Url with authority isn't supported and the request leak the password in plain text

[yangby-cryptape]

In latest stable version of reqwest (v0.9.22), a url with authority (contain a username, password) isn't supported and the request will leak the password in plain text.

A simple example:

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let url = "http://username:password@localhost:12345/";
    let json = serde_json::json!({
        "id": 2,
        "jsonrpc": "2.0",
        "method": "test",
        "params": []
    });
    let req = reqwest::Client::new().post(url).json(&json);
    println!("{:#?}", req);
    Ok(())
}

The output is:

RequestBuilder {
    client: Client,
    request: Ok(
        Request {
            method: POST,
            url: "http://username:password@localhost:12345/",
            headers: {
                "content-type": "application/json",
            },
        },
    ),
}

And, if we send this request to a http server, the response will be 401 Unauthorized (test with a nginx server).

[seanmonstar]

Closed via #735