Open 0xVeles opened 1 year ago
Hi
I have rewritten the library, with some improvements and basic auth.
Do you want to test it?
After your feedback, I will open source it and propose the new version to the MicroPython maintainers.
I think that parsing username:password out of URLs can be a separate function, which extracts the relevant information and a cleaned URL. And the few that need it can copy-paste it into their project.
I just found this bug report as I am trying to implement DDNS on a PicoW - the URL specified by dyndns is as follows:
https://{user}:{updater client key}@members.dyndns.org/v3/update?hostname={hostname}&myip={IP Address}
Which although not using a password as such, is still passing a plaintext "key".
Out of curiosity and in order to be able to handle such formatted URLs (even if they aren't recommended - it's obvious that they are still in use)... would it be sensible to search backwards from the first '/' looking for a port number and/or if the value found after the ':' is not numeric to ignore it?
Probably it isn't implemented because
- passing clear text credentials in the URL is a bad idea
- there are modern authentication options available, this is becoming obsolete.
Just for curiosity: are there running servers using https://user:pass@... ?
Yes; DynDNS (part of Oracle) use this for updating Dynamic DNS records; see their help article here.
Per RFC1738 you can supply a username and password for basic auth as part of the URL in the format:
http(s)://username:password@example.com
however urequests interprets any colon following the protocol to be delimiting a host and port, as seen here. Obviously it's simple to provide basic auth as a header instead, but it's probably best to be RFC compliant when possible.
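The separate helper suggested in the thread could look like the following. This is an added example, not code from urequests or from any commenter; the names `split_url_credentials`, `pct_decode` and `SAMPLE` are hypothetical, and it assumes `str.partition`/`str.rpartition` and `binascii.b2a_base64` are available on the target.

```python
import binascii

HEX = "0123456789abcdefABCDEF"

def pct_decode(text):
    """Decode %XX escapes in a userinfo component to raw bytes."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] == "%" and i + 3 <= len(text) and text[i + 1] in HEX and text[i + 2] in HEX:
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(text[i].encode())
            i += 1
    return bytes(out)

def split_url_credentials(url):
    """Return (clean_url, headers); headers carries Basic auth if the URL had userinfo."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("URL has no scheme")
    # The authority ends at the first '/', '?' or '#', so an '@' or ':'
    # later in the path or query is never mistaken for userinfo or a port.
    end = min([i for i in (rest.find(c) for c in "/?#") if i != -1] or [len(rest)])
    authority, tail = rest[:end], rest[end:]
    # Userinfo is everything before the last '@' of the authority.
    userinfo, at, hostport = authority.rpartition("@")
    if not at:
        return url, {}
    # Only the first ':' separates user from password; the password may contain more.
    user, _, password = userinfo.partition(":")
    token = binascii.b2a_base64(pct_decode(user) + b":" + pct_decode(password))
    headers = {"Authorization": "Basic " + token.strip().decode()}
    return scheme + "://" + hostport + tail, headers

# Constructed sample in the shape of the DynDNS URL quoted in the thread.
SAMPLE = "https://alice:k%40y@members.dyndns.org:443/v3/update?hostname=h.example&myip=192.0.2.7"

if __name__ == "__main__":
    clean, hdrs = split_url_credentials(SAMPLE)
    print(clean)
    print(hdrs)
```

Passing the cleaned URL and the returned headers to the HTTP client keeps the key out of the request line, so it does not end up in URL logs.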