chore: return message on basic auth usage (#15132)

Author: miketheman

tests/unit/accounts/test_core.py

@@ -17,7 +17,7 @@
 import pytest
 
 from celery.schedules import crontab
-from pyramid.httpexceptions import HTTPUnauthorized
+from pyramid.httpexceptions import HTTPForbidden, HTTPUnauthorized
 
 from warehouse import accounts
 from warehouse.accounts import security_policy
@@ -325,11 +325,12 @@ def test_with_valid_password(self, monkeypatch, pyramid_request, pyramid_service
         )
 
         pyramid_request.matched_route = pretend.stub(name="forklift.legacy.file_upload")
+        pyramid_request.help_url = pretend.call_recorder(lambda **kw: "/the/help/url/")
 
         now = datetime.datetime.utcnow()
 
-        with freezegun.freeze_time(now):
-            assert _basic_auth_check("myuser", "mypass", pyramid_request) is True
+        with freezegun.freeze_time(now), pytest.raises(HTTPForbidden):
+            _basic_auth_check("myuser", "mypass", pyramid_request)
 
         assert service.find_userid.calls == [pretend.call("myuser")]
         assert service.get_user.calls == [pretend.call(2)]

warehouse/accounts/security_policy.py

@@ -17,7 +17,7 @@
     extract_http_basic_credentials,
 )
 from pyramid.authorization import ACLHelper
-from pyramid.httpexceptions import HTTPUnauthorized
+from pyramid.httpexceptions import HTTPForbidden, HTTPUnauthorized
 from pyramid.interfaces import ISecurityPolicy
 from pyramid.security import Allowed
 from zope.interface import implementer
@@ -105,7 +105,14 @@ def _basic_auth_check(username, password, request):
                 request=request,
                 additional={"auth_method": "basic"},
             )
-            return True
+
+            raise _format_exc_status(
+                HTTPForbidden(),
+                "Username/Password authentication is no longer supported. "
+                "Migrate to API Tokens or Trusted Publishers instead. "
+                f"See {request.help_url(_anchor='apitoken')} "
+                f"and {request.help_url(_anchor='trusted-publishers')}",
+            )
         else:
             user.record_event(
                 tag=EventTag.Account.LoginFailure,