← index #668 · Issue #6649
Related · high · value 1.550
QUERY · ISSUE

urequests doesn't handle basic auth formatted URLs correctly

open · by 0xVeles · opened 2023-05-24 · updated 2024-11-18

Per RFC 1738, you can supply a username and password for basic auth as part of the URL in the format http(s)://username:password@example.com; however, urequests interprets any colon following the protocol as delimiting a host and port, as seen here.

Obviously it's simple to provide basic auth as a header instead, but it's probably best to be RFC compliant when possible.

5 comments
massimosala · 2023-06-28

Probably it isn't implemented because

  • passing clear text credentials in the URL is a bad idea
  • there are modern authentication options available, this is becoming obsolete.

Just for curiosity: are there running servers using https://user:pass@... ?

massimosala · 2023-06-28

Hi

I have rewritten the library, with some improvements and basic auth.

Do you want to test it?

After your feedback, I will open source it and propose the new version to the MicroPython maintainers.

jonnor · 2024-08-25

I think that parsing username:password out of URLs can be a separate function, which extracts the relevant information and a cleaned URL. And the few that need it can copy-paste it into their project.

smithps · 2024-11-18

I just found this bug report as I am trying to implement DDNS on a PicoW - the URL specified by dyndns is as follows;

https://{user}:{updater client key}@members.dyndns.org/v3/update?hostname={hostname}&myip={IP Address}

Which although not using a password as such, is still passing a plaintext "key".

Out of curiosity and in order to be able to handle such formatted URLs (even if they aren't recommended - it's obvious that they are still in use)....would it be sensible to search backwards from the first '/' looking for a port number and/or if the value found after the ':' is not numeric to ignore it?

smithps · 2024-11-18

Probably it isn't implemented because

  • passing clear text credentials in the URL is a bad idea
  • there are modern authentication options available, this is becoming obsolete.

Just for curiosity: are there running servers using https://user:pass@... ?

Yes; DynDNS (part of Oracle) uses this for updating Dynamic DNS records; see their help article here
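A sketch of the separate helper suggested in jonnor's comment, which also covers the port question in smithps's comment. It is an added example, not code from urequests or from anyone in this thread. The function names and the sample URL are assumptions made for illustration, and treating the last '@' in the authority as the userinfo delimiter is a choice made here.

```python
import binascii

_HEX = "0123456789abcdefABCDEF"

def _unquote(s):
    # Minimal percent-decoder; MicroPython has no urllib.parse.
    parts = s.split("%")
    out = bytearray(parts[0].encode())
    for p in parts[1:]:
        if len(p) >= 2 and p[0] in _HEX and p[1] in _HEX:
            out.append(int(p[:2], 16))
            out.extend(p[2:].encode())
        else:
            out.extend(b"%" + p.encode())  # malformed escape: keep literally
    return bytes(out).decode()

def split_url_credentials(url):
    """Return (clean_url, auth); auth is (user, password) or None."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("URL has no scheme")
    # The authority ends at the first '/', '?' or '#'. An '@' or ':' after
    # that point belongs to the path or query, not to userinfo or port.
    end = len(rest)
    for ch in "/?#":
        i = rest.find(ch)
        if i != -1 and i < end:
            end = i
    authority, tail = rest[:end], rest[end:]
    userinfo, at, hostport = authority.rpartition("@")
    if not at:
        return url, None  # nothing to strip; any ':' is host:port
    user, _, password = userinfo.partition(":")
    # clean_url carries no secret, so it is the form to log or print.
    return scheme + "://" + hostport + tail, (_unquote(user), _unquote(password))

def basic_auth_header(user, password):
    # b2a_base64 appends a newline, which must not end up in the header.
    token = binascii.b2a_base64((user + ":" + password).encode()).strip()
    return {"Authorization": "Basic " + token.decode()}

# Constructed sample input (hypothetical host and credentials).
SAMPLE = "https://alice:s3cr%40t@members.example.org:8443/v3/update?hostname=h.example.org&contact=a@b"

if __name__ == "__main__":
    clean, auth = split_url_credentials(SAMPLE)
    print(clean)
    print(basic_auth_header(*auth))
```

The cleaned URL and the returned header dict can then be passed to the request call through its `headers=` argument, so the credential never reaches the host/port parsing.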

CANDIDATE · ISSUE

POST Request with BASIC AUTH - How to?

closed · by tongclement · opened 2020-11-25 · updated 2024-09-13

Dear all,

I am trying to implement a simple pull request with basic auth on the esp32. As seen at https://github.com/micropython/micropython-lib/pull/311, it seems like it is implemented in urequests.post and can be called by:

    res = urequests.post(request_url, headers={'content-type': 'application/json'}, data=post_data, auth=('username','password')).json()
    print(res.text)

However it seems like this doesn't work. Am I not calling this function right? There seems to be no documentation on requests in the official documentation.

Sincerely with Many Thanks,
Clement
