Fix HTTP basic auth credentials being stripped from instance URLs

Preserve user:pass credentials in instance URLs so Invidious instances behind nginx reverse proxies with HTTP basic auth work correctly (#926). Add displayURL property to mask credentials in the UI.
2026-04-09 17:16:57 +00:00 · 2026-03-27 17:12:04 +01:00
parent 8a54e1ddbb
commit 2db78c429e
3 changed files with 38 additions and 5 deletions
--- a/Yattee/Models/Instance.swift
+++ b/Yattee/Models/Instance.swift
@@ -119,6 +119,17 @@ struct Instance: Identifiable, Codable, Hashable, Sendable {
        name ?? url.host ?? url.absoluteString
    }

+    /// Returns the URL string with embedded credentials stripped for safe display in the UI.
+    var displayURL: String {
+        guard var components = URLComponents(url: url, resolvingAgainstBaseURL: false),
+              components.user != nil else {
+            return url.absoluteString
+        }
+        components.user = nil
+        components.password = nil
+        return components.url?.absoluteString ?? url.absoluteString
+    }
+
    var contentSource: ContentSource {
        type.contentSource(for: url)
    }
@@ -268,10 +279,6 @@ extension Instance {
            components.path = String(components.path.dropLast())
        }

-        // Strip embedded credentials (security best practice)
-        components.user = nil
-        components.password = nil
-
        return components.url
    }
 }
--- a/Yattee/Views/Settings/EditSourceView.swift
+++ b/Yattee/Views/Settings/EditSourceView.swift
@@ -124,7 +124,7 @@ private struct EditRemoteServerContent: View {
        Form {
            Section {
                LabeledContent(String(localized: "sources.field.type"), value: instance.type.displayName)
-                LabeledContent(String(localized: "sources.field.url"), value: instance.url.absoluteString)
+                LabeledContent(String(localized: "sources.field.url"), value: instance.displayURL)
            }

            Section {