
Raise ValueError if BasicAuth login has a ":" #1307

Merged
merged 1 commit into from
Oct 13, 2016

Conversation

kawadia
Contributor

@kawadia kawadia commented Oct 12, 2016

What do these changes do?

Improves BasicAuth by raising ValueError if BasicAuth login has a ":". A colon is not allowed in login/username per RFC 1945#section-11.1.

Are there changes in behavior for the user?

Yes. Current BasicAuth would silently fail to authenticate if login has a ":". This change would instead raise a clear error to the user.

Related issue number

Checklist

  • [*] I think the code is well written
  • [*] Unit tests for the changes exist
  • Documentation reflects the changes
  • [*] Add yourself to CONTRIBUTORS.txt
  • [*] Add a new entry to CHANGES.rst
    • Choose any open position to avoid merge conflicts with other PRs.
    • Add a link to the issue you are fixing (if any) using #issue_number format at the end of changelog message. Use Pull Request number if there are no issues for PR or PR covers the issue only partially.

@codecov-io

Current coverage is 98.50% (diff: 100%)

Merging #1307 into master will increase coverage by <.01%

@@             master      #1307   diff @@
==========================================
  Files            29         29          
  Lines          6497       6499     +2   
  Methods           0          0          
  Messages          0          0          
  Branches       1090       1091     +1   
==========================================
+ Hits           6400       6402     +2   
  Misses           47         47          
  Partials         50         50          

Powered by Codecov. Last update 63a0d5c...b724adb

@asvetlov asvetlov merged commit 1d47bf7 into aio-libs:master Oct 13, 2016
@asvetlov
Member

Thanks!

@kawadia kawadia deleted the no_colon_in_basicauth branch October 13, 2016 05:22
@@ -47,6 +47,10 @@ def __new__(cls, login, password='', encoding='latin1'):
if password is None:
raise ValueError('None is not allowed as password value')

if ':' in login:
raise ValueError(
'A ":" is not allowed in login (RFC 1945#section-11.1)')
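Review bot: the RFC cited in the new error message should be the Basic authentication spec, not RFC 1945 section 11.1, which is the HTTP/1.0 specification; as the review discussion on this PR points out, RFC 7617 section 2 is the text that makes a user-id containing a colon invalid (the first colon of the user-pass string separates user-id from password, so such a user-id cannot be encoded). Suggest `'A ":" is not allowed in login (RFC 7617#section-2)'`. The placement of the check is right: it sits after the `password is None` guard and before any encoding, so the colon raises instead of producing a token that a server would split in the wrong place.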
Member

Sorry for being so late to the party, but this is not a very correct RFC reference since:

  1. it is about HTTP/1.0
  2. there it disallows non-latin usernames, while we don't.

Here is a better one: https://tools.ietf.org/html/rfc2617#section-2

Member

Meanwhile the newer https://tools.ietf.org/html/rfc7617#page-3 allows any characters for user/pass except control ones. And the colon : is allowed, but needs to be escaped.

Member

Thanks.
I'll use yarl.quote for both parts separately.

Member

Hmm, after re-reading RFC 7617 I've found:

The user-id and password MUST NOT contain any control characters (see "CTL" in Appendix B.1 of [RFC5234]).

Furthermore, a user-id containing a colon character is invalid, as the first colon in a user-pass string separates user-id and password from one another; text after the first colon is part of the password.

User-ids containing colons cannot be encoded in user-pass strings.

Looks like the PR is correct.

Member

There is nothing about user-id encoding like percent-quoting etc.

Member

That's strange, because without percent-quoting you're not able to use non-ascii names and passwords, which is quite awkward today. And since you actually can have them, quoting the colon character doesn't break the parser while it's quoted.

Member

No, the translation is base64encode(user+':'+password).
Base64 converts utf8 strings into ascii losslessly.
But a colon in user is forbidden.
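A short Python illustration of the two points made in this comment and in the earlier one quoting RFC 7617: the first colon of the user-pass string is the separator, so a user-id containing a colon cannot be represented, and base64 alone carries UTF-8 names and passwords to ASCII without any percent-quoting. This is an added example, not aiohttp's BasicAuth implementation; the function names are my own, and the RFC 7617 sample credentials ("Aladdin" / "open sesame") are used as input.

```python
import base64
from typing import Tuple

# Added example (not aiohttp's code). Shows why RFC 7617 section 2 makes a
# colon in the user-id unencodable and why base64 alone is enough for
# non-ASCII credentials. Sample credentials are the RFC's own example pair.


def is_valid_login(login: str) -> bool:
    """RFC 7617 section 2: the first colon of the user-pass string separates
    user-id and password, so a user-id that itself contains ':' has no
    representation in that string."""
    return ":" not in login


def naive_encode(login: str, password: str, encoding: str = "utf-8") -> str:
    """Base64 the user-pass string with no validation. This is the pre-PR
    behaviour: a colon in the login silently yields a token that the server
    splits in the wrong place, so authentication just fails."""
    user_pass = f"{login}:{password}".encode(encoding)
    return base64.b64encode(user_pass).decode("ascii")


def encode_basic(login: str, password: str, encoding: str = "utf-8") -> str:
    """Same as naive_encode, but rejects the colon up front, as this PR does.
    No percent-quoting is involved: base64 maps any UTF-8 byte sequence to
    ASCII losslessly, so non-ASCII names and passwords round-trip as-is."""
    if not is_valid_login(login):
        raise ValueError('A ":" is not allowed in login (RFC 7617#section-2)')
    return naive_encode(login, password, encoding)


def decode_basic(token: str, encoding: str = "utf-8") -> Tuple[str, str]:
    """Server-side split: everything after the *first* colon is the password,
    whatever colons the password itself may contain."""
    user_pass = base64.b64decode(token).decode(encoding)
    user, _, password = user_pass.partition(":")
    return user, password


if __name__ == "__main__":
    # RFC 7617 example credentials.
    print(encode_basic("Aladdin", "open sesame"))  # QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    # A colon in the login is misparsed by the receiver: ('al', 'ice:s3cret')
    print(decode_basic(naive_encode("al:ice", "s3cret")))
    # A colon in the password is fine: ('alice', 'p:ss')
    print(decode_basic(naive_encode("alice", "p:ss")))
    # Non-ASCII round-trips through base64 with no quoting step.
    print(decode_basic(encode_basic("ユーザー", "pässword")))
```

The `decode_basic` side is what the comment in the thread is getting at: a receiver cannot tell "al:ice" / "s3cret" apart from "al" / "ice:s3cret", so the only safe client behaviour is to refuse the colon before encoding, which is exactly what the PR's `ValueError` does.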

@asvetlov asvetlov mentioned this pull request Oct 14, 2016

lock bot commented Oct 29, 2019

This thread has been automatically locked since there has not been
any recent activity after it was closed. Please open a new issue for
related bugs.

If you feel like there are important points made in this discussion,
please include those excerpts into that new issue.
