{ "id": "62781", "key": "TIMOB-2149", "fields": { "issuetype": { "id": "1", "description": "A problem which impairs or prevents the functions of the product.", "name": "Bug", "subtask": false }, "project": { "id": "10153", "key": "TIMOB", "name": "Titanium SDK/CLI", "projectCategory": { "id": "10100", "description": "Titanium and related SDKs used in application development", "name": "Client" } }, "fixVersions": [], "resolution": { "id": "7", "description": "", "name": "Invalid" }, "resolutiondate": "2011-04-15T03:11:58.000+0000", "created": "2011-04-15T03:11:56.000+0000", "priority": { "name": "Medium", "id": "3" }, "labels": [ "defect", "ios", "iphone", "xhr" ], "versions": [], "issuelinks": [], "assignee": { "name": "rpfeiffer", "key": "rpfeiffer", "displayName": "Ralf Pfeiffer", "active": true, "timeZone": "America/Los_Angeles" }, "updated": "2017-03-09T23:04:10.000+0000", "status": { "description": "The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.", "name": "Closed", "id": "6", "statusCategory": { "id": 3, "key": "done", "colorName": "green", "name": "Done" } }, "components": [ { "id": "10206", "name": "iOS", "description": "iOS Platform" } ], "description": "{html}
When sending a request to XHR to the following URL:
\n\nhttp://mike@demandocat.com:testing@api.lafitness.com/Services/Priva...
\nThe request is directed to demandocat.com instead of\napi.lafitness.com.
\nSome sort of issue exists parsing URLs that contain\nusername/passwords when they contain the @ char.
Note the title should say iPhone not Android
Fixed title to reflect iPhone, not Android.
to scrub
http://www.ietf.org/rfc/rfc3986.txt
\nThe authority (Username and host info) is defined as [ userinfo\n\"@\" ] host [ \":\" port ]
\nuserinfo is defined as *( unreserved / pct-encoded / sub-delims\n/ \":\" )
\nunreserved is defined as ALPHA / DIGIT / \"-\" / \".\" / \"_\" /\n\"~\"
\npct-encoded is defined as \"%\" HEXDIG HEXDIG
\nsub-delims is defined as \"!\" / \"$\" / \"&\" / \"'\" / \"(\" / \")\" /\n\"*\" / \"+\" / \",\" / \";\" / \"=\"
\nIn none of userinfo is \"@\" allowed as a valid character.
\nPer rfc 3986, the URI is requesting host of demandocat.com, port\n'testing', which is an invalid number. Thus, this URI is\ninvalid.
\nTo specify a userinfo that would contain the \"@\" character, it\nMUST be pct-encoded as \"%40\"
Invalidated without any evaluation to ensure authentication is\npossible using this means or test case for basic auth? The ability\nfor a client to pass credentials by this means is very basic\nfunctionality. It does not work with this client with iOS.
\nBefore closing or invalidating the ticket, it would be\npreferable to demonstrate that the functionality performs as\nexpected or repair/assign if it does not. This issue has been\nsatisfactorily repaired for Android with a test confirmation one\ncan now properly authenticate. I feel this has been evaded. This is\nnecessary functionality for web services work and we have a\ncrippled client if it cannot perform basic authentication using\nthis method.
Blain. I can put together something that demonstrates the\ninability to authenticate by passing credentials in url where doing\nsame in curl succeeds. Passing credentials in this way is a common\nthing to want to do and this requires a fix.
Hello fairwinds,
\nOur current situation:
\nWith URLs, we have already gone down the slippery slope in\nTitanium. I would have preferred that we were strict in the main\nAPI, and yet also provide helper functions to encode/decode,\nescape, where the algorithms are well-documented and\nunderstood.
\nIn the coming months we will systematically scrub our API and\nseek to achieve a good balance between achieving better standards\ncompliance as well providing functionality for ease of use by the\nend developer.
\nOn this specific issue:
\nBlain's comment is accurate, that \"@\" is not allowed in the\nuserinfo, and that if non-allowed characters exist, they should be\nescaped. In this case if \"@\" is the userinfo should be \"%40\".
\nWhat we will do:
\nWe'll take the action to discuss this issue internally, as\nAndroid and iOS differ in their approach right now.
\nThanks for your input, and expect an update on this within a\nweek.
\nSincerely,
\n~Ralf Dir of Platform Engineering
Hi Ralph. Not sure the issue for me was properly characterized\nby the ticket. The core issue for me is not simply the @ in the\nname but authenticating via:
\nhttp://user:pw@example.com or
\nhttp://user:pw@example.com
neither of which will authenticate using the client. Am quite\nhappy to encode the user:pw string including any @ character that\nmight exist there.
Ralph. One of those examples should be https above, sorry for\ntypo.