fix: respect verify=False in authenticator requests (#10803)

dimbleby · Copilot · radoering · web-flow · commit 1c61afe367d8 · 2026-04-02T17:38:11.000+02:00
kwargs.get("verify") or certs.cert evaluated False as falsy,
silently overriding an explicit verify=False with configured
certificates. Use a None check to distinguish "not passed"
from "explicitly False".

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
Co-authored-by: Randy Döring &lt;30527984+radoering@users.noreply.github.com&gt;
diff --git a/src/poetry/utils/authenticator.py b/src/poetry/utils/authenticator.py
@@ -206,7 +206,9 @@ def request(
         stream: bool | None = kwargs.get("stream")
 
         certs = self.get_certs_for_url(url)
-        verify: bool | str | Path = kwargs.get("verify") or certs.cert or certs.verify
+        verify: bool | str | Path | None = kwargs.get("verify")
+        if verify is None:
+            verify = certs.cert or certs.verify
         cert: str | Path | None = kwargs.get("cert") or certs.client_cert
 
         if cert is not None:
diff --git a/tests/utils/test_authenticator.py b/tests/utils/test_authenticator.py
@@ -422,6 +422,37 @@ def test_authenticator_uses_certs_from_config_if_not_provided(
     assert Path(kwargs["cert"]) == Path(client_cert or configured_client_cert)
 
 
+@pytest.mark.parametrize("verify", [True, False, None])
+def test_authenticator_request_verify_is_respected(
+    config: Config,
+    mock_remote: responses.RequestsMock,
+    mock_config: Config,
+    http: responses.RequestsMock,
+    mocker: MockerFixture,
+    verify: bool | None,
+) -> None:
+    """especially verify=False must not be overridden by configured certificates."""
+    mock_config.merge(
+        {
+            "certificates": {
+                "foo": {"cert": "/path/to/cert", "client-cert": "/path/to/client-cert"}
+            },
+        }
+    )
+
+    authenticator = Authenticator(mock_config, NullIO())
+    url = "https://foo.bar/files/foo-0.1.0.tar.gz"
+    session = authenticator.get_session(url)
+    session_send = mocker.patch.object(session, "send")
+    authenticator.request("get", url, verify=verify)
+    kwargs = session_send.call_args[1]
+
+    if verify is None:
+        assert kwargs["verify"] == str(Path("/path/to/cert"))
+    else:
+        assert kwargs["verify"] is verify
+
+
 def test_authenticator_uses_credentials_from_config_matched_by_url_path(
     config: Config, mock_remote: None, http: responses.RequestsMock
 ) -> None:
