fix(fetch): support basic auth from URL #10896

Merged
jasonsaayman merged 6 commits into axios:v1.x from niksy:fetch-auth-in-url
Jun 1, 2026

@niksy niksy commented May 15, 2026

Summary

The fetch adapter is now aligned with the http adapter for Basic auth: it first respects config.auth, and when that is not provided, it falls back to credentials embedded in the request URL, sets Authorization: Basic ..., and clears any existing authorization header so precedence matches Node behavior.

It also sanitizes the URL by stripping credentials before constructing Request, which prevents the TypeError: Request cannot be constructed from a URL that includes credentials.

The existing test was covering the classic http adapter instead of fetch, so it was passing, which is wrong and is now fixed. New tests cover URL-based auth fallback, decoding of percent-encoded credentials, safe handling of malformed percent-encoding without throwing, and confirmation that the auth option overrides a manually provided Authorization header regardless of header casing.

Checklist

  • Tests added or updated (or N/A with reason)
  • Docs / types updated if public API changed (index.d.ts and index.d.cts)
  • No breaking changes (or called out explicitly above)

Summary by cubic

Fixes Basic auth in the fetch adapter to match http, including URL-embedded credentials (username, password, or password-only). Credentials are stripped from the URL and sent via a UTF‑8‑safe Authorization: Basic ... header to avoid Request construction errors.

Description

  • Summary of changes
    • Precedence: config.auth > URL creds; clear any Authorization header (any casing).
    • Decode percent-encoded username/password; keep malformed encodings literal.
    • Support password-only URL creds; parity with http (small http fix included).
    • UTF‑8-safe base64 for username and password; set Authorization: Basic ....
    • Strip creds from URL before creating Request.
    • Lightweight pre-check to avoid parsing URLs without likely creds.
  • Reasoning
    • Align adapters, match Node behavior, and prevent fetch URL-with-credentials errors.
  • Additional context
    • No API changes; behavior matches http and WHATWG URL.

Docs
Please update /docs/ (and README where relevant) to cover:

  • Auth precedence and clearing pre-set Authorization.
  • URL credential fallback (incl. password-only), decoding, and malformed handling.
  • UTF‑8 handling for both username and password, and stripping credentials before Request.

Testing

  • Switched an existing test to target the fetch adapter.
  • Added fetch tests for UTF‑8 credentials, URL-based fallback, percent-decoding (valid/malformed), password-only creds, and auth overriding an Authorization header (any casing).
  • Added an http test for password-only URL creds.

Semantic version impact
Patch: bug fix and behavior alignment; no public API changes.

Written for commit d3d6e60. Summary will update on new commits.
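
The behaviour listed in the description above (precedence, URL fallback including password-only credentials, percent-decoding with malformed input kept literal, UTF-8-safe base64, and credential stripping), sketched as a stand-alone function. This is an added example, not code from the axios pull request; `resolveBasicAuth`, `safeDecode` and `utf8ToBase64` are hypothetical names, and the sketch assumes an absolute URL and a plain-object header map.

```javascript
// Added example (not axios source). resolveBasicAuth, safeDecode and
// utf8ToBase64 are hypothetical names; an absolute URL is assumed.

// Percent-decode a URL credential; malformed sequences are kept literal.
function safeDecode(value) {
  try {
    return decodeURIComponent(value);
  } catch {
    return value;
  }
}

// Base64 over UTF-8 bytes: btoa() alone throws on code points above U+00FF.
function utf8ToBase64(text) {
  let binary = '';
  for (const byte of new TextEncoder().encode(text)) binary += String.fromCharCode(byte);
  return btoa(binary);
}

// Returns the credential-free URL and the headers to pass to `new Request()`.
function resolveBasicAuth({ url, auth, headers = {} }) {
  const out = { ...headers };
  let cleanUrl = url;
  // config.auth takes precedence over anything embedded in the URL.
  let creds = auth ? { username: auth.username || '', password: auth.password || '' } : null;

  // Lightweight pre-check: only parse URLs that can contain userinfo.
  if (url.includes('@')) {
    const parsed = new URL(url);
    if (parsed.username || parsed.password) { // also true for password-only
      creds = creds || {
        username: safeDecode(parsed.username),
        password: safeDecode(parsed.password),
      };
      parsed.username = '';
      parsed.password = '';
      cleanUrl = parsed.href; // Request rejects URLs that include credentials
    }
  }

  if (creds) {
    // Clear any caller-supplied Authorization header, whatever its casing.
    for (const name of Object.keys(out)) {
      if (name.toLowerCase() === 'authorization') delete out[name];
    }
    out.Authorization = 'Basic ' + utf8ToBase64(`${creds.username}:${creds.password}`);
  }
  return { url: cleanUrl, headers: out };
}
```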


@niksy niksy requested a review from jasonsaayman as a code owner May 15, 2026 08:36
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment


1 issue found across 2 files

Confidence score: 3/5

  • There is a concrete regression risk in lib/adapters/fetch.js: using btoa(auth) can throw a DOMException for non-Latin1 credentials, which may break Basic Auth for affected users.
  • I’m scoring this as moderate risk because the issue is fairly severe (7/10) with strong confidence (8/10) and can cause user-facing request failures, even though the change surface appears limited.
  • Pay close attention to lib/adapters/fetch.js - align credential encoding behavior with the HTTP adapter to avoid non-Latin1 auth failures.
Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="lib/adapters/fetch.js">

<violation number="1" location="lib/adapters/fetch.js:242">
P1: `btoa(auth)` may throw DOMException for non-Latin1 credentials, diverging from http adapter behavior</violation>
</file>


Comment thread lib/adapters/fetch.js Outdated
@niksy niksy force-pushed the fetch-auth-in-url branch from 7f5f927 to 16148de Compare May 15, 2026 08:45
@jasonsaayman
Member

@cubic-dev-ai please review in depth again

@cubic-dev-ai
Contributor

cubic-dev-ai Bot commented May 15, 2026

@cubic-dev-ai please review in depth again

@jasonsaayman I have started the AI code review. It will take a few minutes to complete.

@jasonsaayman jasonsaayman added the priority::medium (A medium priority) and commit::fix (The PR is related to a bugfix) labels May 15, 2026
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment


1 issue found across 2 files

Confidence score: 3/5

  • There is a concrete, user-facing behavior risk in lib/adapters/fetch.js: password-only URL credentials (like https://:[email protected]) are currently dropped because fallback logic checks only parsedURL.username.
  • Given the medium severity (5/10) with high confidence (9/10), this is more than a cosmetic issue and could cause authentication failures for a valid credential format.
  • This looks scoped to a specific credential edge case rather than a broad breakage, so risk is moderate rather than critical.
  • Pay close attention to lib/adapters/fetch.js - credential parsing/fallback should preserve password-only credentials instead of silently omitting them.
Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="lib/adapters/fetch.js">

<violation number="1" location="lib/adapters/fetch.js:244">
P2: URL credential fallback ignores password-only credentials (e.g. `https://:[email protected]`) because it checks `parsedURL.username` only, causing credentials to be silently dropped.</violation>
</file>


Comment thread lib/adapters/fetch.js Outdated
@niksy
Author

niksy commented May 17, 2026

@cubic-dev-ai

@cubic-dev-ai
Contributor

cubic-dev-ai Bot commented May 17, 2026

@cubic-dev-ai

@niksy I have started the AI code review. It will take a few minutes to complete.

Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 4 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.


Comment thread lib/adapters/fetch.js Outdated
Member

@jasonsaayman jasonsaayman left a comment


Just one small issue, thanks

@jasonsaayman jasonsaayman added the status::changes-requested (A reviewer requested changes to the PR) label May 24, 2026
@niksy niksy force-pushed the fetch-auth-in-url branch from b7ae540 to 61f12db Compare May 25, 2026 13:12
@niksy niksy force-pushed the fetch-auth-in-url branch from 61f12db to f5b76ce Compare May 25, 2026 13:15
@niksy niksy requested a review from jasonsaayman May 25, 2026 13:15
@jasonsaayman jasonsaayman dismissed their stale review May 26, 2026 17:47

Re-review

@jasonsaayman jasonsaayman merged commit 38ba1b3 into axios:v1.x Jun 1, 2026
26 checks passed
@jasonsaayman jasonsaayman removed the status::changes-requested (A reviewer requested changes to the PR) label Jun 1, 2026