Skip to content

Fix #1623: Decode percent-encoded credentials in URL #1668

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ns-fboucault wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Fix #1623: Decode percent-encoded credentials in URL #1668

ns-fboucault wants to merge 3 commits into from

Conversation

@ns-fboucault
Copy link

@ns-fboucault ns-fboucault commented Oct 17, 2025

Description

Fixes #1623

HTTPie now properly decodes percent-encoded characters in the username and password when they are provided in the URL's userinfo section.

This allows credentials containing special characters like @, =, and ? to be specified directly in URLs by percent-encoding them, matching the behavior of other HTTP clients like curl.

Changes

  • Modified httpie/cli/argparser.py to use urllib.parse.unquote() to decode username and password from URLs
  • Added test test_percent_encoded_credentials_in_url() to verify the fix

Example

This now works correctly:

http https://u%40d:1%3d2%3f@httpbin.org/basic-auth/u%40d/1%3d2%3f

Where u%40d decodes to u@d and 1%3d2%3f decodes to 1=2?

Testing

  • ✅ All existing auth tests pass (31 tests)
  • ✅ New test covers the reported issue
  • ✅ Manually verified with httpbin.org
  • ✅ Backward compatible (non-encoded credentials still work)

Checklist

  • Tests added/updated
  • All tests passing
  • No breaking changes
  • Follows existing code style

@ns-fboucault
Add tests for issue httpie#1623: percent-encoded credentials in URL
e1da5b3 
Add automated tests that reproduce the bug where HTTPie fails to decode
percent-encoded characters in URL credentials (username and password).

The tests verify that credentials containing special characters like @, =, ?,
:, and / should be properly decoded when provided in the URL's userinfo section.

Currently all tests fail with 401 UNAUTHORIZED, confirming the bug exists.

Related to: httpie#1623
@ns-fboucault
Fix issue httpie#1623: Decode percent-encoded credentials in URL
bf3854e 
HTTPie now properly decodes percent-encoded characters in the username
and password when they are provided in the URL's userinfo section.

This allows credentials containing special characters like @, =, and ?
to be specified directly in URLs by percent-encoding them.

Example that now works:
  http https://u%40d:1%3d2%3f@httpbin.org/basic-auth/u%40d/1%3d2%3f

The fix uses urllib.parse.unquote() to decode the username and password
extracted from the URL before using them for authentication.

Fixes: httpie#1623
@ns-fboucault
Fix flake8 whitespace errors in test_auth.py
61f697a 
Remove trailing whitespace on blank lines and extra blank lines at end of file.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Username/password in the URL not decoded when used for basic authentication

1 participant

@ns-fboucault