On Thu, 6 Nov 2008, Josef Wolf wrote:

>>> Then, there's the edge-case of http://user@host/. This case gives 401
>>> in the current implementation.
>>
>> I don't understand. You mean "current" as in before your patch or after?
>> And 401 simply implies that the credentials are wrong, surely that syntax
>> doesn't unconditionally and always provide wrong credentials? I thought it
>> simply picked an empty password.
>
> It picks an empty password and returns a 401 if the server wants a non-empty
> password. I mean, it is somewhat inconsistent to prompt when --user omits
> the password and not to prompt when url-specification omits the password.

First, I disagree with it being inconsistent, but we're again switching to
talk about what the tool curl does or doesn't and that's not really the most
suitable subject for this list. The tool simply respects the URL that is
provided, as far as possible.

This suggested auth callback will need to support blank user name and blank
password too btw.

>> But what about multiple for the same auth-scheme then? Call the callback
>> once for each? There should probably be some magic return code for the
>> callback to signal back "bad realm" or something.
>
> Why not call them in turn until one succeeds or no more realms are left?
> something like
>
> foreach realm (realms) {
> if (get_credentials (realm)) return credentials;
> }
> return failure

Yes, that should work fine I think.

-- 
  / daniel.haxx.se