From 1b981b4c98887f0f614c35094a2fc09efaefd9d7 Mon Sep 17 00:00:00 2001
From: Ashhar Hasan <ashhar.hasan@starburstdata.com>
Date: Fri, 6 Mar 2026 20:10:08 +0530
Subject: [PATCH] Raise error when sending credentials over HTTP

Aligns with the Java client behavior where TLS/SSL is required for
authentication. The error message matches the Java client phrasing:
"TLS/SSL is required for authentication."

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 tests/unit/test_dbapi.py | 11 +++++++++++
 trino/dbapi.py           |  7 +++++++
 2 files changed, 18 insertions(+)

diff --git a/tests/unit/test_dbapi.py b/tests/unit/test_dbapi.py
index e3821bba..d94226c1 100644
--- a/tests/unit/test_dbapi.py
+++ b/tests/unit/test_dbapi.py
@@ -18,6 +18,7 @@
 from httpretty import httprettified
 from requests import Session
 
+import trino.exceptions
 from tests.unit.oauth_test_utils import _get_token_requests
 from tests.unit.oauth_test_utils import _post_statement_requests
 from tests.unit.oauth_test_utils import GetTokenCallback
@@ -27,6 +28,7 @@
 from tests.unit.oauth_test_utils import SERVER_ADDRESS
 from tests.unit.oauth_test_utils import TOKEN_RESOURCE
 from trino import constants
+from trino.auth import BasicAuthentication
 from trino.auth import OAuth2Authentication
 from trino.dbapi import connect
 from trino.dbapi import Connection
@@ -362,3 +364,12 @@ def test_default_encoding_zstd():
 def test_default_encoding_all():
     connection = Connection("host", 8080, user="test")
     assert connection._client_session.encoding == ["json+zstd", "json+lz4", "json"]
+
+
+def test_error_when_auth_over_http():
+    with pytest.raises(trino.exceptions.TrinoAuthError, match="TLS/SSL is required for authentication"):
+        Connection("mytrinoserver.domain", auth=BasicAuthentication("u", "p"))
+
+
+def test_no_error_when_auth_over_https():
+    Connection("mytrinoserver.domain", http_scheme=constants.HTTPS, auth=BasicAuthentication("u", "p"))
diff --git a/trino/dbapi.py b/trino/dbapi.py
index 42eeb547..3cc61952 100644
--- a/trino/dbapi.py
+++ b/trino/dbapi.py
@@ -215,6 +215,13 @@ def __init__(
         else:
             self.http_scheme = constants.HTTP
 
+        if auth is not None and self.http_scheme == constants.HTTP:
+            raise trino.exceptions.TrinoAuthError(
+                "TLS/SSL is required for authentication. "
+                "To use HTTPS, specify 'https://' in the host URL (which takes precedence "
+                "over http_scheme), or, if the host URL has no scheme, pass http_scheme='https'."
+            )
+
         # Infer connection port: `hostname` takes precedence over explicit `port` argument
         # If none is given, use default based on HTTP protocol
         default_port = constants.DEFAULT_TLS_PORT if self.http_scheme == constants.HTTPS else constants.DEFAULT_PORT