Auth provided in URL skipped if user field is blank  #6494

@shuckc

Description

Describe the bug

Some services publish a URL like:

https://:[email protected]/v3/..."

You can see the user field is an empty length string. When a request is made using aiohttp, the credentials are ignored and the server responds with a 403. This differs from requests and also curl, which parse this URL as having a zero-length username and a valid password.

To Reproduce

The request is sent without credentials

Expected behavior

Credentials should be sent

Logs/tracebacks

N.A.

Python Version

$ python --version
Version: 3.7.4.post0

aiohttp Version

$ python -m pip show aiohttp

multidict Version

$ python -m pip show multidict
Version: 5.1.0

yarl Version

$ python -m pip show yarl
Version: 1.6.3
...

OS

macOS

Related component

Client

Additional context

In asyncio/helpers.py, specifically, invoking strip_auth_from_url calls BasicAuth.from_url, which contains:

@classmethod
def from_url(cls, url: URL, *, encoding: str = "latin1") -> Optional["BasicAuth"]:
    """Create BasicAuth from url."""
    if not isinstance(url, URL):
        raise TypeError("url should be yarl.URL instance")
    if url.user is None:
        # Only the user component is consulted here; url.password is never
        # examined, so a URL with an empty user but a password yields no auth.
        return None
    return cls(url.user, url.password or "", encoding=encoding)

The underlying cause appears to be that yarl returns url.user=None and url.password=mypassword. You can see that url.password is not checked in this case. I will open a PR with suggested fix and test.
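The following is an added illustration of the cause described above, not code from the issue author's PR or from aiohttp. It uses the standard library's urlsplit instead of yarl, so the function and sample names are hypothetical, and the sample URLs are constructed stand-ins for the real endpoint. It places the user-only check from the excerpt beside a check that also consults the password, and shows the Authorization header value that a zero-length user with a password would produce.

```python
# Added example (not from the issue or from aiohttp): reproduces the
# credential-dropping logic with the standard library and shows a check
# that honours a password-only userinfo. Function names are hypothetical.
import base64
from typing import Optional, Tuple
from urllib.parse import urlsplit

Creds = Tuple[str, str]


def split_userinfo(url: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (user, password) as parsed from the URL's userinfo.

    urlsplit reports an absent user as None and an empty one as "".  The issue
    reports that yarl returns None for the empty user as well, so "" is mapped
    to None here to give the extractors below the shape the issue describes.
    """
    parts = urlsplit(url)
    user = parts.username if parts.username else None
    return user, parts.password


def from_url_user_only(url: str) -> Optional[Creds]:
    """Mirrors the excerpt above: credentials are dropped whenever the user is
    None, regardless of whether a password is present."""
    user, password = split_userinfo(url)
    if user is None:
        return None
    return (user, password or "")


def from_url_user_or_password(url: str) -> Optional[Creds]:
    """Return None only when the URL carries neither a user nor a password;
    a zero-length user with a password becomes ("", password)."""
    user, password = split_userinfo(url)
    if user is None and password is None:
        return None
    return (user or "", password or "")


def basic_authorization(creds: Creds, encoding: str = "latin1") -> str:
    """Build the Authorization header value that would be sent for creds."""
    user, password = creds
    token = base64.b64encode(f"{user}:{password}".encode(encoding)).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    # Constructed URLs, not the real endpoint from the issue.
    for sample in (
        "https://:secret@api.example.com/v3/",
        "https://alice:secret@api.example.com/v3/",
        "https://alice@api.example.com/v3/",
        "https://api.example.com/v3/",
    ):
        print(sample, from_url_user_only(sample), from_url_user_or_password(sample))
```

For the password-only URL, from_url_user_only returns None (the request goes out unauthenticated and the server answers 403), while from_url_user_or_password returns ("", "secret"), which encodes to the same "Basic OnNlY3JldA==" header that requests and curl send. A URL with no userinfo at all still yields None under both checks.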
