ClientRequest auth should use an Authorization header #178

Closed
djones6 opened this issue Mar 13, 2019 · 2 comments
djones6 commented Mar 13, 2019

In #171 we noted that currently, the username and password fields are being sent as part of the URL for basic authentication, and that they are currently not percent-escaped by the NIO client.

Rather than escaping them, I believe they should instead be sent in an Authorization header. This would alleviate the need to escape their values, besides being recommended practice. Normally the Authorization header is sent in response to a server sending a WWW-Authenticate header, but I believe it's valid to provide it outside of that flow.

This would be a behavioural (breaking?) change as the format of the URL would change where basic authentication is being used, and would require recipients to support parsing the Authorization header (which I believe they should do, but I can imagine there may be implementations out there that assume they'll be tacked on to the URL).

Both Kitura-NIO and Kitura-net would need to be changed to behave consistently.
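
The change proposed in the comment above, sketched as an added example that is not part of the original thread and is not Kitura-NIO's or Kitura-net's code: credentials are taken out of the URL's userinfo component, percent-decoded, and sent as a Basic `Authorization` header value instead. The names `SplitRequest` and `moveCredentialsToHeader` and the sample URLs are hypothetical and constructed for illustration.

```swift
import Foundation

/// Hypothetical result type: the URL without credentials, plus the header value to send.
struct SplitRequest {
    let url: String              // URL with the userinfo component removed
    let authorization: String?   // Authorization header value, nil if the URL had no credentials
}

/// Hypothetical helper (not a Kitura API): moves `user:password@` from the URL
/// into a Basic Authorization header value.
func moveCredentialsToHeader(_ rawURL: String) -> SplitRequest? {
    guard var components = URLComponents(string: rawURL) else { return nil }
    // URLComponents returns `user` and `password` already percent-decoded,
    // so the header carries the real characters and nothing needs escaping.
    guard let user = components.user else {
        return SplitRequest(url: rawURL, authorization: nil)
    }
    let password = components.password ?? ""
    // In Basic auth the first colon separates user-id from password,
    // so a user-id containing ":" cannot be represented; reject it.
    guard !user.contains(":") else { return nil }
    // Clear both fields so the credentials no longer appear in the request URL.
    components.user = nil
    components.password = nil
    guard let stripped = components.string else { return nil }
    let token = Data("\(user):\(password)".utf8).base64EncodedString()
    return SplitRequest(url: stripped, authorization: "Basic \(token)")
}

// Constructed sample inputs: reserved characters in the password, no credentials,
// and a percent-encoded colon in the user-id (rejected).
let samples = [
    "https://alice:p%40ss%3Aword@example.com/api?x=1",
    "https://example.com/api?x=1",
    "https://al%3Aice:secret@example.com/",
]
for sample in samples {
    if let result = moveCredentialsToHeader(sample) {
        print("URL:           \(result.url)")
        print("Authorization: \(result.authorization ?? "(none)")")
    } else {
        print("Rejected:      \(sample)")
    }
}
```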

djones6 added this to the 2019.06 milestone Mar 13, 2019
ianpartridge modified the milestones: 2019.06, 2019.08 Apr 10, 2019
pushkarnk modified the milestones: 2019.08, 2019.09 Apr 24, 2019
pushkarnk modified the milestones: 2019.09, 2019.10 May 15, 2019
pushkarnk modified the milestones: 2019.10, 2019.11 May 22, 2019
pushkarnk modified the milestones: 2019.11, 2019.12 Jun 4, 2019
pushkarnk removed their assignment Jun 19, 2019
ianpartridge modified the milestones: 2019.12, 2019.13 Jun 19, 2019
ianpartridge modified the milestones: 2019.13, 2019.14 Jul 3, 2019

djones6 commented Jul 8, 2019

We discovered that for Kitura-net, libcurl already handles this for us: credentials prepended to the URL are removed and sent instead as an Authorization header.

Need to confirm whether the same happens for Kitura-NIO.

djones6 modified the milestones: 2019.14, 2019.15 Jul 31, 2019

djones6 commented Aug 15, 2019

This was merged (for Kitura-NIO).
