tests/test_wscall.py

@@ -104,6 +104,15 @@ def test_webservice_auto_sign(http_requests, pub):
     assert 'orig=example.net' not in http_requests.get_last('url')
     assert 'signature=' in http_requests.get_last('url')
 
+    # do not auto sign if there's http basic authentication
+    wscall.request = {'url': 'http://foo:bar@idp.example.net'}
+    try:
+        wscall.call()
+    except Exception:
+        pass
+    assert 'orig=example.net' not in http_requests.get_last('url')
+    assert 'signature=' not in http_requests.get_last('url')
+
 
 def test_webservice_post_with_no_payload(http_requests, pub):
     NamedWsCall.wipe()

wcs/wscalls.py

@@ -95,7 +95,9 @@ def call_webservice(
         variables = get_publisher().substitutions.get_context_variables(mode='lazy')
         url = get_variadic_url(url, variables)
 
-    if not request_signature_key:
+    parsed = urllib.parse.urlparse(url)
+
+    if not request_signature_key and '@' not in parsed.netloc:
         try:
             request_signature_key, orig = get_secret_and_orig(url)
         except MissingSecret:
@@ -106,7 +108,6 @@ def call_webservice(
             qs_data['orig'] = orig
 
     if qs_data:  # merge qs_data into url
-        parsed = urllib.parse.urlparse(url)
         qs = list(urllib.parse.parse_qsl(parsed.query))
         for key, value in qs_data.items():
             try: