Fix HTTP basic auth credentials being stripped from instance URLs

Preserve user:pass credentials in instance URLs so Invidious instances behind nginx reverse proxies with HTTP basic auth work correctly (#926). Add displayURL property to mask credentials in the UI.
2026-04-09 17:16:57 +00:00 · 2026-03-27 17:12:04 +01:00
parent 8a54e1ddbb
commit 2db78c429e
3 changed files with 38 additions and 5 deletions
--- a/Yattee/Models/Instance.swift
+++ b/Yattee/Models/Instance.swift
@@ -119,6 +119,17 @@ struct Instance: Identifiable, Codable, Hashable, Sendable {
        name ?? url.host ?? url.absoluteString
    }

+    /// Returns the URL string with embedded credentials stripped for safe display in the UI.
+    var displayURL: String {
+        guard var components = URLComponents(url: url, resolvingAgainstBaseURL: false),
+              components.user != nil else {
+            return url.absoluteString
+        }
+        components.user = nil
+        components.password = nil
+        return components.url?.absoluteString ?? url.absoluteString
+    }
+
    var contentSource: ContentSource {
        type.contentSource(for: url)
    }
@@ -268,10 +279,6 @@ extension Instance {
            components.path = String(components.path.dropLast())
        }

-        // Strip embedded credentials (security best practice)
-        components.user = nil
-        components.password = nil
-
        return components.url
    }
 }
--- a/Yattee/Views/Settings/EditSourceView.swift
+++ b/Yattee/Views/Settings/EditSourceView.swift
@@ -124,7 +124,7 @@ private struct EditRemoteServerContent: View {
        Form {
            Section {
                LabeledContent(String(localized: "sources.field.type"), value: instance.type.displayName)
-                LabeledContent(String(localized: "sources.field.url"), value: instance.url.absoluteString)
+                LabeledContent(String(localized: "sources.field.url"), value: instance.displayURL)
            }

            Section {
--- a/YatteeTests/ModelTests.swift
+++ b/YatteeTests/ModelTests.swift
@@ -248,6 +248,32 @@ struct InstanceTests {
        #expect(simpleHost?.scheme == "https")
    }

+    @Test("Instance URL normalization preserves embedded credentials")
+    func normalizeSourceURLPreservesCredentials() {
+        let url = Instance.normalizeSourceURL("https://user:pass@server.com")
+        #expect(url?.user == "user")
+        #expect(url?.password == "pass")
+        #expect(url?.host == "server.com")
+    }
+
+    @Test("Instance displayURL strips credentials")
+    func displayURLStripsCredentials() {
+        let instance = Instance(
+            type: .invidious,
+            url: URL(string: "https://user:pass@server.com")!
+        )
+        #expect(instance.displayURL == "https://server.com")
+    }
+
+    @Test("Instance displayURL returns absoluteString when no credentials")
+    func displayURLWithoutCredentials() {
+        let instance = Instance(
+            type: .invidious,
+            url: URL(string: "https://server.com")!
+        )
+        #expect(instance.displayURL == "https://server.com")
+    }
+
    @Test("Instance display name uses custom name if set")
    func displayNameCustom() {
        let instance = Instance(