[PATCH] http auth user & password lookup

Brad Schick schickb at gmail.com
Thu Aug 23 19:22:55 CDT 2007


Matt Mackall wrote:
>>>> We also want to store and check the URI (or at least the host name), no?
>>>>
>>> I considered that. It would disambiguate all cases, but I think for many
>>> instances the realm is enough. Maybe an optional uri? Any suggestions
>>> for how to add that. Could be something like:
>>>
>>> realm[@uri]  = user[:pass]
>>>
>> Any feedback on this? I think it would help other users if I can get
>> this patch to an acceptable state. It's currently a pretty big hassle
>> doing remote work over http if auth is in place (or fairly insecure due
>> to displaying of passwords).
>>
>
> Isn't there a security risk of not having the URI in there? If you're
> doing pushes to two servers with realm-a and realm-b, the second
> server can claim to be in realm-a and get your realm-a password, no?
>

That is a good point, particularly for basic http auth that sends the
plain text password. I'm not sure how many repo managers are looking to
steal the passwords of their users on other repos, but I definitely
agree on principle.

Using the full URI only would be a hassle when you have several repos on
one host with a shared user:pass. How about:

realm:(hostname|uri) = user[:pass]

Since this is just for http, it should be as simple as looking for a /
character to determine it is a uri. If a / is found, then match the
entire uri including protocol. If not then just match host names. Or if
that seems too messy, just using realm and hostname should work for most
cases.

-Brad
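As an added illustration of the lookup rule proposed above (this is not code from the patch or from Mercurial; the sample entries, the `realm:(hostname|uri) = user[:pass]` parsing and the function names are assumptions), the following scopes credentials by realm and by host or full URI, so a second server that merely claims realm-a does not receive the realm-a password:

```python
from urllib.parse import urlsplit

# Constructed sample in the proposed "realm:(hostname|uri) = user[:pass]"
# form; the entries and hosts are invented for this example.
SAMPLE_CONFIG = """
realm-a:hg.example.org = alice:s3cret
realm-b:https://other.example.net/repo = alice:other-pass
realm-c:mirror.example.org = bob
"""

def parse_auth(text):
    """Return a list of (realm, scope, user, password) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        # The first ':' separates the realm from the host name or URI;
        # a URI keeps its own "https://" because only the first ':' splits.
        realm, _, scope = key.strip().partition(":")
        user, _, password = value.strip().partition(":")
        entries.append((realm, scope, user, password or None))
    return entries

def scope_matches(scope, url):
    """A scope containing '/' is a full URI (protocol included) and must
    match the request URL exactly; otherwise it is a bare host name."""
    if "/" in scope:
        return url.rstrip("/") == scope.rstrip("/")
    return urlsplit(url).hostname == scope

def lookup(entries, realm, url):
    """Return (user, password) for a realm challenge coming from url, or
    None. Both the realm and the host/URI must match, so a server on a
    different host that claims the same realm name gets no credentials."""
    for r, scope, user, password in entries:
        if r == realm and scope_matches(scope, url):
            return user, password
    return None
```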

