Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support for bearer auth in .netrc #267

Merged
merged 4 commits into from
Aug 12, 2022

Conversation

porglezomp
Copy link
Contributor

Previously the .netrc only handled authorization that contains both a username and password.

This is a divergence from the behavior of httpie.

This only activates when --auth-type bearer is specified without the --auth flag, so I believe it should be a compatible change. (I believe previously using it like this would have always reported an error?)

Previously the .netrc only handled authorization that contains both a
username and password.

This is a divergence from the behavior of httpie. This only activates
when `--auth-type bearer` is specified without the `--auth` flag, so I
believe it should be a compatible change.
@porglezomp
Copy link
Contributor Author

force-pushed to squash rustfmt fixes into the commits

@ducaale
Copy link
Owner

ducaale commented Aug 10, 2022

Thanks, @porglezomp. Can I double check which version of HTTPie was the .netrc working with --auth-type=bearer? In the latest version of HTTPie (v3.2.1), it doesn't seem that --auth can be left out, which is a prerequisite for using the .netrc file

$ cat .netrc
machine httpbin.org
password pass

$ http --version
3.2.1

$ http -v httpbin.org/json --auth-type bearer
usage:
    http [METHOD] URL [REQUEST_ITEM ...]

error:
    --auth required

for more information:
    run 'http --help' or visit https://httpie.io/docs/cli

@porglezomp
Copy link
Contributor Author

This is specifically different behavior from httpie.
It's an enhancement to xh that I found useful, and I'm less confident about making the change on the httpie side.

I don't know how strict you're interested in the compatibility between xh and httpie being.
I personally felt alright making this change since it still leaves xh as a drop-in replacement (although not vice-versa).

This enhancement doesn't change behavior on any httpie command that currently works:

  • if you don't explicitly request the --auth-type=bearer it won't act any differently
  • existing commands using --auth-type=bearer (in scripts and things) would be passing --auth so it won't consult the .netrc for the token in those cases

This does cause xh to handle a new case.

src/auth.rs Outdated Show resolved Hide resolved
@ducaale
Copy link
Owner

ducaale commented Aug 11, 2022

This enhancement doesn't change behavior on any httpie command that currently works:

  • if you don't explicitly request the --auth-type=bearer it won't act any differently
  • existing commands using --auth-type=bearer (in scripts and things) would be passing --auth so it won't consult the .netrc for the token in those cases

I am okay with supporting .netrc for bearer auth but I'm a little nervous about making the login field optional. Can you revert login to be required but ignore it when the auth type is bearer?

Copy link
Collaborator

@blyxxyz blyxxyz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using netrc for this feels like a stretch, but I can't think of any failure scenarios or obviously better alternatives, so I think supporting this is for the best.

(We can't extend the format with a token directive, Python's netrc parser doesn't like that.)

In httpie/cli#1216 Jakub actually suggested this enhancement, so it's worth trying there as well, so I think it would be accepted in HTTPie.

@@ -438,13 +448,20 @@ mod tests {
notfound(STRANGE_CHARACTERS, COM);
}

fn found(netrc: &str, host: url::Host<&str>, login: &str, password: &str) {
#[track_caller]
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't know about that attribute, this is great

@blyxxyz
Copy link
Collaborator

blyxxyz commented Aug 11, 2022

I am okay with supporting .netrc for bearer auth but I'm a little nervous about making the login field optional. Can you revert login to be required but ignore it when the auth type is bearer?

An optional login field seems fine as long as it's only optional for bearer auth, and when the password is a token there's no good value for login. So I think it's better this way.

Though HTTPie crashes if there's no login:

  File "[...]/httpie/cli/argparser.py", line 316, in _process_auth
    orig=SEPARATOR_CREDENTIALS.join(netrc_credentials)
TypeError: sequence item 0: expected str instance, NoneType found

@ducaale
Copy link
Owner

ducaale commented Aug 11, 2022

An optional login field seems fine as long as it's only optional for bearer auth, and when the password is a token there's no good value for login. So I think it's better this way.

@blyxxyz What if we require the login field to equal token when using bearer authentications? When I searched for .netrc + bearer auth, the only thing I could find was databricks which did it that way. See https://docs.databricks.com/dev-tools/api/latest/authentication.html#store-tokens-in-a-netrc-file-and-use-them-in-curl

@blyxxyz
Copy link
Collaborator

blyxxyz commented Aug 11, 2022

What if we require the login field to equal token when using bearer authentications? When I searched for .netrc + bearer auth, the only thing I could find was databricks which did it that way. See https://docs.databricks.com/dev-tools/api/latest/authentication.html#store-tokens-in-a-netrc-file-and-use-them-in-curl

That's a little unintuitive, I think we should ideally do it in a way that could be guessed without documentation. For databricks it's a hack to fit it into curl's existing netrc loader, but we're providing the netrc loader so we have more options.

Is there a drawback to an optional login field? It made me uneasy at first but after thinking through it it seems well-behaved.

@ducaale
Copy link
Owner

ducaale commented Aug 11, 2022

That's a little unintuitive, I think we should ideally do it in a way that could be guessed without documentation. For databricks it's a hack to fit it into curl's existing netrc loader, but we're providing the netrc loader so we have more options.

Sounds reasonable. Let's keep the login field optional 👍.

src/netrc.rs Outdated Show resolved Hide resolved
@porglezomp porglezomp requested review from ducaale and blyxxyz August 12, 2022 19:26
Copy link
Collaborator

@blyxxyz blyxxyz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great!

Are you interested in pitching this to HTTPie?

@ducaale ducaale changed the base branch from master to develop August 12, 2022 20:03
@ducaale ducaale merged commit 7074e1c into ducaale:develop Aug 12, 2022
@porglezomp
Copy link
Contributor Author

My work situation means I'd need to get approval for that as a separate contribution, so I'm probably not the best person to pitch that at the moment 😔

@pwagland
Copy link

pwagland commented Mar 5, 2024

Looks great!

Are you interested in pitching this to HTTPie?

Pitched: httpie/cli#1569

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants