Implement BasicAuth decode classmethod.

[luhn]

If you can encode, you should be able to decode.

Loosely based off of https://github.com/rdegges/python-basicauth, which is in the public domain.

[kxepal]

Why this case exists?

[luhn]

Because https://github.com/rdegges/python-basicauth implements it. Happy to remove it if you want.

[kxepal]

I would be better strict to the specification where auth scheme is mandatory. Unlikely Authorization: Zm9vOmJhcg== will be a valid basic auth header.

[asvetlov]

I want have a real use case anyway.
What the purpose of added method?

[luhn]

So I can implement Basic Auth on my server.

auth = BasicAuth.decode(request.headers['Authorization'])
if not (auth.login == 'admin' and auth.password == 'password123'):
    raise HTTPForbidden(reason='Go away, hacker!')

[asvetlov]

@luhn sounds good.
Would you implement Request.authorization property also? It may be similar to .if_modified_since https://github.com/KeepSafe/aiohttp/blob/master/aiohttp/web_reqrep.py#L229

[luhn]

Done.

[asvetlov]

Almost perfect from my side but BasicAuth.decode should be documented in docs/client_reference.rst and Request.authorization in docs/web_reference.rst.
Sorry, I don't want to use autodoc feature -- docstrings should be readable and relative short.
All autodoc-styled docstrings will be replaced eventually.

@kxepal are you ok with PR's functionality?

[kxepal]

Here is the trick:

>>> header = 'basic aGVsbG860LzQuNGAIQ=='
>>> auth = BasicAuth.decode(header)
>>> auth.password
'миÑ\x80!
'>>> bytearray([ord(i) for i in auth.password]).decode('utf-8')
'мир!'

So, unfortunately, this method will work correctly until you stay in latin1 name space. If your users will be allowed to have unicode wide password, they'll have to reimplement it. Somehow you'll have to inject encoding here. Thoughts?

[luhn]

We could remain encoding-neutral and have BasicAuth store login and password as bytes rather than strings.

Or we could assume UTF-8, since it is fairly universal these days. Also, the latest update on HTTP Basic Auth defines a charset field, but UTF-8 is the only allowed value (seems silly), so UTF-8 doesn't seem that bad of an assumption.

[kxepal]

@luhn I would agree with that with happy, but you don't know how many services that works with the local national encoding by default (this includes latin1, cp1251, etc.) /:

The charset parameter you reference works only with the flow:

1. Make request
2. Receive HTTP 401 with WWW-Authenticate and that charset param
3. Resend request with Authorization header where credentials respects previously mentioned charset

This means some interaction with the user and works perfectly with the browsers, but not with the libraries ):

[luhn]

Understood.

We could make authorization a method instead of a property and have an encoding argument?

[kxepal]

Suddenly, it seems so.

Or may be don't try to parse anything here and just return Authorization header as is. The more I'm thinking about the more I realize that to handle this header no matter for what auth scheme you need somehow interact with application config (for the encoding, secrets, hash algos etc.). The request eventually known nothing about these bits and it shouldn't. This will delegate parse task to user land where it's possible to do that correctly and without much hacks.

@asvetlov what do you think?

[kxepal]

@asvetlov Basically, yes, but there are few edge cases. The Request.authorization is good idea and I wonder if it's possible to make it plug-able to allow users easily manage various auth scheme handlers for oauth, api tokens and else reusing Request API instead on implementing own helpers. Feature is definitely not for this PR, but I think in basics it can help to deal with annoying encoding bit.

[asvetlov]

Ok. Let's implement .encode() only without .authorization.
It's really not obvious now how to process different auth schemes.
@luhn would you update the Pull Request?

[luhn]

Hi guys, sorry for the delay, forgot about this PR. Is this what you wanted?

[fafhrd91]

@asvetlov @kxepal status?

[kxepal]

You can use :param str auth_header: ... today, but aiohttp doesn't uses docstring in code, but separate files under doc/ directory.

[kxepal]

LGFM except docs bit.

[luhn]

How's that?

[coveralls]

Coverage decreased (-0.02%) to 98.196% when pulling 1f14c40 on luhn:basic-auth-decode into 024f6e1 on KeepSafe:master.

[kxepal]

@luhn here: https://github.com/KeepSafe/aiohttp/blob/master/docs/client_reference.rst#basicauth

[luhn]

I don't understand what it is you wish me to do.

[luhn]

To clarify: I've already updated the docs in client_reference.rst and I'm unsure what further needs to be done.

[kxepal]

@luhn mmm...it seems I was look on some old commit then. Sorry for confusion, everything looks good for me. +1

[fafhrd91]

Thanks!

[lock]

This thread has been automatically locked since there has not been
any recent activity after it was closed. Please open a new issue for
related bugs.

If you feel like there's important points made in this discussion,
please include those exceprts into that new issue.