node-fetch v3 basic auth in URL not working #1304
Comments
|
Woof this is a silly choice which prevents us from upgrading. We will pin node-fetch v2 for existing projects and migrate to axios for all new development as a result of this bug. |
|
@lachesis sorry to hear that you feel that way. The reasoning behind this restriction is to prevent potential security risks. Including credentials directly in the URL can expose sensitive information, especially if the URL is logged or sent over insecure channels. This could lead to unauthorized access to user accounts or other sensitive data. it's also b/c of how caching works. storing username + password in plain text in urls isn't such a good idea. using urls with credentials is discouraged b/c of reasons. if you do wish to use credentials then you can easily convert it into a basic authentication header instead. fetch(url, {
headers: {
Authorization: `Basic ${btoa(`${username}:${password}`)}`
}
})i would still recommend using fetch, as it's what's available in all env. right now. including browsers, web workers, react native, deno, node, bun and mostly anywhere. using axios dose not work everywhere cuz it rely on the old XHR or node's own http module. which in itself is a restriction cuz it can't run in deno, service worker, or cloudflare worker. you won't need any dependency at all right now as fetch is built in right into NodeJS itself starting from v18+ |
In node-fetch v2, we could set a username/password in the URL for Basic Auth.
Appears that v3 is silently discarding these from the URL, and need to be added using an Authorization header now.
This appears to match what the browsers (chrome at least) are doing:
I assume this is the desired behavior going forward? However there is no mention in the upgrade guide and it is a breaking change. Also I would prefer to see an error return rather than silently ignoring the credentials.
The text was updated successfully, but these errors were encountered: