cabal-install: allow Basic authentication in curl transport

Allow the curl transport to use Basic authentication, if and only if the url scheme is HTTPS (i.e. TLS will be used). Retain the existing behaviour (force Digest scheme) for insecure requests. This change is required to support upcoming hackage-server changes. The wget transport already supports Basic authentication.
haskell · Aug 22, 2024 · 6364221 · 6364221
1 parent 95c3a5d
commit 6364221
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/cabal-install/src/Distribution/Client/HttpUtils.hs b/cabal-install/src/Distribution/Client/HttpUtils.hs
@@ -520,12 +520,18 @@ curlTransport prog =
             (Just (Left (uname, passwd)), _) -> Just $ Left (uname ++ ":" ++ passwd)
             (Nothing, Just a) -> Just $ Left a
             (Nothing, Nothing) -> Nothing
+      let authnSchemeArg
+            -- When using TLS, we can accept Basic authentication.  Let curl
+            -- decide based on the scheme(s) offered by the server.
+            | isHttpsURI uri = "--anyauth"
+            -- When not using TLS, force Digest scheme
+            | otherwise = "--digest"
       case mbAuthStringToken of
         Just (Left up) ->
           progInvocation
             { progInvokeInput =
                 Just . IODataText . unlines $
-                  [ "--digest"
+                  [ authnSchemeArg
                   , "--user " ++ up
                   ]
             , progInvokeArgs = ["--config", "-"] ++ progInvokeArgs progInvocation

diff --git a/changelog.d/pr-10089 b/changelog.d/pr-10089
@@ -0,0 +1,12 @@
+synopsis: `curl` transport now supports Basic authentication
+packages: cabal-install
+prs: #10089
+
+description: {
+
+- The `curl` HTTP transport previously only supported the HTTP Digest
+  authentication scheme.  Basic authentication is now supported
+  when using HTTPS; Curl will use the scheme offered by the server.
+  The `wget` transport already supports HTTPS.
+
+}