Client(follow_redirects=True) drops basic auth from URL

[douglas-raillard-arm]

httpx follows redirections, but if the redirected URL contains a basic auth username/password, those are dropped by httpx before making the GET request, which then fails:

1. client: GET http://foo.com/bar
2. server: 302 http://username:[email protected]/bar
3. client: GET http://private.com/bar
   => 401 unauthorized

Note that in step 3., httpx logs "INFO HTTP Request: GET http://username:[email protected]/bar" but this is deceiving, the real GET request issued does not contain username/password.

[douglas-raillard-arm]

Actually it looks like the username/password are requoted, similarly to this issue: #2863

According to to this SO post:

RFC 2616 specifies that the Location header should contain a URI as defined by RFC 1630, which requires a URI be 7-bit clean ASCII with any special characters URL encoded.

In other words, the server is delivering the URI incorrectly and should be escaping it.

So httpx should not attempt to re-quote the URL it gets from the Location header

EDIT: the request.url.userinfo seems to be actually just be ignored here:

httpx/httpx/_transports/default.py

Line 364 in db9072f

req = httpcore.Request(