[Python-Dev] urllib2.HTTPBasicAuthHandler doesn't work with GitHub API (original) (raw)
Matěj Cepl mcepl at redhat.com
Mon Nov 4 15:11:12 CET 2013
- Previous message: [Python-Dev] [Infrastructure] bugs.python.org not reachable in IPv6?
- Next message: [Python-Dev] urllib2.HTTPBasicAuthHandler doesn't work with GitHub API
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi,
GitHub API v3 is intentionally broken (see http://developer.github.com/v3/auth/):
The main difference is that the RFC requires unauthenticated requests to be answered with 401 Unauthorized responses. In many places, this would disclose the existence of user data. Instead, the GitHub API responds with 404 Not Found. This may cause problems for HTTP libraries that assume a 401 Unauthorized response. The solution is to manually craft the Authorization header.
Unfortunately, urllib2.HTTPBasicAuthHandler relies on the standard-conformant behavior. So a naive programmer (like me) who wants to program against GitHub API using urllib2 (and foolishly ignores this comment about the API non-conformance, because he thinks GitHub wouldn't be that stupid and break all Python applications) writes something like the attached script, spends couple of hours hitting this issue, until he tries python-requests (which work) and his (mistaken) conclusion is that urllib2 is a piece of crap which should never be used again.
I am not sure how widespread is this breaking of RFC, but it seems to me that quite a lot (e.g., http://stackoverflow.com/a/9698319/164233 which just en passant expects urllib2 authentication stuff to be useless), and the question is whether it shouldn't be documented somehow and/or urllib2.HTTPBasicAuthHandler shouldn't be modified to try add Authenticate header first.
Any suggestions?
Best,
Matěj
-- http://www.ceplovi.cz/matej/, Jabber: mcepl at ceplovi.cz GPG Finger: 89EF 4BC6 288A BF43 1BAB 25C3 E09F EF25 D964 84AC
For a successful technology, reality must take precedence over public relations, for nature cannot be fooled. -- R. P. Feynman's concluding sentence in his appendix to the Challenger Report -------------- next part -------------- A non-text attachment was scrubbed... Name: test3_create_1.py Type: text/x-python Size: 2453 bytes Desc: not available URL: <http://mail.python.org/pipermail/python-dev/attachments/20131104/0d954e0d/attachment.py> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 255 bytes Desc: OpenPGP digital signature URL: <http://mail.python.org/pipermail/python-dev/attachments/20131104/0d954e0d/attachment.sig>
- Previous message: [Python-Dev] [Infrastructure] bugs.python.org not reachable in IPv6?
- Next message: [Python-Dev] urllib2.HTTPBasicAuthHandler doesn't work with GitHub API
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]