
Add warning when using HTTP Basic authentication#185

Open

BlocksecPHD wants to merge 1 commit into DMTF:main from BlocksecPHD:add-basic-auth-warning

Conversation

@BlocksecPHD

Problem

When using HTTP Basic authentication, the library does not inform users about the security and performance implications. As noted in issue #183, HTTP Basic auth has concerns documented in RFC7617, and sends credentials on each request, which impacts both security and performance compared to session-based authentication.

Changes

This PR adds a UserWarning when AuthMethod.BASIC is used during login, using language from the Redfish specification:

Note: The IETF has highlighted security concerns with HTTP Basic authentication. While HTTPS is required for the usage of HTTP Basic authentication, there are other concerns implementers need to be aware of that RFC7617 documents. This functionality can be restricted or disabled with the HTTPBasicAuth property in the AccountService resource.

For improved performance and security, a client should use the session management interface to create a Redfish login session.

Files Modified

  • src/redfish/rest/v1.py: Added warnings.warn() call in the login() method when auth == AuthMethod.BASIC
  • tests/rest/test_v1.py: Added test test_basic_auth_emits_warning to verify the warning is emitted with correct content

Test Results

tests/rest/test_v1.py::TestRedFishClient::test_basic_auth_emits_warning PASSED
tests/rest/test_v1.py::TestRedFishClient::test_redfish_client_no_root_resp PASSED
tests/rest/test_v1.py::TestRedFishClient::test_redfish_client_root_object_initialized_after_login PASSED

All other existing tests continue to pass. The one pre-existing failing test (test_redfish_client) was already failing before this change due to network behavior with mock URLs.

References

Issue: DMTF#183
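The change described above, as an added example that is not code from python-redfish-library or from this PR: a minimal stand-in client whose login() emits the UserWarning for AuthMethod.BASIC, plus the capture helper a test such as test_basic_auth_emits_warning would use. The RedfishClient stand-in, its request_headers() method (which shows why Basic re-sends credentials on every request) and the exact warning text are assumptions, with the wording taken from the specification quote above.

```python
import base64
import enum
import warnings

# Wording assembled from the Redfish specification quote in the PR description.
BASIC_AUTH_WARNING = (
    "The IETF has highlighted security concerns with HTTP Basic authentication "
    "(see RFC7617). For improved performance and security, a client should use "
    "the session management interface to create a Redfish login session. This "
    "functionality can be restricted or disabled with the HTTPBasicAuth property "
    "in the AccountService resource."
)

class AuthMethod(enum.Enum):
    BASIC = "basic"
    SESSION = "session"

class RedfishClient:
    """Stand-in for the library client (assumption); only auth handling is modelled."""

    def __init__(self, username, password):
        self._username = username
        self._password = password
        self._token = None
        self.auth = None

    def login(self, auth=AuthMethod.SESSION):
        if auth == AuthMethod.BASIC:
            # stacklevel=2 attributes the warning to the code that called login(),
            # so the user sees the call site they would need to change.
            warnings.warn(BASIC_AUTH_WARNING, UserWarning, stacklevel=2)
        else:
            # A real client would POST to the SessionService; this token is constructed.
            self._token = "constructed-session-token"
        self.auth = auth

    def request_headers(self):
        """Headers sent on every request: Basic re-sends the credentials each time."""
        if self.auth == AuthMethod.BASIC:
            creds = f"{self._username}:{self._password}".encode()
            return {"Authorization": "Basic " + base64.b64encode(creds).decode()}
        return {"X-Auth-Token": self._token}

def login_warnings(client, auth):
    """Mirror of the PR's test: log in and return the UserWarning messages emitted."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")  # record every emission, not just the first
        client.login(auth=auth)
    return [str(w.message) for w in caught if issubclass(w.category, UserWarning)]
```

A caller that has reviewed the trade-off can suppress only this warning with warnings.filterwarnings("ignore", message="The IETF has highlighted", category=UserWarning) rather than silencing all UserWarnings.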

When users authenticate with HTTP Basic auth, emit a UserWarning
with guidance from the Redfish specification:

- Security concerns highlighted by IETF (RFC7617)
- Recommendation to use session management for improved
  performance and security
- HTTPBasicAuth property in AccountService resource can
  restrict/disable this functionality

This helps users understand the trade-offs of basic auth vs
session-based authentication.