Captain Porcelain 10:02:29

Hello everyone, this might be a rather stupid question but I'm stuck on it. I'm trying to deploy a jar to clojars using deps-deploy. I've set my username and password as env variables as per requirement of deps-deploy. But I still receive an error 401 unauthorized. The username and password are correct, and at least the username is picked up by deps-deploy as I can see it in the logs. What can I do to figure out what is happening?


I've never used deps-deploy, but just gave it a try and it worked for me:

$ env CLOJARS_USERNAME=tcrawley CLOJARS_PASSWORD=<redacted> clj -A:deploy
Deploying org.clojars.tcrawley/deploytest3-0.1.0-SNAPSHOT to clojars as tcrawley
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See  for further details.
I would confirm you have the correct env var name, and double check that the username and password are indeed correct. Does the password contain any characters that may be expanded by your shell? If so, try quoting it.

Captain Porcelain 11:02:54

Thanks for checking. I had copied the password from the env variable to the login form and was able to log in. It doesn't contain any special chars that can be expanded.

Captain Porcelain 11:02:48

But I've changed my password and can't log in anymore. So I'll have to reset it before I can test further.

Captain Porcelain 11:02:09

Do you know if one is locked out of one's account after a couple of failed logins?

Captain Porcelain 11:02:54

Hmm, I don't receive any password reset email when I enter my username, but I do when I enter my email. After the reset I still can't log in. I guess I messed this up somehow...

Captain Porcelain 11:02:07

I've just created a new account captainporcelain instead of captain-porcelain and with that I can log in and deploy my jar. So I guess the issue lies with the dash in my initial username.


We don't lock accounts due to failed logins. Does the login in the password reset email match what you expect?


oh, interesting.


I'm trying to think why a dash would matter


but it's possible we have a bug there somewhere

Captain Porcelain 12:02:27

I guess it's relevant that my initial group of org.clojars.captain-porcelain is listed in my new account too.


I can see in the nginx logs the 401s for captain-porcelain, and the name there is correct. But that name is just being pulled from the basic auth, so before it gets to the clojars application.


Do you also see org.clojars.captainporcelain as a group under the new account?


Because having access to the - version really feels like a bug and a security hole

Captain Porcelain 12:02:59

Yes I can see both.

Captain Porcelain 12:02:05

It may have been created by the jar I've uploaded. I've used it in the pom and didn't change it to the version without - before uploading.

Captain Porcelain 12:02:26

Is there a way to delete my first account (captain-porcelain)?

Captain Porcelain 12:02:05

Anyways, thank you very much for your help 😃


Sorry for the late reply, but I've figured it out:
• Your first account was called captain-procelain, not captain-porcelain
• You pushed to org.clojure.captain-porcelain, not org.clojars.captain-porcelain, so the special user group logic didn't prevent that, since the group name was unclaimed
• I went ahead and deleted the captain-procelain user

Captain Porcelain 06:02:16

Now I feel stupid. And in dire need of new glasses

Captain Porcelain 06:02:49

Thank you for looking into this 😊


No worries, and my pleasure!