_.Exception.Message)"
    }
}

Author

umerkle commented Oct 25, 2023

OK, tried your script (under Windows!):

Accessing a BasicAuth-protected URL with

  • wrong username returns:

    Failed to access https://your.private.url/path. Error: Der Remoteserver hat einen Fehler zurückgegeben: (401) Nicht autorisiert.
    or in English
    Failed to access https://your.private.url/path. Error: The remote server returned an error: (401) Not authorized

  • wrong username and wrong password returns:
    see above
  • wrong password returns:
    see above
  • correct credentials returns:

    Access to https://your.private.url/path was successful. Status Code: 200

nkolev92 changed the title from "Check access when adding a new source" to "Check access when adding a new source with credentials" on Oct 26, 2023
nkolev92 added the Priority:3 and Pipeline:Icebox labels on Oct 26, 2023

TomKovac commented Jul 3, 2024

Is there any news on this issue? I am struggling to figure out which feed has an authentication issue when its PAT expires. Thanks for letting me know.
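
The validate-sources idea from the first post and the question of which feed has an expired PAT, sketched as an added example (not part of the thread and not NuGet functionality). The function name `Test-NuGetSourceCredential` and the `./NuGet.Config` path are assumptions; only sources with `Username` and `ClearTextPassword` entries are probed, and only over HTTPS, so the Basic credentials never travel unencrypted.

```powershell
# Added example (not NuGet's own code): probe every HTTPS source in a NuGet.Config
# with its stored credentials and report which ones the server rejects.
function Test-NuGetSourceCredential {
    param([Parameter(Mandatory)][string]$ConfigPath)

    $config = New-Object System.Xml.XmlDocument
    $config.Load((Resolve-Path -LiteralPath $ConfigPath).Path)

    foreach ($source in $config.SelectNodes('/configuration/packageSources/add')) {
        $name   = $source.GetAttribute('key')
        $url    = [Environment]::ExpandEnvironmentVariables($source.GetAttribute('value'))
        $result = [ordered]@{ Source = $name; Url = $url; Status = $null; Result = '' }

        # Credentials live under an element named after the source, so characters
        # such as spaces are XML-encoded in the element name (e.g. _x0020_).
        $node = [System.Xml.XmlConvert]::EncodeLocalName($name)
        $cred = $config.SelectSingleNode("/configuration/packageSourceCredentials/$node")
        $user = if ($cred) { $cred.SelectSingleNode("add[@key='Username']") }
        $pass = if ($cred) { $cred.SelectSingleNode("add[@key='ClearTextPassword']") }

        if ($url -notmatch '^https://') {
            $result.Result = 'skipped: not an HTTPS source'
        } elseif (-not $user -or -not $pass) {
            $result.Result = 'skipped: no Username/ClearTextPassword entry'
        } else {
            # The password is only used to build the header and is never written out.
            $pair  = '{0}:{1}' -f $user.GetAttribute('value'), $pass.GetAttribute('value')
            $pair  = [Environment]::ExpandEnvironmentVariables($pair)
            $token = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))
            try {
                $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -Headers @{ Authorization = "Basic $token" }
                $result.Status = [int]$resp.StatusCode
                $result.Result = 'credentials accepted'
            } catch {
                $err = $_   # keep the error record; $_ is rebound inside switch
                $result.Status = [int]$err.Exception.Response.StatusCode
                $result.Result = switch ($result.Status) {
                    401     { 'credentials rejected (wrong or expired)' }
                    403     { 'access forbidden' }
                    0       { "no HTTP response: $($err.Exception.Message)" }
                    default { 'unexpected HTTP status' }
                }
            }
        }
        [pscustomobject]$result
    }
}

Test-NuGetSourceCredential -ConfigPath ./NuGet.Config | Format-Table -AutoSize
```

In a CI job, a non-empty result of `Where-Object Status -eq 401` is a convenient condition for failing the step before restore runs.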


5 participants