url.resolve auth issue

[stevenvachon]

require("url").resolve(
  "http://user:pass@fakeurl2.com:80/path/resource.html?query#hash",
  "http://fakeurl.com/path/resource.html?query#hash"
);

produces http://user:pass@fakeurl.com/path/resource.html?query#hash

Node.js has been doing this for as long as I've been using it. How can it be correct to add auth information from one absolute url to another absolute url?

[Fishrock123]

@stevenvachon what do you expect the output to be? The latter is supposed to be a relative URL.

[meandmycode]

Well, the documentation describes resolve as "Take a base URL, and a href URL, and resolve them as a browser would for an anchor tag. ".

So I would say that if it received a URL that had a protocol then it should just return that URL and not try to merge it in any way.

[Fishrock123]

cc @domenic?

[domenic]

Yeah seems very bad, confirmed. Does not match browsers (easy to test with new URL(input, base)) and I haven't confirmed with the spec but seems pretty unlikely to match it either.

[rlidwka]

I wonder what should happen in this case?

> url.resolve('mailto:user@example.org', 'example.com')
'mailto:user@example.com'

"user@" technically is auth info here.

[domenic]

I don't think so. @annevk can correct us but I am pretty sure that is a case where the "scheme data" comes into play, so the breakdown is scheme = mailto, scheme data = user@example.com, all others = null.

[stevenvachon]

is "scheme data" part of url.parse()? It uses "protocol" in the public export, anyway.

[domenic]

It's returned by pathname in browsers at least. https://url.spec.whatwg.org/#dom-urlutils-pathname