[Python-Dev] urllib2.HTTPBasicAuthHandler doesn't work with GitHub API

Matěj Cepl mcepl at redhat.com
Mon Nov 4 15:11:12 CET 2013


Hi,

GitHub API v3 is intentionally broken (see
http://developer.github.com/v3/auth/):

> The main difference is that the RFC requires unauthenticated requests
> to be answered with 401 Unauthorized responses. In many places, this
> would disclose the existence of user data. Instead, the GitHub API
> responds with 404 Not Found. This may cause problems for HTTP
> libraries that assume a 401 Unauthorized response. The solution is to
> manually craft the Authorization header.

Unfortunately, urllib2.HTTPBasicAuthHandler relies on the
standard-conformant behavior. So a naive programmer (like me) who wants
to program against the GitHub API using urllib2 (and foolishly ignores this
comment about the API non-conformance, because he thinks GitHub wouldn't
be that stupid and break all Python applications) writes something like
the attached script, spends a couple of hours hitting this issue, until he
tries python-requests (which works) and his (mistaken) conclusion is that
urllib2 is a piece of crap which should never be used again.

I am not sure how widespread this breaking of the RFC is, but it seems to me
that it is quite widespread (e.g., http://stackoverflow.com/a/9698319/164233 which
just en passant expects urllib2 authentication stuff to be useless), and
the question is whether it shouldn't be documented somehow and/or
urllib2.HTTPBasicAuthHandler shouldn't be modified to try adding the
Authenticate header first.

Any suggestions?

Best,

Matěj

-- 
http://www.ceplovi.cz/matej/, Jabber: mcepl at ceplovi.cz
GPG Finger: 89EF 4BC6 288A BF43 1BAB  25C3 E09F EF25 D964 84AC

For a successful technology, reality must take precedence over
public relations, for nature cannot be fooled.
    -- R. P. Feynman's concluding sentence
       in his appendix to the Challenger Report
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test3_create_1.py
Type: text/x-python
Size: 2453 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/python-dev/attachments/20131104/0d954e0d/attachment.py>