What is the name for this auth pattern used by PyPI with tokens?


If you use PyPI for uploading files, you can authenticate using a username and password, or you can authenticate using just a token, by sending the string __token__ and then the token with a prefix:

To use an API token:

Set your username to __token__
Set your password to the token value, including the pypi- prefix

You can see more details on their page here: https://pypi.org/help/#apitoken

This seems quite clever - it doesn't break the experience for people using old style credentials, but allows you to tie a reduced set of privileges to a given token, which seems safer.

What is the name of this pattern, where both ways of authing are supported like this? I mean beyond the name 'token-based authentication', as that doesn't account for the fallback offered here.

And beyond the obvious downside that someone only needs to get their hands on the token to send possibly malicious requests, what are the other downsides to this approach?

I'm working with RSS in a project, and it seems a nice way to provide access to legacy RSS readers, while still supporting more use cases of an API.
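A server-side sketch of the dual-mode check the question describes, added here as an example (it is not PyPI's own code): a single HTTP Basic Authorization header is parsed, and the `__token__` username switches to scoped-token verification while any other username takes the legacy password path. The credential stores, the sample token and the project scope are constructed for the example.

```python
import base64
import hashlib
import hmac
from typing import Optional

TOKEN_USERNAME = "__token__"
TOKEN_PREFIX = "pypi-"   # lets the server (and secret scanners) recognise the credential type

# Constructed sample stores. A real service would keep these in a database and
# hash passwords with argon2/bcrypt; SHA-256 is only a stand-in so the example runs offline.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
TOKENS = {
    hashlib.sha256(b"pypi-AgEIcHlwaS5vcmc-EXAMPLE").hexdigest(): {
        "owner": "alice",
        "scope": {"upload:sample-project"},   # reduced privileges tied to this token
    },
}
FULL_SCOPE = {"upload:*", "manage:*"}        # what a password login is allowed to do


def parse_basic_auth(header: str) -> Optional[tuple]:
    """Return (username, secret) from an HTTP Basic Authorization header, or None if malformed."""
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    return tuple(decoded.split(":", 1))


def authenticate(header: str) -> Optional[dict]:
    """Accept legacy user:password or __token__:pypi-... over the same Basic-auth channel."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    username, secret = creds
    digest = hashlib.sha256(secret.encode()).hexdigest()
    if username == TOKEN_USERNAME:
        if not secret.startswith(TOKEN_PREFIX):   # wrong credential type for this path
            return None
        for stored, meta in TOKENS.items():       # constant-time compare against each stored digest
            if hmac.compare_digest(stored, digest):
                return {"user": meta["owner"], "scope": meta["scope"], "via": "token"}
        return None
    stored = USERS.get(username)                  # legacy path: full account privileges
    if stored is not None and hmac.compare_digest(stored, digest):
        return {"user": username, "scope": FULL_SCOPE, "via": "password"}
    return None


def basic_header(user: str, secret: str) -> str:
    """Build the Authorization header a client such as twine would send."""
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()
```

Note that a token presented under a real username, or a password presented under `__token__`, is rejected rather than silently falling through to the other path.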


Solution

  • PyPI admin here: we call that a "compromise" 😉. PyPI needs to be entirely backwards-compatible with existing clients that only support basic HTTP auth, so this was really the only option available to us with that constraint.

    I'm not sure there's a better name for it. There are some other examples of this in use in varying ways: