Extra Index Url Authentication is Interactive Even When Specified #1163

Closed
Californian opened this issue Dec 4, 2017 · 3 comments

Californian commented Dec 4, 2017

Authentication for extra index URLs requests user-interactive authentication even when authentication is specified in the extra index URL itself.

Describe your environment
  1. Arch Linux
  2. Python version: Python 3.6.3
  3. Pipenv version: pipenv, version 8.3.2

Expected result

When I add a [[source]] with a URL that has authentication information (e.g. https://user:password@host/pypi/simple), authentication information should not be requested.

Actual result
$ pipenv lock --verbose
Locking [dev-packages] dependencies…
Using pip: -i https://pypi.python.org/simple --extra-index-url https://xxxUSERxxx:xxxPASSWORDxxx@xxxHOSTxxx/xxxPATHxxx/pypi/simple

                          ROUND 1
Current constraints:
  xxx
  xxx
  xxx

Finding the best candidates:
User for xxxxxxxx:

This then waits for user input.

Steps to replicate
  1. Add a [[source]] to the Pipfile with a URL that requires basic HTTP auth.
  2. Add a package to the Pipfile that uses the specified index (e.g. package_name: {version="*", index="index_name"}).
  3. Run pipenv lock.
@Californian
Author

Sorry, this is not a pipenv issue; it happens even with normal pip outside of the virtualenv.

FYI, for anyone wondering how to use private pip repos with CI and docker, you'll have to use the PIP_EXTRA_INDEX_URL environment variable with authentication. This can be done for local testing with a .env file that isn't checked into a VCS, and remotely with whatever your CI tool uses for environment variable definition (usually in GUI or CLI settings for the repo). If you are using docker, you can then inject this with a --build-arg YOUR_ARG_KEY=$YOUR_ENV_VAR. I would add this to the relevant issue (#1020), but it was closed for some reason.

@techalchemy
Member

@Californian thanks for the relevant update, I'll add a link

@rca

rca commented Dec 15, 2017

@Californian OT here, but using --build-arg for secrets is not good. You can actually get the secret from the build history; try docker history <image> and you'll see it there.
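
The exposure described in the comment above can be checked for mechanically. As an added example (not part of this thread, and not pipenv or pip code), the following Python check scans `docker history` output for index URLs that carry embedded credentials and reports them with the password redacted; the sample history lines, host name and credentials are constructed, and the function name is hypothetical.

```python
import re
from urllib.parse import urlsplit

# Matches http(s) URLs that carry userinfo ("user:password@") before the host.
CRED_URL = re.compile(r"https?://[^\s/@:]+:[^\s/@]+@[^\s'\"]+")

def find_leaked_index_credentials(history_lines):
    """Return (line_no, variable, redacted_url) for each credentialed URL found."""
    findings = []
    for line_no, line in enumerate(history_lines, start=1):
        for match in CRED_URL.finditer(line):
            url = urlsplit(match.group(0))
            # Name of the variable the URL was assigned to, if any (e.g. a build ARG).
            prefix = line[:match.start()]
            var = re.search(r"([A-Za-z_][A-Za-z0-9_]*)=['\"]?$", prefix)
            host = url.hostname + (f":{url.port}" if url.port else "")
            redacted = f"{url.scheme}://{url.username}:***@{host}{url.path}"
            findings.append((line_no, var.group(1) if var else None, redacted))
    return findings

# Constructed sample of `docker history --no-trunc --format '{{.CreatedBy}}'` output.
# Build args used by a RUN step are recorded in that step's history entry.
SAMPLE_HISTORY = [
    'CMD ["python", "app.py"]',
    "RUN |1 PIP_EXTRA_INDEX_URL=https://ci-user:s3cr3t@pypi.example.internal/pypi/simple "
    "/bin/sh -c pip install -r requirements.txt # buildkit",
    "ARG PIP_EXTRA_INDEX_URL",
    "RUN /bin/sh -c pip install --extra-index-url "
    "https://pypi.example.internal/pypi/simple wheel # buildkit",
]

if __name__ == "__main__":
    for line_no, var, url in find_leaked_index_credentials(SAMPLE_HISTORY):
        print(f"history line {line_no}: {var or '<inline>'} exposes {url}")
```

To audit a real image, feed it the lines of `docker history --no-trunc --format '{{.CreatedBy}}' <image>`. BuildKit secret mounts (`RUN --mount=type=secret,...`) make the value available to the build step without recording it in that history.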
