Conversation
Webfleet deprecated username/password in the request URL; the URL-based authentication is removed end of June 2026. Credentials are now base64-encoded into an Authorization: Basic header per RFC 7617 and unconditionally stripped from the query string. account, apikey and sessiontoken remain query parameters. Also drops a redundant normalizeHeaders() call in TinyCurlClient that doubled the Authorization prefix (vendor Request::fetch normalizes once, the adapter was normalizing again). Bumps the PHP requirement to 7.1 for a nullable return type.
There was a problem hiding this comment.
Pull request overview
This PR updates php-webfleet to comply with Webfleet’s upcoming deprecation of URL-based username/password authentication by moving credentials to an RFC 7617 HTTP Basic Authorization header and stripping credentials from the query string. It also removes a redundant header normalization step that could corrupt the Authorization header, and bumps the minimum PHP version to support a nullable return type.
Changes:
- Add
WebfleetOptions::getBasicAuthHeader()to generate an RFC 7617 Basic auth header value. - Strip
username/passwordfrom request query params and send credentials viaAuthorization: Basic ...header. - Stop double-normalizing headers in
TinyCurlClientand bump minimum PHP to 7.1 (README + composer).
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| src/WebfleetOptions.php | Adds helper to build a Basic auth header from configured credentials. |
| src/WebfleetEndpoint.php | Removes URL credentials from query parameters and injects an Authorization header into requests. |
| src/HTTP/TinyCurlClient.php | Avoids double header normalization that could break header formatting. |
| README.md | Updates documented PHP requirement to 7.1+. |
| composer.json | Updates PHP requirement to >=7.1. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
sb-everbeek
approved these changes
May 29, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Webfleet deprecated username/password in the request URL; the
URL-based authentication is removed end of June 2026.
Credentials are now base64-encoded into an Authorization: Basic
header per RFC 7617 and unconditionally stripped from the query
string. account, apikey and sessiontoken remain query parameters.
Also drops a redundant normalizeHeaders() call in TinyCurlClient
that doubled the Authorization prefix (vendor Request::fetch
normalizes once, the adapter was normalizing again).
Bumps the PHP requirement to 7.1 for a nullable return type.