Support custom encoding for basic auth credentials by kxepal · Pull Request #110 · aio-libs/aiohttp

kxepal · 2014-07-08T08:32:54Z

This introduces BasicAuthEx namedtuple which acts as like as BasicAuth
one with single exception as it handles encoding as third argument.

RFC2617, section 2 (HTTP Authentication) defines basic-credentials:

basic-credentials = base64-user-pass
base64-user-pass  = <base64 encoding of user-pass,
                     except not limited to 76 char/line>
user-pass         = userid ":" password
userid            = *<TEXT excluding ":">
password          = *TEXT

RFC 2616, section 2.1 defines TEXT to have ISO-8859-1 encoding
(aka latin1):

The TEXT rule is only used for descriptive field contents and values
that are not intended to be interpreted by the message parser. Words
of *TEXT MAY contain characters from character sets other than
ISO-8859-1 only when encoded according to the rules of RFC 2047.

In fact, I know no Basic Auth implementation which respects RFC 2047
for Basic Auth.

However, the truth of the real world is that the most major browsers
are already uses UTF-8 instead of ISO-8859-1 for the credentials as
like as any modern web services which allows non-ASCII login/password.

Also, there is the RFC draft which aims to handle the case when
credentials will optionally get always encoded with UTF-8:
http://tools.ietf.org/html/draft-ietf-httpauth-basicauth-update-01

While we should strictly follow common standards, we also need to handle
real world use cases. This change allows that and makes aiohttp ready
for further Basic Auth scheme standard update.

asvetlov · 2014-07-08T09:10:39Z

If you change auth please update proxy authorization for https://github.com/KeepSafe/aiohttp/blob/master/aiohttp/connector.py#L279 also.

kxepal · 2014-07-08T09:28:44Z

Hm...I thought about, but was ensure that it relies on ClientRequest requirements for specified params. Anyway, thanks for spotting. Fixed.

asvetlov · 2014-07-08T09:51:16Z

aiohttp/client.py

Relax the check please

ouch...not sure how did I miss that. thanks!

This introduces BasicAuthEx namedtuple which acts as like as BasicAuth one with single exception as it handles encoding as third argument. RFC2617, section 2 (HTTP Authentication) defines basic-credentials: basic-credentials = base64-user-pass base64-user-pass = <base64 encoding of user-pass, except not limited to 76 char/line> user-pass = userid ":" password userid = *<TEXT excluding ":"> password = *TEXT RFC 2616, section 2.1 defines TEXT to have ISO-8859-1 encoding (aka latin1): The TEXT rule is only used for descriptive field contents and values that are not intended to be interpreted by the message parser. Words of *TEXT MAY contain characters from character sets other than ISO-8859-1 only when encoded according to the rules of RFC 2047. In fact, I know no Basic Auth implementation which respects RFC 2047 for Basic Auth. However, the truth of the real world is that the most major browsers are already uses UTF-8 instead of ISO-8859-1 for the credentials as like as any modern web services which allows non-ASCII login/password. Also, there is the RFC draft which aims to handle the case when credentials will optionally get always encoded with UTF-8: http://tools.ietf.org/html/draft-ietf-httpauth-basicauth-update-01 While we should strictly follow common standards, we also need to handle real world use cases. This change allows that and makes aiohttp ready for further Basic Auth scheme standard update.

asvetlov · 2014-07-08T11:41:07Z

Done. Thanks!

fafhrd91 · 2014-07-08T13:15:50Z

maybe we should make three element namedtuple, something like _BasicAuth.
and replace BasicAuth with function with default third parameter encoding. BasicAuth() function may return _BasicAuth tuple

kxepal · 2014-07-08T13:25:37Z

@fafhrd91 thought about it, but wasn't sure since it could break BC even more. If it's ok, should I submit PR?

asvetlov · 2014-07-08T13:28:36Z

I'm ok with both decisions.

kxepal · 2014-07-08T13:29:00Z

Btw, we can make not function wrapper around private class, but just class with optional third argument:

class BasicAuth(collections.namedtuple('BasicAuth', ['login', 'password', 'encoding'])):
    def __new__(cls, login, password, encoding='latin1'):
        return super().__new__(cls, login, password, encoding)

Would be much better. Such functions-wrappers around private classes in Python 2.x stdlib always annoys me.

UPDATE: code fix, didn't test

fafhrd91 · 2014-07-08T13:33:58Z

@kxepal I like your solution!

fafhrd91 · 2014-07-08T13:40:01Z

also this class can implement .encode() method.

asvetlov · 2014-07-08T13:41:10Z

+1

kxepal · 2014-07-08T13:48:48Z

also this class can implement .encode() method.

mmm...it will be only useful if we'll raise an exception instead of warning when non BasicAuth instance arrives like it happens for ProxyConnector.

kxepal · 2014-07-08T13:51:09Z

Anyway, created #112 for further discussion.

kxepal · 2015-10-01T11:01:26Z

Pingback with new RFC-7617 which defines optional charset parameter. And UTF-8 usage now legalized for user credentials encoding.

asvetlov · 2015-10-01T12:21:08Z

Good to know

asvetlov · 2015-10-01T12:22:20Z

Would do you open an issue for supporting charset param?

kxepal · 2015-10-01T12:23:43Z

Sure. Could even try to make a patch for it.

kxepal · 2015-10-01T12:28:53Z

Done: #540

lock · 2019-10-30T00:02:28Z

This thread has been automatically locked since there has not been
any recent activity after it was closed. Please open a new issue for
related bugs.

If you feel like there's important points made in this discussion,
please include those exceprts into that new issue.

asvetlov reviewed Jul 8, 2014
View reviewed changes

asvetlov merged commit 555c35a into aio-libs:master Jul 8, 2014

lock bot added the outdated label Oct 30, 2019

lock bot locked as resolved and limited conversation to collaborators Oct 30, 2019

Uh oh!

Conversation

kxepal commented Jul 8, 2014

Uh oh!

asvetlov commented Jul 8, 2014

Uh oh!

kxepal commented Jul 8, 2014

Uh oh!

asvetlov Jul 8, 2014

Choose a reason for hiding this comment

Uh oh!

kxepal Jul 8, 2014

Choose a reason for hiding this comment

Uh oh!

asvetlov commented Jul 8, 2014

Uh oh!

fafhrd91 commented Jul 8, 2014

Uh oh!

kxepal commented Jul 8, 2014

Uh oh!

asvetlov commented Jul 8, 2014

Uh oh!

kxepal commented Jul 8, 2014

Uh oh!

fafhrd91 commented Jul 8, 2014

Uh oh!

fafhrd91 commented Jul 8, 2014

Uh oh!

asvetlov commented Jul 8, 2014

Uh oh!

kxepal commented Jul 8, 2014

Uh oh!

kxepal commented Jul 8, 2014

Uh oh!

kxepal commented Oct 1, 2015

Uh oh!

asvetlov commented Oct 1, 2015

Uh oh!

asvetlov commented Oct 1, 2015

Uh oh!

kxepal commented Oct 1, 2015

Uh oh!

kxepal commented Oct 1, 2015

Uh oh!

lock bot commented Oct 30, 2019

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants