Open idy opened 1 week ago
Does look like both dart:io and package:http send the authentication as (code from dart:io)
String auth = base64Encode(utf8.encode(uri.userInfo));
and prefixed with "Basic ".
The problem is that uri.userInfo does not decode percent-escapes, so the code should be doing
String auth = base64Encode(utf8.encode(Uri.decodeComponent(uri.userInfo)));
Alternatively, the userInfo getter should decode for you. That's what most other getters on Uri do, extracting the meaning of the substring of the URI text, not its literal text.
(We should decide on one of those, doing both would be wrong too.)
I can't say what a browser would do, because my browser seems to ignore username/password in the request. Probably for safety reasons.
As we discussed in lang/sdk#56114, I personally believe that Uri.parse should not store pct-encoded values in userInfo. Instead, it should encode these values when constructing the URL in toString().
When using the following code to send a request, the server receives the password not as ^pwd but as %5Epwd.
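Added example, not code from this thread or from the Dart SDK: a Dart sketch of the two header constructions discussed above, run on a URI whose password ^pwd is written as %5Epwd. The helper names and the example.invalid host are assumptions; the second helper also splits on the first ':' before decoding, which goes beyond the one-line fix quoted in the thread.

```dart
import 'dart:convert';

/// Header as the thread describes it today: raw userInfo, escapes left in place.
String basicAuthRaw(Uri uri) =>
    'Basic ${base64Encode(utf8.encode(uri.userInfo))}';

/// Hypothetical helper: split on the first ':' of the raw text, then decode
/// each half, so an escaped ':' (%3A) cannot move the user/password boundary.
String basicAuthDecoded(Uri uri) {
  final raw = uri.userInfo;
  final sep = raw.indexOf(':');
  final user = Uri.decodeComponent(sep < 0 ? raw : raw.substring(0, sep));
  final pass = sep < 0 ? '' : Uri.decodeComponent(raw.substring(sep + 1));
  if (user.contains(':')) {
    // RFC 7617: a user-id containing ':' cannot be represented in Basic auth.
    throw FormatException('user name contains ":" after decoding', raw);
  }
  return 'Basic ${base64Encode(utf8.encode('$user:$pass'))}';
}

void main() {
  // Constructed URI; example.invalid is a placeholder host.
  final uri = Uri.parse('http://user:%5Epwd@example.invalid/');
  for (final header in [basicAuthRaw(uri), basicAuthDecoded(uri)]) {
    // Decode the header again to show what a server would read as credentials.
    final creds = utf8.decode(base64Decode(header.substring('Basic '.length)));
    print('$header  ->  $creds');
  }
}
```

Decoding the two headers back shows the credentials a server would see in each case, which makes the mismatch visible without a network request.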