Raise error when sending credentials over HTTP

hashhar · claude · hashhar · commit 1b981b4c9888 · 2026-04-16T00:12:40.000+05:30
Aligns with the Java client behavior where TLS/SSL is required for
authentication. The error message matches the Java client phrasing:
"TLS/SSL is required for authentication."

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/tests/unit/test_dbapi.py b/tests/unit/test_dbapi.py
@@ -18,6 +18,7 @@
 from httpretty import httprettified
 from requests import Session
 
+import trino.exceptions
 from tests.unit.oauth_test_utils import _get_token_requests
 from tests.unit.oauth_test_utils import _post_statement_requests
 from tests.unit.oauth_test_utils import GetTokenCallback
@@ -27,6 +28,7 @@
 from tests.unit.oauth_test_utils import SERVER_ADDRESS
 from tests.unit.oauth_test_utils import TOKEN_RESOURCE
 from trino import constants
+from trino.auth import BasicAuthentication
 from trino.auth import OAuth2Authentication
 from trino.dbapi import connect
 from trino.dbapi import Connection
@@ -362,3 +364,12 @@ def test_default_encoding_zstd():
 def test_default_encoding_all():
     connection = Connection("host", 8080, user="test")
     assert connection._client_session.encoding == ["json+zstd", "json+lz4", "json"]
+
+
+def test_error_when_auth_over_http():
+    with pytest.raises(trino.exceptions.TrinoAuthError, match="TLS/SSL is required for authentication"):
+        Connection("mytrinoserver.domain", auth=BasicAuthentication("u", "p"))
+
+
+def test_no_error_when_auth_over_https():
+    Connection("mytrinoserver.domain", http_scheme=constants.HTTPS, auth=BasicAuthentication("u", "p"))
diff --git a/trino/dbapi.py b/trino/dbapi.py
@@ -215,6 +215,13 @@ def __init__(
         else:
             self.http_scheme = constants.HTTP
 
+        if auth is not None and self.http_scheme == constants.HTTP:
+            raise trino.exceptions.TrinoAuthError(
+                "TLS/SSL is required for authentication. "
+                "To use HTTPS, specify 'https://' in the host URL (which takes precedence "
+                "over http_scheme), or, if the host URL has no scheme, pass http_scheme='https'."
+            )
+
         # Infer connection port: `hostname` takes precedence over explicit `port` argument
         # If none is given, use default based on HTTP protocol
         default_port = constants.DEFAULT_TLS_PORT if self.http_scheme == constants.HTTPS else constants.DEFAULT_PORT
