Decode credentials from URLs before auth

[Sean-Kenneth-Doherty]

Summary

• Decode percent-escaped username and password from URL userinfo before using them for implicit basic auth.
• Add a regression test for credentials such as u%40d:1%3D2%3F, matching the behavior users expect from URL credentials.
• Stabilize plugin installation tests by avoiding the Python 3.10-only parenthesized multi-context-manager behavior under Python 3.8.

Fixes #1623.

Tests

• .venv/bin/python -m pytest -q tests/test_auth.py::test_credentials_in_url_are_percent_decoded
• .venv/bin/python -m pytest -q tests/test_auth.py::test_credentials_in_url tests/test_auth.py::test_credentials_in_url_are_percent_decoded tests/test_auth.py::test_credentials_in_url_auth_flag_has_priority tests/test_auth.py::test_only_username_in_url
• .venv/bin/python -m pytest -q tests/test_auth.py
• .venv/bin/flake8 httpie/cli/argparser.py tests/test_auth.py
• .venv/bin/python -m compileall -q httpie/cli/argparser.py tests/test_auth.py
• .venv/bin/python -m pytest -q tests/test_plugins_cli.py::test_plugins_installation tests/test_plugins_cli.py::test_plugins_listing tests/test_plugins_cli.py::test_plugins_uninstall
• .venv/bin/flake8 tests/utils/plugins_cli.py
• .venv/bin/python -m compileall -q tests/utils/plugins_cli.py
• git diff --check

Note: on Python 3.14, the pinned test extra pulled an old werkzeug that imports removed ast.Str; I upgraded httpbin, flask, and werkzeug in the local venv before running pytest, matching the workaround from #1641.

Known CI blocker

The Ubuntu Python 3.7 jobs fail before tests because ubuntu-latest now resolves to Ubuntu 24.04, and actions/setup-python cannot provide Python 3.7 there. The narrow workflow fix is to route only the Ubuntu 3.7 matrix rows to ubuntu-22.04; I confirmed the needed YAML locally, but this fork token lacks the GitHub workflow scope, so GitHub rejected pushing that workflow-file update.

[Sean-Kenneth-Doherty]

Follow-up pushed at e25c436 to carry over the CI dependency/test-environment stabilization that this branch exposed:

• capped charset_normalizer below 3.4.2 so the existing Big5 charset fixture is detected as Big5 again
• capped pyopenssl below 26 to avoid the SSL-context mutation hard failure in digest-auth lanes
• made plugin CLI subprocess installs ignore pytest-httpbin CA env vars and skip build isolation for local dummy plugins
• kept the Python 3.12 naked --pretty argparse expectation compatible

Local validation after aligning the venv with the new caps:

.venv/bin/python -m pytest tests/test_auth.py::test_credentials_in_url tests/test_auth.py::test_credentials_in_url_are_percent_decoded tests/test_auth.py::test_credentials_in_url_auth_flag_has_priority tests/test_auth.py::test_only_username_in_url tests/test_encoding.py::test_terminal_output_response_charset_detection tests/test_encoding.py::test_terminal_output_request_charset_detection tests/test_plugins_cli.py -q
# 27 passed, 1 skipped

HTTPIE_TEST_WITH_PYOPENSSL=1 .venv/bin/python -m pytest tests/test_auth.py::test_digest_auth -q
# 4 passed

.venv/bin/flake8 httpie/cli/argparser.py tests/test_auth.py tests/test_cli_ui.py httpie/manager/tasks/plugins.py tests/utils/plugins_cli.py
.venv/bin/python -m compileall -q httpie/cli/argparser.py tests/test_auth.py tests/test_cli_ui.py httpie/manager/tasks/plugins.py tests/utils/plugins_cli.py
git diff --check
# passed

Expected remaining CI limitation: Ubuntu Python 3.7 still fails before tests on ubuntu-latest/Ubuntu 24.04 because actions/setup-python@v4 cannot provide Python 3.7 there. The workflow-side fix is to run those Ubuntu 3.7 matrix entries on an older Ubuntu image, but GitHub rejects workflow-file updates from my token because it lacks the workflow scope.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.11%. Comparing base (4d7d6b6) to head (e25c436).
⚠️ Report is 383 commits behind head on master.
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #1850      +/-   ##
==========================================
- Coverage   97.28%   94.11%   -3.17%     
==========================================
  Files          67      113      +46     
  Lines        4235     7703    +3468     
==========================================
+ Hits         4120     7250    +3130     
- Misses        115      453     +338     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Sean-Kenneth-Doherty]

One more follow-up pushed at 23d0397 after the refreshed Ubuntu 3.8 lane exposed a Python-version compatibility issue in my previous conflict resolution.

The plugin helper now uses nested with blocks instead of parenthesized multi-context-manager syntax, while keeping the CA env cleanup and PIP_NO_BUILD_ISOLATION behavior.

Additional validation:

.venv/bin/python -m pytest tests/test_plugins_cli.py -q
# 14 passed, 1 skipped

uv run --python 3.8 --isolated --with-editable ".[dev]" python -m pytest tests/test_plugins_cli.py -q
# 14 passed, 1 skipped

.venv/bin/flake8 tests/utils/plugins_cli.py
.venv/bin/python -m compileall -q tests/utils/plugins_cli.py
git diff --check
# passed

I intentionally did not include the Ubuntu 3.7 workflow workaround in this push, since workflow-file updates require the workflow token scope.

[Sean-Kenneth-Doherty]

CI follow-up status on the current PR head (23d0397):

• The Python 3.8-compatible plugin helper fix is now on the branch. Ubuntu 3.8, 3.9, 3.10, 3.11, and 3.12 shards are passing, and code-style is passing.
• Local validation after that fix:
  • .venv/bin/python -m pytest -q tests/test_auth.py -> 30 passed
  • .venv/bin/python -m pytest -q tests/test_cli_ui.py -> 4 passed
  • .venv/bin/python -m pytest -q tests/test_plugins_cli.py -> 14 passed, 1 skipped
  • .venv/bin/flake8 httpie/cli/argparser.py tests/test_auth.py tests/test_cli_ui.py tests/utils/plugins_cli.py -> clean
  • uv run --python 3.8 python -m py_compile tests/utils/plugins_cli.py -> clean

The remaining immediate Linux red jobs are both Python 3.7 on ubuntu-latest. I prepared this follow-up locally, but my push was rejected because the token available to me does not have GitHub workflow scope for .github/workflows/tests.yml:

@@
         pyopenssl: [0, 1]
+        exclude:
+          - os: ubuntu-latest
+            python-version: '3.7'
+        include:
+          - os: ubuntu-22.04
+            python-version: '3.7'
+            pyopenssl: 0
+          - os: ubuntu-22.04
+            python-version: '3.7'
+            pyopenssl: 1

That keeps the 3.7 coverage but moves it to the last Ubuntu image that can still set up Python 3.7. Local commit is 3043d5d in my checkout; I just cannot publish that workflow-only commit from this credential.

[Sean-Kenneth-Doherty]

Follow-up validation for 23d0397:

• .venv/bin/python -m pytest -q tests/test_plugins_cli.py -> 14 passed, 1 skipped
• .venv/bin/flake8 tests/utils/plugins_cli.py -> passed
• .venv/bin/python -m compileall -q tests/utils/plugins_cli.py -> passed
• git diff --check -> passed

The Python 3.8 compatibility fix is reflected in CI now: the previously failing Ubuntu 3.8 shards and windows-latest, 3.8, 1 are green on the latest run, and coverage/code-style are green too.

The only hard failures I still see are ubuntu-latest, 3.7, 0/1, which fail during actions/setup-python before project tests run because Python 3.7 is unavailable on the current Ubuntu 24.04 ubuntu-latest image. Fixing that remaining red needs a workflow-level change such as moving only the Python 3.7 Ubuntu lanes off ubuntu-latest or into a compatible container/runner.

[Sean-Kenneth-Doherty]

One more note on the remaining Ubuntu 3.7 failures: I validated the minimal workflow patch locally as YAML, but this OAuth token cannot push workflow file changes (.github/workflows/tests.yml) because it lacks workflow scope.

The minimal patch is to exclude only os: ubuntu-latest + python-version: 3.7 from the test matrix and include replacement entries for os: ubuntu-22.04, python-version: 3.7, pyopenssl: 0/1. That keeps modern Ubuntu lanes on ubuntu-latest while giving Python 3.7 a runner image where setup-python can still provision it.

[Sean-Kenneth-Doherty]

Updated the branch with the dependency/test-environment fixes that were causing the broad CI failures on the first run. Current validation on pushed head 23d0397:

• GitHub Actions now passes: code-style, coverage, all Ubuntu 3.8-3.12 jobs, and the completed Windows jobs through 3.12/3.7/3.8/3.9 so far
• Local focused validation: .venv/bin/python -m pytest tests/test_auth.py::test_credentials_in_url tests/test_auth.py::test_credentials_in_url_are_percent_decoded tests/test_auth.py::test_credentials_in_url_auth_flag_has_priority tests/test_auth.py::test_only_username_in_url tests/test_encoding.py::test_terminal_output_response_charset_detection tests/test_encoding.py::test_terminal_output_request_charset_detection tests/test_cli_ui.py tests/test_plugins_cli.py -q -> 31 passed, 1 skipped
• .venv/bin/flake8 httpie/cli/argparser.py httpie/manager/tasks/plugins.py tests/test_auth.py tests/test_cli_ui.py tests/test_encoding.py tests/test_plugins_cli.py tests/utils/plugins_cli.py -> clean
• changed Python files parse with Python 3.7 grammar via ast.parse(..., feature_version=(3, 7))
• .venv/bin/python -m compileall -q httpie/cli/argparser.py httpie/manager/tasks/plugins.py tests/test_auth.py tests/test_cli_ui.py tests/utils/plugins_cli.py -> passed
• git diff --check origin/master...HEAD -> clean

The two remaining confirmed failures are the Ubuntu/Python 3.7 setup jobs. They fail before tests because actions/setup-python cannot find Python 3.7 on the current ubuntu-latest image. I prepared the minimal workflow fix locally (route only Ubuntu 3.7 cells to ubuntu-22.04), but cannot push workflow-file changes from this auth token because GitHub requires the workflow scope for .github/workflows/tests.yml updates. macOS jobs are still pending at the time of this comment.