Authentication for non-https schemes

Hi Community,
I was recently trying to link the latest Collect app to an OpenRosa server that's running on HTTP and was getting a 401 response.
On investigating, I realised that in OkHttpOpenRosaServerClientProvider, line 98:

    if (scheme.equalsIgnoreCase("https")) {
        daBuilder.with("basic", new BasicAuthenticator(cred));
    }

Why would the client send auth info only to https servers?

Basic auth is only secure if you send the auth through the encrypted channel that HTTPS provides. See https://en.wikipedia.org/wiki/Basic_access_authentication#Security for more.

Thank you @yanokwa. The reality is that there are many who will want to test the app on non-https channels. Shouldn't we let the app send auth info, and it's up to the server host to ensure security, rather than dropping that info?

If you don't have a secure channel, the auth is sent in cleartext and is subject to a man-in-the-middle attack.

ODK is often used for projects where privacy and security matter. We default to doing things securely unless there is a really good reason. Testing on non-HTTPS channels is not a good reason.

If this is a blocker for you, you can make these changes on your fork. I don't recommend it, but it's your choice.

I get you. Thank you.
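
An added example, not part of the original thread and not code from the Collect project: a standalone Java sketch of the https-only rule quoted in the question, together with what a Basic `Authorization` header yields to anyone who can read the request. The class name, method names, host name and credentials are constructed for illustration.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

public class BasicAuthSchemeGate {

    // RFC 7617: the header value is "Basic " + base64(user ":" password).
    static String basicHeader(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // Same rule as the snippet in the question: attach Basic credentials only for https.
    static Optional<String> authorizationFor(URI server, String user, String password) {
        String scheme = server.getScheme();   // null for a relative URI
        if (scheme != null && scheme.equalsIgnoreCase("https")) {
            return Optional.of(basicHeader(user, password));
        }
        return Optional.empty();
    }

    // What any party that can read the request bytes recovers: base64 is an
    // encoding, not encryption, so no key is needed.
    static String[] decode(String headerValue) {
        String b64 = headerValue.substring("Basic ".length()).trim();
        String pair = new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
        return pair.split(":", 2);            // the password may itself contain ':'
    }

    public static void main(String[] args) {
        // Constructed sample values, not from the thread.
        String user = "collector";
        String password = "s3cr:et";
        String header = basicHeader(user, password);
        String[] seen = decode(header);
        System.out.println("on the wire : Authorization: " + header);
        System.out.println("recovered   : " + seen[0] + " / " + seen[1]);

        for (String url : new String[] {
                "https://odk.example.org/formList",
                "HTTPS://odk.example.org/formList",
                "http://odk.example.org/formList"}) {
            boolean sent = authorizationFor(URI.create(url), user, password).isPresent();
            System.out.println(url + " -> credentials attached: " + sent);
        }
    }
}
```

Over `https` the same header is sent, but inside the TLS channel; over `http` the gate withholds it, which is why the server in the question answered 401.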