NSURL, basic authentication and URL encoding

Question

I need to send the URL of a ICS file to the Calendar app so the user can subscribe to the internet calendar and I'm using UIApplication openURL.I'm building the URL using NSURLComponents and setting username and password.Username and password are URL encoded so if the user has special characters in the password they will be encoded (e.g. the @ sign will be %40).The Calendar application then tries to get the file. It doesn't send the credentials during the first GET, then it receives a 401 and then it does another request, time time sending the credential as HTTP Basic Authentication.Everything works fine if the user doesn't have special characters but fails otherwise because the server doesn't decode the password.Is there a way to avoid sending username and password without URL encoding?I'd like to avoid adding special logic on the server based on user agent or something like that.I can build the URL using NSURL URLWithString but this is not 100% reliable because the Calendar app might try to contact the wrong host in some cases.I also tried to add the encoding param during the challenge response as reported here https://tools.ietf.org/id/draft-reschke-basicauth-enc-00.html but it doesn't seem to affect the behavior.Thank you for you attentionVale

NotMyName · Answer

If you&#x27;re talking to an HTTP based calendar server that&#x27;s using HTTP Basic Authentication, then the process that you&#x27;re seeing where the client makes the request without credentials, receives the 401 response, and then resends the request with credentials is the expected sequence for HTTP Basic Authentication.  So your question "Is there a way to avoid sending username and password without URL encoding?" both how and why you&#x27;re doing what you&#x27;re doing.Note:  The enconding used for HTTP Basic Authentication isn&#x27;t the same as URL encoding.  The username:password credential is encoded in Base64, not URL escapes.  So if you encode the @ to %40 you&#x27;re doing it wrong.

 · Answer

Everything works fine if the user doesn&#x27;t have special characters but fails otherwise because the server doesn&#x27;t decode the password.I think you have to work this backwards from here.  What exactly is the server expecting here?  Can you post an example of an successful Basic authorisation with a non-ASCII password?Share and Enjoy — Quinn "The Eskimo!" Apple Developer Relations, Developer Technical Support, Core OS/Hardware let myEmail &#x3D; "eskimo" + "1" + "@apple.com"

vavvolo · Answer

Here&#x27;s the request/response when I build the request manually to validate username and password before sending the the URL to the calendar app.Note that the string bWVyZWRpdGg6VGVzdDEyMzRA is the base64 encoded of meredith:Test1234@HEAD /my-calendar-subscription-server/1632a50c-7b0c-4fb9-b46a-45c1de0ac291/calendar.ics HTTP/1.1Host: my-host.comAccept: */Content-Length: 0Connection: keep-aliveProxy-Connection: keep-aliveUser-Agent: my-app-ios/14 CFNetwork/758.1.6 Darwin/15.0.0Accept-Language: en-usAuthorization: Basic bWVyZWRpdGg6VGVzdDEyMzRAAccept-Encoding: gzip, deflateHTTP/1.1 200 OKCache-Control: no-cache, no-store, max-age&#x3D;0, must-revalidateContent-Length: 189Content-Type: text/calendar;charset&#x3D;UTF-8Date: Fri, 20 Nov 2015 10:44:08 GMTExpires: 0Pragma: no-cacheServer: Apache-Coyote/1.1X-Application-Context: application:default:4150X-Content-Type-Options: nosniffX-Frame-Options: DENYX-XSS-Protection: 1; mode&#x3D;blockConnection: keep-aliveThen I build the URL to pass it to the calendar app.I use NSURLComponent and this is the URL I pass to NSApplication openURLhttp://meredith:Test1234%40@my-host.com/my-calendar-subscription-server/1632a50c-7b0c-4fb9-b46a-45c1de0ac291/calendar.icsI set the password as it is using NSURLComponent setPassword, without any encoding, and of course they are URL encoded in the final URL.These are the requests sent by the Calendar appFirst requestGET /my-calendar-subscription-server/1632a50c-7b0c-4fb9-b46a-45c1de0ac291/calendar.ics HTTP/1.1Host: my-host.comProxy-Connection: keep-aliveAccept: text/calendarUser-Agent: iOS/9.1 (13B143) dataaccessd/1.0Accept-Language: en-usAccept-Encoding: gzip, deflateConnection: keep-aliveHTTP/1.1 401 UnauthorizedCache-Control: no-cache, no-store, max-age&#x3D;0, must-revalidateContent-Language: enContent-Type: text/html;charset&#x3D;utf-8Date: Fri, 20 Nov 2015 10:44:08 GMTExpires: 0Pragma: no-cacheServer: Apache-Coyote/1.1WWW-Authenticate: Basic realm&#x3D;"MyRealm"X-Content-Type-Options: nosniffX-Frame-Options: DENYX-XSS-Protection: 1; mode&#x3D;blockContent-Length: 1104Connection: keep-aliveSecond requestGET /my-calendar-subscription-server/1632a50c-7b0c-4fb9-b46a-45c1de0ac291/calendar.ics HTTP/1.1Host: my-host.comConnection: keep-aliveProxy-Connection: keep-aliveAccept: text/calendarUser-Agent: iOS/9.1 (13B143) dataaccessd/1.0Accept-Language: en-usAuthorization: Basic bWVyZWRpdGg6VGVzdDEyMzQlNDA&#x3D;Accept-Encoding: gzip, deflateHTTP/1.1 401 UnauthorizedCache-Control: no-cache, no-store, max-age&#x3D;0, must-revalidateContent-Language: enContent-Type: text/html;charset&#x3D;utf-8Date: Fri, 20 Nov 2015 10:44:08 GMTExpires: 0Pragma: no-cacheServer: Apache-Coyote/1.1WWW-Authenticate: Basic realm&#x3D;"MyRealm"X-Content-Type-Options: nosniffX-Frame-Options: DENYX-XSS-Protection: 1; mode&#x3D;blockContent-Length: 1040Connection: keep-aliveNote that the string bWVyZWRpdGg6VGVzdDEyMzQlNDA&#x3D; is the base64 encoded of meredith:Test1234%40 so the server fails to validate username/password.What I&#x27;m asking is: it there a way to tell the Calendar app not to use the URL encoded version of username and password when it builds the base64 auth string?At the moment I&#x27;m solving this issue on the server side with a filter based on the user agent (if iOS then -&amp;gt; base64 decode -&amp;gt; URL decode -&amp;gt; base64 encode)Thank you for your attentionVale