The retry logic and code used by ProxyBasicAuthHandler and ProxyDigestAuthHandler are same as normal authentication handlers. While this reuse is good, there is a problem that, on authentication failure, the HTTPError code is hardcoded to 401, whereas for Proxy cases it should have been 407.

The problematic line is this:


    def http_error_auth_reqed(self, auth_header, host, req, headers):
            ...
            raise HTTPError(req.full_url, 401, "digest auth failed",
                            headers, None)

can be changed by:
- Passing the errcode as arg.
- Or getting it from headers.

In 3.x, http_error_auth_reqed is a method of urllib.request.AbstractBasicAuthHandler
(20.5.8. AbstractBasicAuthHandler Objects in 3.1 lib manual)

Slipped under the radar?

This is still an issue and the relevant RFC part and a unittest would be as below. I would propose adding a new keyword argument with 401 as default value to ensure backwards compatibility with older versions. I can propose a PR if agreed and also improve test case since changing the hard coded status code from 401 to 407 doesn't seem to cause any failure.


https://tools.ietf.org/html/rfc7235#section-3.2

3.2.  407 Proxy Authentication Required

   The 407 (Proxy Authentication Required) status code is similar to 401
   (Unauthorized), but it indicates that the client needs to
   authenticate itself in order to use a proxy.  The proxy MUST send a
   Proxy-Authenticate header field (Section 4.3) containing a challenge
   applicable to that proxy for the target resource.  The client MAY
   repeat the request with a new or replaced Proxy-Authorization header
   field (Section 4.4).

unittest

diff --git a/Lib/test/test_urllib2_localnet.py b/Lib/test/test_urllib2_localnet.py
index 591b48d6d4..ab8dd32795 100644
--- a/Lib/test/test_urllib2_localnet.py
+++ b/Lib/test/test_urllib2_localnet.py
@@ -357,9 +357,9 @@ class ProxyAuthTests(unittest.TestCase):
         self.proxy_digest_handler.add_password(self.REALM, self.URL,
                                                self.USER, self.PASSWD+"bad")
         self.digest_auth_handler.set_qop("auth")
-        self.assertRaises(urllib.error.HTTPError,
-                          self.opener.open,
-                          self.URL)
+        with self.assertRaises(urllib.error.HTTPError) as cm:
+            self.opener.open(self.URL)
+        self.assertEqual(cm.exception.code, 407)

     def test_proxy_with_no_password_raises_httperror(self):
         self.digest_auth_handler.set_qop("auth")

$ ./python.exe -m unittest -v test.test_urllib2_localnet.ProxyAuthTests.test_proxy_with_bad_password_raises_httperror
test_proxy_with_bad_password_raises_httperror (test.test_urllib2_localnet.ProxyAuthTests) ... FAIL

======================================================================
FAIL: test_proxy_with_bad_password_raises_httperror (test.test_urllib2_localnet.ProxyAuthTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/Users/karthikeyansingaravelan/stuff/python/cpython/Lib/test/test_urllib2_localnet.py", line 362, in test_proxy_with_bad_password_raises_httperror
    self.assertEqual(cm.exception.code, 407)
AssertionError: 401 != 407

----------------------------------------------------------------------
Ran 1 test in 0.160s

FAILED (failures=1)