Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

URL decode passwords for storage #2947

Closed
wants to merge 1 commit into from
Closed

URL decode passwords for storage #2947

wants to merge 1 commit into from

Conversation

zanieb
Copy link
Member

@zanieb zanieb commented Apr 9, 2024
edited

Closes #2822
Same idea as #2592

Needs a test plan still.

@zanieb zanieb added the bug Something isn't working label Apr 9, 2024
@zanieb zanieb mentioned this pull request Apr 9, 2024
Closed
zanieb
zanieb commented Apr 9, 2024
View reviewed changes
crates/uv-auth/src/store.rs
username: urlencoding::decode(url.username())
.expect("An encoded username should always decode")
.into_owned(),
password: url.password().map(str::to_string),
password: url.password().map(|password| {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

url.password() is explicitly a percent-encoded string so this makes a lot of sense to me.

@zanieb
Copy link
Member Author

zanieb commented Apr 9, 2024
edited

I think the problem is roughly that we use set_username and set_password to apply the credentials

uv/crates/uv-auth/src/store.rs

Lines 47 to 55 in 43ded54

impl UrlAuthData {
pub fn apply_to_url(&self, mut url: Url) -> Url {
url.set_username(&self.username)
.unwrap_or_else(|()| warn!("Failed to set username"));
url.set_password(self.password.as_deref())
.unwrap_or_else(|()| warn!("Failed to set password"));
url
}
}

but those percent-encode the credentials which are already be percent-encoded since we pulled from from url.username() and url.password() which do not perform decoding.

I want to make some changes to the documentation and structs here to clarify this.

@zanieb zanieb mentioned this pull request Apr 10, 2024
Merged
@zanieb
Copy link
Member Author

zanieb commented Apr 15, 2024

Implemented in #2976

@zanieb zanieb closed this Apr 15, 2024
zanieb added a commit that referenced this pull request Apr 16, 2024
@zanieb
Rewrite uv-auth (#2976)
c0efeed 
Closes 

- #2822 
- #2563 (via #2984)

Partially address:

- #2465
- #2464

Supersedes:

- #2947
- #2570 (via #2984)

Some significant refactors to the whole `uv-auth` crate:

- Improving the API
- Adding test coverage
- Fixing handling of URL-encoded passwords
- Fixing keyring authentication
- Updated middleware (see #2984 for more)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@charliermarsh charliermarsh charliermarsh approved these changes

Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

HTTP Authentication doesn't work for google artifact registry python index
2 participants
@zanieb @charliermarsh