bug#72526: 31.0.50; [PATCH] Fix url-basic-auth secret search when passing username and/or port

["Björn Bidar via Bug reports for GNU Emacs, the Swiss army knife of text editors" <bug-gnu-emacs@gnu.org>]

Eli Zaretskii <eliz@gnu.org> writes:

>> From: Björn Bidar <bjorn.bidar@thaodan.de>
>> Cc: 72526@debbugs.gnu.org
>> Date: Mon, 19 Aug 2024 09:54:09 +0300
>> 
>> Eli Zaretskii <eliz@gnu.org> writes:
>> 
>> >> From: Björn Bidar <bjorn.bidar@thaodan.de>
>> >> Cc: 72526@debbugs.gnu.org
>> >> Date: Sun, 18 Aug 2024 15:30:22 +0300
>> >> 
>> >> Eli Zaretskii <eliz@gnu.org> writes:
>> >> 
>> >> 1. url-basic-auth-store uses the 'server' as in the '<server>:<port>' in
>> >>    url-basic-auth-storage. I did not want to change the existing format
>> >>    as I don't know the implications.
>> >
>> > Can you calculate a separate variable once, and then use 'server' and
>> > that new variable, each one where appropriate?  It simply doesn't look
>> > clean to recalculate the same value several times.
>> >
>> >> 2. I tested calling auth-source-search with :user nil and without :user
>> >>    in both cases the result was the same, from this I imply that calling
>> >>    auth-source-search with :user nil is ok.
>> >
>> > Wouldn't it be cleaner to omit :user if the value is nil?
>> 
>> It would, how would one do such thing in lisp except of course
>> having two separate calls one with :user and one without :user.
>> For C it would be normal to just pass NULL if the argument is optional
>> (beginner in lisp).
>> 
>> >>    Yes if auth-source-search doesn't find a user for the url
>> >>    url-basic-auth will prompt the user for a user.
>> >>    Why is it a good idea to derive the user by url-basic-auth?
>> >>    Because HTTP basic authentication uses the as specific in RFC 3986
>> >>    section 3.2.1. Using it in this function to infer the user from the
>> >>    url just follows the standard as already in other programs/Emacs
>> >>    packages.
>> >>    If the user has specified the username they want to identify with
>> >>    at the server asking for it would be redundant and not confirming to
>> >>    the standard.
>> >
>> > What does the current code do in that case?  Does it completely fail,
>> > or does it prompt for the username?  If the latter, it would be a
>> > change in behavior, won't it?
>> 
>> Currently it does ask for the user even if the caller sends the user in the
>> url. It would be change of behavior, however it is expected that the user is
>> used in HTTP basic authentication if the the url is 'http://user@host'.
>> I don't think any caller would call the function in such a way without
>> expecting that user is the username used in the call.
>
> Thanks, so I installed the patch on the master branch, and I'm now
> closing this bug.

Would it make sense to apply it to Emacs 30.1 too?

What about the other patch? Should :user only be passed to
auth-source-search if there was a user in the url for the patch to be
ok?