Don't include username/password components in Host header (#417)

* removed auth and port from host of header

* used URL attribute rather _uri_reference

* reverted removing port into host

* reverted username and password from header

* applied new copy_with with username and password

httpx/models.py

@@ -136,6 +136,10 @@ class URL:
     def authority(self) -> str:
         return self._uri_reference.authority or ""
 
+    @property
+    def userinfo(self) -> str:
+        return self._uri_reference.userinfo or ""
+
     @property
     def username(self) -> str:
         userinfo = self._uri_reference.userinfo or ""
@@ -635,7 +639,10 @@ class BaseRequest:
         has_connection = "connection" in self.headers
 
         if not has_host:
-            auto_headers.append((b"host", self.url.authority.encode("ascii")))
+            url = self.url
+            if url.userinfo:
+                url = url.copy_with(username=None, password=None)
+            auto_headers.append((b"host", url.authority.encode("ascii")))
         if not has_user_agent:
             auto_headers.append((b"user-agent", USER_AGENT.encode("ascii")))
         if not has_accept:

tests/client/test_headers.py

@@ -131,3 +131,22 @@ def test_header_does_not_exist():
     headers = models.Headers({"foo": "bar"})
     with pytest.raises(KeyError):
         del headers["baz"]
+
+
+def test_host_without_auth_in_header():
+    url = "http://username:password@example.org:80/echo_headers"
+
+    with Client(dispatch=MockDispatch()) as client:
+        response = client.get(url)
+
+    assert response.status_code == 200
+    assert response.json() == {
+        "headers": {
+            "accept": "*/*",
+            "accept-encoding": "gzip, deflate, br",
+            "connection": "keep-alive",
+            "host": "example.org:80",
+            "user-agent": f"python-httpx/{__version__}",
+            "authorization": "Basic dXNlcm5hbWU6cGFzc3dvcmQ=",
+        }
+    }