miguelgrinberg / Flask-HTTPAuth

Simple extension that provides Basic, Digest and Token HTTP authentication for Flask routes
MIT License

Basic auth doesn't support : in username fix #139

Closed HomiGrotas closed 2 years ago

HomiGrotas commented 2 years ago

When using a MAC address as a username, the result is:

      10:10:5e:00:23:cf 10

I researched for a while and it seems the rest of the MAC address was moved to the password segment, since the split is by ':'. If we split by the last ':', the ':' character can be in the username.
miguelgrinberg commented 2 years ago

The Basic Auth specification clearly states that the username cannot contain a colon character. Reference: https://www.rfc-editor.org/rfc/rfc2617#section-2.

      basic-credentials = base64-user-pass
      base64-user-pass  = <base64 [4] encoding of user-pass,
                       except not limited to 76 char/line>
      user-pass   = userid ":" password
      userid      = *<TEXT excluding ":">
      password    = *TEXT

With your change, you would be making it impossible to have colons in the password, which goes against the spec, which does allow colons in the password. There is really no way to make colons work for everybody, but if I have to choose, I prefer to allow them in the password, where they are much more likely to appear.
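As an added illustration (not code from Flask-HTTPAuth or from either commenter), the parsing rule discussed above in Python: a decoder that splits at the first colon as RFC 2617 requires, next to the last-colon variant proposed in the PR, so the two failure modes can be compared on the same headers. The helper names and the sample credentials are constructed for this example.

```python
import base64
import binascii
from typing import Optional, Tuple


def _decode_payload(header: str) -> Optional[str]:
    """Return the decoded user-pass string from a Basic header, or None if malformed."""
    scheme, _, payload = header.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        return base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def parse_basic_credentials(header: str) -> Optional[Tuple[str, str]]:
    """RFC 2617 section 2: user-pass = userid ":" password, and userid has no ':'.
    So the split is at the FIRST colon; the password may contain colons."""
    decoded = _decode_payload(header)
    if decoded is None:
        return None
    userid, sep, password = decoded.partition(":")
    return (userid, password) if sep else None


def parse_split_on_last_colon(header: str) -> Optional[Tuple[str, str]]:
    """The alternative from the PR (split at the LAST colon), kept only for comparison."""
    decoded = _decode_payload(header)
    if decoded is None:
        return None
    userid, sep, password = decoded.rpartition(":")
    return (userid, password) if sep else None


def make_basic_header(user_pass: str) -> str:
    """Constructed test helper: encode a raw user-pass string as a Basic header value."""
    return "Basic " + base64.b64encode(user_pass.encode("utf-8")).decode("ascii")


def build_user_pass(userid: str, password: str) -> str:
    """The check a client should do: refuse a userid that cannot round-trip."""
    if ":" in userid:
        raise ValueError("userid must not contain ':' (RFC 2617 section 2)")
    return f"{userid}:{password}"
```

With a MAC address as userid, first-colon parsing yields the username "10" seen in the PR; with a colon-containing password, last-colon parsing mangles a header that the spec-conformant parser handles correctly.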

HomiGrotas commented 2 years ago

I didn't know that. Thanks for the detailed answer. How about mentioning it in the docs so other developers with the same problem won't have to bother searching for it?

miguelgrinberg commented 2 years ago

I guess, but HTTP Authentication is full of conditions and rules. Should all of that be copied to this package's docs? I think the important lesson here is that when you are coding against a specification, RFC or similar, it is required that you check that you are within the boundaries of what's allowed.