Missing auth-required for private registries

[jocutajar]

• What are you trying to do?

Publish a package to a private registry (requires auth to publish) that depends on another package in that private registry (requires auth to download).

• What feature or behavior is this required for?

Working with private registry

• How could we solve this issue? (Not knowing is okay!)

I think the registry needs to explicitly inform cargo that it requires auth (auth-required) in the config.json here:

nexus-repository-cargo/src/main/java/org/sonatype/nexus/plugins/cargo/registry/CargoRegistryFacetImpl.java

Line 160 in 57760b6

config.add("allowed-registries", allowedRegistries);

as per rust-lang/cargo#10920
and https://doc.rust-lang.org/nightly/cargo/reference/registry-index.html#index-configuration

but only if it is a private registry. Public registries should have that set to false I guess.

• Anything else?

I suppose we could make the registry accessible for read to anonymous users, that would work around the limitation.

Without the auth-required: true config value, cargo publish fails with:

Updating `my-registry` index
   Packaging my-crate v0.1.0 (/home/me/my-crate)
   Verifying my-crate v0.1.0 (/home/me/my-crate)
    Updating crates.io index
error: failed to verify package tarball

Caused by:
  failed to download from `https://nexus.example.com/repository/our-crates/api/v1/crates/my-dependency/0.1.0/download`

Caused by:
  failed to get successful HTTP response from `https://nexus.example.com/repository/our-crates/api/v1/crates/my-dependency/0.1.0/download` (1.2.3.4), got 401
  body: