@damacus damacus commented Aug 12, 2025

fixes #13703

@damacus damacus requested a review from a team as a code owner August 12, 2025 08:17

hashicorp-cla-app bot commented Aug 12, 2025

CLA assistant check
All committers have signed the CLA.

@damacus damacus force-pushed the fix/expired-token-401-retry branch from 719f9bc to e5d0c72 Compare August 12, 2025 08:18
@Stromweld
Contributor

@taru-garg-hashicorp can we get this merged for the next release?

@taru-garg-hashicorp
Contributor

Hi there,

Apologies for the delayed response—I’ve been considering the best way to address this issue. Currently, when an auth token has expired, Vagrant continues to send it as a header, which leads to authentication failures. Ideally, public boxes shouldn’t require authentication, but since the expired token is still being sent, the registry attempts to validate it.

There are two main issues here:

  • Vagrant is sending an auth token even when it’s not necessary.
  • The Vagrant public registry is trying to authenticate every request, even for public boxes.

While this fix will address the immediate problem, I’m concerned it might create new issues for users who logged in previously and now have expired tokens. In the case of public boxes, this could mean two requests per download, which would cause users to hit rate limits more quickly.

One idea I’ve been considering is introducing something like a --no-auth flag to the CLI. Most users downloading public boxes will likely know if authentication is required, but adding this flag could disrupt current workflows.

I will discuss these options with the team to determine the best solution. As for the release timeline, there’s no set date for 2.4.10 yet, but if we resolve this beforehand, I’ll make sure it’s included in that release.

Thanks!

@Stromweld
Contributor

Can the Vagrant public registry be updated to ignore auth for public boxes?

Successfully merging this pull request may close these issues.

Vagrant fails to download public boxes or get metadata when auth token has expired
3 participants