Faraday: Passing a URL with embedded basic auth is broken

Created on 1 Sep 2021  ·  5 Comments  ·  Source: lostisland/faraday

The recent authentication middleware refactoring broke passing a URL with embedded basic auth in the user info part of the URI, because basic_auth is still used in url_prefix= https://github.com/lostisland/faraday/blob/0f9626c48d0daa24888cb4e5e7962c106a48d97f/lib/faraday/connection.rb#L364-L367

~/src/github.com/lostisland/faraday (1.x) $ ruby -Ilib -rfaraday -rfaraday/net_http -rjson -e "puts JSON.load(Faraday.new(url: 'https://user:[email protected]/headers').get.body)['headers']['Authorization']"
WARNING: `Faraday::Connection#basic_auth` is deprecated; it will be removed in version 2.0.
While initializing your connection, use `#request(:basic_auth, ...)` instead.
See https://lostisland.github.io/faraday/middleware/authentication for more usage info.
Basic dXNlcjpwYXNzd29yZA==
~/src/github.com/lostisland/faraday (main) $ ruby -Ilib -rfaraday -rfaraday/net_http -rjson -e "puts JSON.load(Faraday.new(url: 'https://user:[email protected]/headers').get.body)['headers']['Authorization']"
lib/faraday/connection.rb:365:in `block in url_prefix=': undefined method `basic_auth' for #<Faraday::Connection:0x00007fed250abaa8 @parallel_manager=nil, @headers={}, @params={}, @options=#<Faraday::RequestOptions (empty)>, @ssl=#<Faraday::SSLOptions (empty)>, @default_parallel_manager=nil, @manual_proxy=nil, @builder=#<Faraday::RackBuilder:0x00007fed25092210 @adapter=Faraday::Adapter::NetHttp, @handlers=[Faraday::Request::UrlEncoded]>, @url_prefix=#<URI::HTTPS https://user:[email protected]/headers>> (NoMethodError)
    from lib/faraday/connection.rb:506:in `with_uri_credentials'
    from lib/faraday/connection.rb:364:in `url_prefix='
    from lib/faraday/connection.rb:84:in `initialize'
    from lib/faraday.rb:96:in `new'
    from lib/faraday.rb:96:in `new'
    from -e:1:in `<main>'

A test demonstrating this is available here: https://github.com/lostisland/faraday/compare/1.x...etiennebarrie:test-basic-auth-in-url:

it 'uses User Information from the URI for Basic authentication' do
  conn.url_prefix = 'http://user:password@sushi.com'
  expect(conn.url_prefix.to_s).to eq('http://sushi.com/')
  request = conn.build_request(:get)
  expect(request.headers['Authorization']).to eq("Basic #{Base64.strict_encode64('user:password')}")
end

We should decide if we want to fix this or remove support for this feature.

See comment by @etiennebarrie in https://github.com/lostisland/faraday/issues/1308#issuecomment-909109525

bug unconfirmed

All 5 comments

@etiennebarrie I'm quoting your thoughts from the comment:

"While I'm not against deprecating basic_auth and authorization on Connection, I think being able to have basic auth embedded in the URL is really useful (it can be configured in secrets for example)."

I'm seriously thinking of removing the support for this.
It seems like this practice has been deprecated back in 2005 and most of the major browsers have been dropping its support as well.

I'm also curious about your example above:

"it can be configured in secrets for example"

I don't see how using the basic_auth middleware would not allow you to use secrets?
Wouldn't something like this work?

# Faraday 1.x
conn = Faraday.new(url_with_no_userinfo) do |f|
  # Configure the middleware on the block argument; `conn` is not assigned yet here.
  f.request :basic_auth, Secrets.basic_auth_user, Secrets.basic_auth_pass
  # ...
end

We basically do:

def connection
  Faraday.new(url: server) do
    # other config
  end
end

def server
  if global?
    secrets.global
  elsif something?
    secrets.other
  elsif something_else?
    secrets.another
  end
end

So we just need one secret per URL/user/password.


We can totally split each secret into three, or even keep the single URL secret but extract the user password before passing it down to Faraday.
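
The second option mentioned in the comment above, keeping the single URL secret and extracting the user and password before the URL reaches Faraday, could look like this. It is an added example, not code from this thread or from Faraday; `UrlSecret`, `decode_userinfo` and `split_url_secret` are hypothetical names, and it uses only Ruby's standard `uri` library.

```ruby
require 'uri'

# Added example, not Faraday's code. UrlSecret, decode_userinfo and
# split_url_secret are hypothetical names.
UrlSecret = Struct.new(:url, :user, :password) do
  # Authorization header value, or nil when the URL carried no credentials.
  def authorization
    return nil unless user && password

    # pack('m0') is strict Base64, the same output as Base64.strict_encode64.
    "Basic #{["#{user}:#{password}"].pack('m0')}"
  end

  # Keep the password out of inspect/to_s, and so out of logs and error text.
  def inspect
    "#<UrlSecret url=#{url.inspect} user=#{user.inspect} password=[FILTERED]>"
  end
  alias_method :to_s, :inspect
end

# Percent-decode one userinfo component ("%40" -> "@"); "+" stays literal.
def decode_userinfo(part)
  bytes = part.b.gsub(/%(\h\h)/) { Regexp.last_match(1).hex.chr }
  bytes.force_encoding(Encoding::UTF_8)
end

# Split "https://user:pass@host/path" into a credential-free URL plus the
# credentials to hand to the basic_auth middleware.
def split_url_secret(secret_url)
  uri = URI.parse(secret_url)
  raise ArgumentError, 'expected an http(s) URL' unless uri.is_a?(URI::HTTP)

  # URI#user and URI#password return the raw, still percent-encoded text.
  user = uri.user && decode_userinfo(uri.user)
  password = uri.password && decode_userinfo(uri.password)

  # Clear the password before the user, then serialize without userinfo.
  uri.password = nil
  uri.user = nil
  UrlSecret.new(uri.to_s, user, password)
end

# Usage with the Faraday 1.x middleware form shown in this thread
# (secrets.global is the thread's own placeholder for the URL secret):
#   secret = split_url_secret(secrets.global)
#   Faraday.new(url: secret.url) do |f|
#     f.request :basic_auth, secret.user, secret.password
#   end
```

Because the userinfo is removed before `Faraday.new` is called, `url_prefix` never holds the credentials, unlike the connection object dumped in the `NoMethodError` output at the top of this issue.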

Yes that's what I thought, thanks for confirming @etiennebarrie 👍

Hi, here is another use case: elastic/elasticsearch-ruby#1479

Thanks for the input @tagliala, ultimately we want to please the community, so it's important to understand how much this feature is used in order to decide about its future.

This is obviously a widespread library, so many thanks for pointing it out.
