Personal Access Tokens should be usable in the API with basic auth
Proposal
Following industry best practice, GitLab encourages the use of disposable, scoped tokens for API auth. These tokens can be passed to endpoints using a query string parameter, a GitLab-specific PRIVATE-TOKEN header, or an OAuth2-style Bearer header:
https://docs.gitlab.com/ee/api/index.html#personalproject-access-tokens
Curiously though, even though all three of these methods result in a plaintext transfer of the token, regular HTTP basic auth is not supported. Accessing API endpoints with curl gitlab.corp.com/api/thing -u username:token results in a 4xx error.
This is surprising behaviour at the best of times, but my specific issue with it is that accessing private source with authentication for NixOS is only supported using basic auth via a netrc file, see:
https://nixos.wiki/wiki/Enterprise
None of the other options work for NixOS because all of them would result in the token becoming part of the derivation (the serialized expression of all inputs to a package) and therefore being placed in a world-readable /nix/store path. The only other option would be for the Nix daemon itself to gain a new, parallel implementation of the netrc scheme that passes a Bearer token instead. But this is unlikely to happen, because the existing basic auth scheme works fine with authenticated sources on most other popular version control hosts, for example:
https://docs.github.com/en/rest/overview/other-authentication-methods#basic-authentication
https://developer.atlassian.com/bitbucket/api/2/reference/meta/authentication#basic-auth
https://docs.gitea.io/en-us/api-usage/#authentication
I am currently working around this with a small reverse proxy that provides unauthenticated access to GitLab, and then Nix uses this as an alternative source mirror. But this is not a long-term solution. If it helps, I am a Premium user.
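A workaround that keeps the instance authenticated, as an added example (this is not the author's proxy or GitLab code): a loopback proxy that takes the Basic credential Nix sends from the netrc file and rewrites it into the Bearer header GitLab already accepts, refusing anything without a valid credential. UPSTREAM, the listen address and the sample credential are assumptions.

```python
import base64
import binascii
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

UPSTREAM = "https://gitlab.example.com"  # assumption: the GitLab instance to forward to
SAMPLE_AUTH = "Basic " + base64.b64encode(b"nix:example-token").decode()  # constructed

def basic_to_bearer(authorization):
    """Map 'Basic base64(user:token)' to 'Bearer token'. The netrc user field is
    ignored; the password field carries the personal access token. Returns None
    for a missing or malformed header so the caller never forwards anonymously."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    _user, sep, token = decoded.partition(":")
    if not sep or not token:
        return None
    return "Bearer " + token

class NixProxy(BaseHTTPRequestHandler):
    def do_GET(self):
        bearer = basic_to_bearer(self.headers.get("Authorization"))
        if bearer is None:
            # Challenge instead of forwarding: the proxy is never an anonymous door.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="gitlab"')
            self.end_headers()
            return
        req = Request(UPSTREAM + self.path, headers={"Authorization": bearer})
        try:
            with urlopen(req) as resp:
                status, body = resp.status, resp.read()
                ctype = resp.headers.get("Content-Type", "application/octet-stream")
        except HTTPError as err:
            status, body, ctype = err.code, err.read(), "text/plain"
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # Loopback only; the netrc entry then names 127.0.0.1:8080 as the source host.
    HTTPServer(("127.0.0.1", 8080), NixProxy).serve_forever()
```

Only GET is forwarded, which is all a source fetch needs; the token never appears in a derivation because Nix only sees the netrc file.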