From 9693c347d57db6eeb466ae189f829255fb99229c Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Sun, 9 Jun 2024 14:29:53 +0200
Subject: [PATCH] cabal-install: allow Basic authentication in curl transport
Allow the curl transport to use Basic authentication, if and only if the url scheme is HTTPS (i.e. TLS will be used). Retain the existing behaviour (force Digest scheme) for insecure requests. This change is required to support upcoming hackage-server changes. The wget transport already supports Basic authentication.
---
 cabal-install/src/Distribution/Client/HttpUtils.hs | 8 +++++++-
 changelog.d/pr-10089 | 12 ++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 changelog.d/pr-10089
diff --git a/cabal-install/src/Distribution/Client/HttpUtils.hs b/cabal-install/src/Distribution/Client/HttpUtils.hs
index 3c6d6045082..25195be248c 100644
--- a/cabal-install/src/Distribution/Client/HttpUtils.hs
+++ b/cabal-install/src/Distribution/Client/HttpUtils.hs
@@ -520,12 +520,18 @@ curlTransport prog =
 (Just (Left (uname, passwd)), _) -> Just $ Left (uname ++ ":" ++ passwd)
 (Nothing, Just a) -> Just $ Left a
 (Nothing, Nothing) -> Nothing
+ let authnSchemeArg
+ -- When using TLS, we can accept Basic authentication. Let curl
+ -- decide based on the scheme(s) offered by the server.
+ | isHttpsURI uri = "--anyauth"
+ -- When not using TLS, force Digest scheme
+ | otherwise = "--digest"
 case mbAuthStringToken of
 Just (Left up) ->
 progInvocation
 { progInvokeInput =
 Just . IODataText . unlines $
- [ "--digest"
+ [ authnSchemeArg
 , "--user " ++ up
 ]
 , progInvokeArgs = ["--config", "-"] ++ progInvokeArgs progInvocation
diff --git a/changelog.d/pr-10089 b/changelog.d/pr-10089
new file mode 100644
index 00000000000..ed322194e21
--- /dev/null
+++ b/changelog.d/pr-10089
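Review bot: The `isHttpsURI uri` guard in `authnSchemeArg` (HttpUtils.hs hunk) checks only the URI the request starts with, so the TLS assumption that justifies `--anyauth` is not established for any later hop. If this curl invocation follows redirects (the rest of the argument list and the enclosing function lie outside the hunk), an `https://` URL redirected to `http://` may still be offered Basic, and curl builds that forward credentials across a scheme change would then send the password in cleartext; adding curl's `--proto-redir` restriction to the HTTPS case, or a comment stating why redirects cannot downgrade, would close that gap. `--anyauth` also enables every scheme curl supports rather than Basic and Digest alone, so the comment would be more accurate as `-- --anyauth lets curl pick any scheme the server offers, Basic included; acceptable only because the channel is TLS`. Separately, the changelog entry ends with "The `wget` transport already supports HTTPS" where the commit message says Basic authentication, which looks like a slip.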
@@ -0,0 +1,12 @@
+synopsis: `curl` transport now supports Basic authentication
+packages: cabal-install
+prs: #10089
+
+description: {
+
+- The `curl` HTTP transport previously only supported the HTTP Digest
+ authentication scheme. Basic authentication is now supported
+ when using HTTPS; Curl will use the scheme offered by the server.
+ The `wget` transport already supports HTTPS.
+
+}