Raise error when sending credentials over HTTP#593
hashhar wants to merge 1 commit into trinodb:master from
Conversation
Pull request overview
Adds a runtime warning when authentication is configured while using an insecure HTTP connection, to help prevent accidental credential exposure.
Changes:
- Emit a `UserWarning` in `Connection.__init__` when `auth` is set and the resolved scheme is HTTP.
- Add unit tests asserting the warning is produced for HTTP and not produced for HTTPS.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| trino/dbapi.py | Adds warning emission when auth is used over HTTP. |
| tests/unit/test_dbapi.py | Adds/updates tests to validate the new warning behavior. |
828a7c7 to ae59fe2
Can we imagine a future where the Python client does an unsafe thing by default 10 years from now? Do you plan to convert the warning into a failure in 1-2 releases from now?
I plan to convert to failure. Just want to see if there are known applications or setups which explode and provide a version they can pin to while they sort out insecure configs.
Aligns with the Java client behavior where TLS/SSL is required for authentication. The error message matches the Java client phrasing: "TLS/SSL is required for authentication." Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ae59fe2 to 1b981b4
@findepi made into an error, was near useless in current shape. I tested with some tools locally.
Description
Raises a `TrinoAuthError` when authentication is configured while using an insecure HTTP connection. This aligns with the Java client behavior where TLS/SSL is strictly required for authentication — the Java client raises a `RuntimeException` with the message "TLS/SSL is required for authentication" in the same scenario. The error message follows the same phrasing as the Java client and includes Python-specific guidance on how to switch to HTTPS.
Non-technical explanation
Connecting with authentication over plain HTTP is now an error. Use `https://` in the host URL or pass `http_scheme='https'`.
Release notes
( ) This is not user-visible or docs only and no release notes are required.
( ) Release notes are required, please propose a release note for me.
(x) Release notes are required, with the following suggested text:
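The check this pull request describes (credentials configured while the resolved transport is plain HTTP), written out as an added stand-alone example that is not the trino-python-client's own code. The `TrinoAuthError` class here is a stand-in for the client's exception, `resolve_scheme` assumes that a host given as a full URL takes precedence over an explicit `http_scheme` argument, and the `strict` switch shows both shapes the change took in the conversation above: the first revision's `UserWarning` and the final revision's hard error.

```python
import warnings
from urllib.parse import urlsplit


class TrinoAuthError(Exception):
    """Stand-in for the client's authentication error (hypothetical, not the project's class)."""


def resolve_scheme(host, http_scheme="http"):
    """Return the scheme that will actually carry the request.

    Assumed resolution order (illustration only): a host written as a full URL,
    e.g. "https://trino.example:8443", wins over the explicit http_scheme
    argument; a bare hostname falls back to http_scheme.
    """
    parts = urlsplit(host)
    if parts.scheme and parts.netloc:
        return parts.scheme.lower()
    return http_scheme.lower()


def check_auth_transport(host, auth=None, http_scheme="http", strict=True):
    """Refuse to send credentials over an unencrypted connection.

    With strict=True the call raises TrinoAuthError, matching the final shape of
    the change; with strict=False it only emits a UserWarning, matching the first
    revision. Returns the resolved scheme when the configuration is acceptable,
    so callers can also use it purely as a validator.
    """
    scheme = resolve_scheme(host, http_scheme)
    if auth is not None and scheme == "http":
        message = (
            "TLS/SSL is required for authentication. "
            "Use https:// in the host URL or pass http_scheme='https'."
        )
        if strict:
            raise TrinoAuthError(message)
        warnings.warn(message, UserWarning, stacklevel=2)
    return scheme


def warnings_for(host, auth=None, http_scheme="http"):
    """Run the non-strict check and return the warning messages it emitted.

    Convenience helper for tests and for auditing a batch of connection configs
    without any of them raising.
    """
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        check_auth_transport(host, auth=auth, http_scheme=http_scheme, strict=False)
    return [str(w.message) for w in caught]


if __name__ == "__main__":
    # Constructed sample configurations; "basic" stands in for any auth object.
    samples = [
        ("https://trino.example", "basic", "http"),   # URL scheme overrides http_scheme: OK
        ("trino.example", "basic", "https"),          # explicit https: OK
        ("trino.example", None, "http"),              # no credentials, plain HTTP: OK
        ("http://trino.example", "basic", "https"),   # URL forces http while auth is set: rejected
    ]
    for host, auth, http_scheme in samples:
        try:
            print(host, "->", check_auth_transport(host, auth=auth, http_scheme=http_scheme))
        except TrinoAuthError as exc:
            print(host, "-> rejected:", exc)
```

The ordering in `resolve_scheme` is the part worth testing in a real client: an explicit `http_scheme='https'` must not silently mask an `http://` prefix in the host, because the prefix is what the HTTP library will actually honour.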