Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull Request Description
I have added this in #8591, but I have realised it may not be a good idea to have it, so I am removing that particular change.
Rationale for the changes
Reading RFC 3986 we can see that setting a password through user-info is deprecated, because it is deemed unsafe.
Moreover, basic testing suggests that our HTTP client did not in fact send this user info anyway (I'm not 100% sure of that, I'm however quite sure that it was not possible to read this data back in our HTTP server using the available APIs, after some digging).
It seems that the typical thing to do with user info specified in URI is to convert it into the
Authorization: Basic
HTTP header. At least that is what CURL does:So, there is no 'native' support for user info in the URI. What we could do is automatically translate it into the
Authorization: Basic
header, like CURL does - but I'm not sure that this would be the right call. Instead, I think the user should refrain from using the user info at all for authorization, and just use ourHeader.authorization_basic
instead.Note that this does not prevent users from typing in user info directly, e.g.
URI.from "http://user@pass:example.com/"
will still be parsed and include the user info in the URI, handling it with the default behaviour (i.e. it will unfortunately be ignored later).The only API change is that we remove
set_user_info
helper, which was encouraging users to use this deprecated feature.Checklist
Please ensure that the following checklist has been satisfied before submitting the PR:
Scala,
Java,
and
Rust
style guides. In case you are using a language not listed above, follow the Rust style guide.
./run ide build
.