urequests doesn't handle basic auth formatted URLs correctly

micropython / micropython-lib

Core Python libraries ported to MicroPython

Other

2.4k stars 997 forks source link

urequests doesn't handle basic auth formatted URLs correctly #668

Open 0xVeles opened 1 year ago

0xVeles commented 1 year ago

Per RFC1738 you can supply a username and password for basic auth as part of the URL in the format: http(s)://username:password@example.com however urequests interprets any colon following the protocol to be delimiting a host and port, as seen here.

Obviously it's simple to provide basic auth as a header instead, but it's probably best to be RFC compliant when possible.

massimosala commented 1 year ago

Probably it isn't implemented because

passing clear text credentials in the URL is a bad idea
there are modern authentication options available, this is becoming obsolete.

Just for curiosity: are there running servers using https://user:pass@... ?

massimosala commented 1 year ago

I have rewritten the library, with some improvements and basic auth.

Do you want to test it ?

After your feedback, I will open source it and propose the new version to the Micropython mantainers.

jonnor commented 1 month ago

I think that parsing username:password out of URLs can be a separate function, which extracts the relevant information and a cleaned URL. And those that the few that need it can copy-paste it into their project.