Impossible to use ':' in the username part.

[LEW21]

Prerequisites

• I have written a descriptive issue title
• I have searched existing issues to ensure the bug has not already been reported

Description

userinfo part is being automatically percent-decoded, so that both 'A%3AB' and 'A:B' end up being decoded as 'a:b' - while the former means (user "A:B") and the later (user "A" with password "B").

The spec itself uses this production:

userinfo    = *( unreserved / pct-encoded / sub-delims / ":" )

which means that : definitely is a special character, and should be treated specially here. They even treat it specially later:

Applications should not render as clear text any data after the first colon (":") character found within a userinfo subcomponent unless the data after the colon is the empty string (indicating no password).

Proposed solutions:

A) do not decode userinfo - just return it as a percent-encoded string
B) return userinfo as an array of :-separated decoded parts (['A:B'] or ['A', 'B'] in this example).

[LEW21]

Note that IMAP URLs have different behavior for * vs percent-encoded '*` too:

https://datatracker.ietf.org/doc/html/rfc5092#section-3.2

   The string ";AUTH=*" indicates that the client SHOULD select an
   appropriate authentication mechanism.  (Though the '*' character in
   this usage is not strictly a delimiter, it is being treated like a
   sub-delim [[URI-GEN](https://datatracker.ietf.org/doc/html/rfc5092#ref-URI-GEN)] in this instance.  It MUST NOT be percent-encoded
   in this usage, as ";AUTH=%2A" will not match this production.)

So it's probably better not to percent-decode at all.

[zekth]

Thanks for the report. What do you mean by impossible to use ? Could you write a reproduceable case? eg:

'use strict'

const fastifyURI = require('.')
const urijs = require('uri-js')

const url = "http://User:Pass@example.com:123/one/space"
console.log("parse", url)
console.log("urijs", urijs.parse(url))
console.log("fast-uri", fastifyURI.parse(url))

const schema = {
    scheme: 'uri',
    userinfo: 'Foo:Bar',
    host: 'example.com',
    port: 1,
    path: 'path',
    query: 'query',
    fragment: 'fragment'
}

console.log("serialize", schema)
console.log("urijs", urijs.serialize(schema))
console.log("fast-uri", fastifyURI.serialize(schema))

Results in:

parse http://User:Pass@example.com:123/one/space
urijs {
  scheme: 'http',
  userinfo: 'User:Pass',
  host: 'example.com',
  port: 123,
  path: '/one/space',
  query: undefined,
  fragment: undefined,
  reference: 'absolute'
}
fast-uri {
  scheme: 'http',
  userinfo: 'User:Pass',
  host: 'example.com',
  port: 123,
  path: '/one/space',
  query: undefined,
  fragment: undefined,
  reference: 'absolute'
}
serialize {
  scheme: 'uri',
  userinfo: 'Foo:Bar',
  host: 'example.com',
  port: 1,
  path: 'path',
  query: 'query',
  fragment: 'fragment'
}
urijs uri://Foo:Bar@example.com:1/path?query#fragment
fast-uri uri://Foo:Bar@example.com:1/path?query#fragment

[LEW21]

(sorry, I've made a mistake in the previous example, posting correct one now:)

'use strict'

const fastifyURI = require('.')
const urijs = require('uri-js')

function getUsernameAndPassword(uri, parse) {
    const parsed = parse(uri)
    const colonPos = parsed.userinfo.indexOf(':')
    const username = colonPos != -1 ? parsed.userinfo.substring(0, colonPos) : parsed.userinfo
    const password = colonPos != -1 ? parsed.userinfo.substring(colonPos + 1) : undefined
    return {username, password}
}

const url = "http://A%3AB@example.com:123/one/space"
console.log("getUsernameAndPassword", url)
console.log("urijs", getUsernameAndPassword(url, urijs.parse))
console.log("fast-uri", getUsernameAndPassword(url, fastifyURI.parse))

output:

urijs { username: 'A%3AB', password: undefined }
fast-uri { username: 'A', password: 'B' }

[LEW21]

Thanks!