add_credentials method doesn't work ('Authorization': 'Basic string' header isn't sending to web-server) #175

Open
SergeyMatsiupa opened this issue Aug 5, 2020 · 3 comments

@SergeyMatsiupa

environment: OS xUbuntu 18.04.4; Python 3.6.9; httplib2 0.18.1 (gzip)
summary: executing the code h.add_credentials('user', 'password', 'localhost') doesn't send the HTTP header 'Authorization': 'Basic <encoded_string>' to the web server
STR:

  • install any appropriate web server (with HTTP header logging) on localhost
  • check that HTTP headers for incoming requests are logged by this web server
  • execute the test Python code:

    import httplib2, json

    h = httplib2.Http()
    # JSON body of the POST request
    data = {"quantity": 1, "product": 21, "product_code": "1006"}
    data = json.dumps(data)
    restEndpointURL = 'http://localhost:8000/'
    # register credentials for the 'localhost' domain
    h.add_credentials('user', 'password', 'localhost')
    headersDict = {'Content-Type': 'application/json', 'accept': 'application/json'}
    response, content = h.request(restEndpointURL, 'POST', data, headers=headersDict)

  • execute the corresponding pure curl request (for comparison):

    curl -v --user user:password 'http://localhost:8000/' -H 'Content-Type: application/json' -H 'Host: localhost:8000' -H 'Accept: application/json' -H 'User-Agent: Python-httplib2/0.9.2 (gzip)' -H 'Accept-Encoding: gzip, deflate' --request POST --data '{"quantity":1,"product":21,"product_code":"1006"}'

  • compare the corresponding records in the web server logs (for the httplib2 request and for the curl request)

ER: the HTTP header for the httplib2 request is present in the web server logs in a format like 'Authorization': 'Basic <encoded_string>', as it is for the corresponding curl request

@SergeyMatsiupa
Author

Well, I did some investigation and found something interesting in the code of the library
(httplib2/__init__.py, class Http, method _request):

if response.status == 401:
    for authorization in self._auth_from_challenge(
        host, request_uri, headers, response, content
    ):
        authorization.request(method, request_uri, headers, body)
        (response, content) = self._conn_request(
            conn, request_uri, method, body, headers
        )
        if response.status != 401:
            self.authorizations.append(authorization)
            authorization.response(response, body)
            break

According to this logic: 1) first, httplib2.request will try to open the URL without any credentials; 2) if it receives a 401 response code, it will retry the request with the credentials header added. And this is not normal, because: 1) 2 physical requests are sent instead of 1, and 2) the web server can send a response code other than 401 (for example, when the web server has 2 options, for registered and for anonymous users, such as mine).
Therefore, I suggest changing this logic, for example: if something was written in self.credentials, then the 1st request should be sent with these credentials right away.

@temoto
Member

temoto commented Aug 10, 2020

AFAIK, so far we're good.

RFC7235#4.2

The "Authorization" header field allows a user agent to authenticate itself with an origin server -- usually, but not necessarily, after receiving a 401 (Unauthorized) response.

Of course, sending the authorization header on the first request is a nice enhancement; patches are welcome. It must be guarded with an option switch defaulting to the current behavior.

@SergeyMatsiupa
Author

Thanks!
Possibly I'll try to write such a patch later, but rather you can do it in the next release yourself - I'm not so good at Python at the moment :(
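
A workaround for the behavior discussed in this thread, as an added example that is not part of the issue or of httplib2: build the Basic `Authorization` header yourself and pass it through the `headers` argument of `h.request`, so it goes out on the first request even when the server never answers 401. The helper names, the `allowed_authority` check, the `allow_plain_http` flag and the constructed test server are assumptions of this example.

```python
import base64
from urllib.parse import urlsplit


def basic_auth_value(user, password):
    """RFC 7617 value: 'Basic ' + base64('user:password')."""
    if ":" in user:
        raise ValueError("user-id must not contain ':'")
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def preemptive_headers(url, user, password, allowed_authority,
                       headers=None, allow_plain_http=False):
    """Copy headers, adding Authorization only for allowed_authority."""
    parts = urlsplit(url)
    out = dict(headers or {})
    authority = parts.netloc.rpartition("@")[2].lower()  # drop any userinfo
    if authority != allowed_authority.lower():
        return out  # other host or port: credentials are not attached
    if parts.scheme != "https" and not allow_plain_http:
        # Basic credentials are base64-encoded, not encrypted.
        raise ValueError("refusing Basic auth over " + repr(parts.scheme))
    out["Authorization"] = basic_auth_value(user, password)
    return out


if __name__ == "__main__":
    import threading
    from http.server import BaseHTTPRequestHandler, HTTPServer
    import httplib2  # third-party, needed only for this demo

    seen = []  # Authorization header of each request the server receives

    class AnonymousOK(BaseHTTPRequestHandler):
        """Constructed test server: answers 200 to everyone, never 401."""
        def do_POST(self):
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            seen.append(self.headers.get("Authorization"))
            self.send_response(200)
            self.send_header("Content-Length", "0")
            self.end_headers()

    server = HTTPServer(("127.0.0.1", 0), AnonymousOK)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/" % server.server_port
    hdrs = preemptive_headers(url, "user", "password", urlsplit(url).netloc,
                              {"Content-Type": "application/json"}, True)
    httplib2.Http().request(url, "POST", "{}", headers=hdrs)
    print(seen)
```

The `allow_plain_http=True` in the demo is for the loopback test server only; over a real network the header should travel inside TLS.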
