Authentication via https://ACCESS_TOKEN@HOST/api/v1/entries.json seems to no longer work

[15characterlimi]

Describe the bug

Authentication by specifying the access token in the Nightscout URL through HTTP authentication (putting it in front of the hostname separated by "@") no longer works.

To Reproduce Steps to reproduce the behavior:

Below, replace ACCESS_TOKEN with an access token with role device-readwrite set up in Nightscout, and replace HOST with the hostname of a Nightscout instance (ends with ".code.run"). Then:

• (a) If I open the URL https://HOST/api/v1/entries.json?token=ACCESS_TOKEN in a browser (i.e. via HTTP GET), it lists a array of my latest glucose values, in JSON format.
• (b) If I instead open the URLhttps://ACCESS_TOKEN@HOST/api/v1/entries.json in a web browser then I get redirected to the same URL without ACCESS_TOKEN@, and with page body {"status":401,"message":"Unauthorized","description":"Invalid/Missing"}

This broke after I synced my fork of https://github.com/nightscout/cgm-remote-monitor to the latest commit 21e0591d49235845acba58cf8b3cc7339921185b today.

Unfortunately the previous version that I know to have worked was from around May 20, 2021, so I don't know when in the last 33 months or so this broke.

Expected behavior

Both methods should produce a list of my latest glucose values, in JSON format.

Your setup information

• Nightscout built today from the latest commit 21e0591d49235845acba58cf8b3cc7339921185b
• Trying to upload via Xdrip. Due to bugs in Xdrip, the access token needs to either be specified in the manner I noted above, when one can't reuse the Xdrip webserver's API secret. Concretely, the code in Xdrip incorrectly treats the uploader base URL as a String and appends stuff to it, instead of parsing it as a Uri and then mutating just the path component; this breaks when the URL has query parameters.
• See https://github.com/NightscoutFoundation/xDrip/issues/1035#issuecomment-845475389 for an old comment of mine elaborating how the authentication used to be able to get to work in combination with Xdrip.

Additional context

Note that the documentation at https://nightscout.github.io/uploader/setup/#xdrip documents the format that no longer works (that page is very old so it still refers to API_SECRET rather than ACCESS_TOKEN, but the gist is the same).

[akadaoui]

Hi all. I'm encountering the same issue... @15characterlimi have you found any clue or workaround this issue?

[15characterlimi]

@akadaoui the solution I ended up taking isn't great, my personal workaround is that I fixed the bug in the xdrip soure code where it doesn't correctly put the access token into a query parameter like in my example (a). I didn't contribute that fix back to xdrip because I've found the xdrip maintainers to be very unwelcoming towards fixes for even very obvious bugs in the past (the xdrip source is a huge bug fest, but that's a different matter).

Anyway, that's my personal workaround but it will only work for those who use xdrip and are comfortable editing and compiling the xdrip source code themselves.