From 14c75655e50c1e59db6094771a368c5773442394 Mon Sep 17 00:00:00 2001
From: Zanie Blue <contact@zanie.dev>
Date: Wed, 10 Sep 2025 14:32:17 -0400
Subject: [PATCH] Do not search for a password for requests with a token
 attached already

---
 crates/uv-auth/src/cache.rs       |  4 ++--
 crates/uv-auth/src/credentials.rs | 10 ++++++++++
 crates/uv-auth/src/middleware.rs  |  6 +++---
 3 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/crates/uv-auth/src/cache.rs b/crates/uv-auth/src/cache.rs
index 58613ecbc50dc..5b3223e9e7199 100644
--- a/crates/uv-auth/src/cache.rs
+++ b/crates/uv-auth/src/cache.rs
@@ -148,8 +148,8 @@ impl CredentialsCache {
 
         let mut realms = self.realms.write().unwrap();
 
-        // Always replace existing entries if we have a password
-        if credentials.password().is_some() {
+        // Always replace existing entries if we have a password or token
+        if credentials.is_authenticated() {
             return realms.insert(key, credentials.clone());
         }
 
diff --git a/crates/uv-auth/src/credentials.rs b/crates/uv-auth/src/credentials.rs
index fee61a476f0d9..673b711d382cd 100644
--- a/crates/uv-auth/src/credentials.rs
+++ b/crates/uv-auth/src/credentials.rs
@@ -141,6 +141,16 @@ impl Credentials {
         }
     }
 
+    pub fn is_authenticated(&self) -> bool {
+        match self {
+            Self::Basic {
+                username: _,
+                password,
+            } => password.is_some(),
+            Self::Bearer { token } => !token.is_empty(),
+        }
+    }
+
     pub(crate) fn is_empty(&self) -> bool {
         match self {
             Self::Basic { username, password } => username.is_none() && password.is_none(),
diff --git a/crates/uv-auth/src/middleware.rs b/crates/uv-auth/src/middleware.rs
index 6136d9cffb6e4..f4a02873e710c 100644
--- a/crates/uv-auth/src/middleware.rs
+++ b/crates/uv-auth/src/middleware.rs
@@ -328,7 +328,7 @@ impl Middleware for AuthMiddleware {
                 request = credentials.authenticate(request);
 
                 // If it's fully authenticated, finish the request
-                if credentials.password().is_some() {
+                if credentials.is_authenticated() {
                     trace!("Request for {url} is fully authenticated");
                     return self
                         .complete_request(None, request, extensions, next, auth_policy)
@@ -420,7 +420,7 @@ impl Middleware for AuthMiddleware {
         .or(credentials);
 
         if let Some(credentials) = credentials.as_ref() {
-            if credentials.password().is_some() {
+            if credentials.is_authenticated() {
                 trace!("Retrying request for {url} with credentials from cache {credentials:?}");
                 retry_request = credentials.authenticate(retry_request);
                 return self
@@ -529,7 +529,7 @@ impl AuthMiddleware {
         let credentials = Arc::new(credentials);
 
         // If there's a password, send the request and cache
-        if credentials.password().is_some() {
+        if credentials.is_authenticated() {
             trace!("Request for {url} already contains username and password");
             return self
                 .complete_request(Some(credentials), request, extensions, next, auth_policy)