master 3d02c8aabf: Disable auth-source-pass-extra-query-keywords by default

[F. Jason Park]

branch: master
commit 3d02c8aabfde88219dd8b6053a59de261308bc2f
Author: F. Jason Park <jp@neverwas.me>
Commit: F. Jason Park <jp@neverwas.me>

    Disable auth-source-pass-extra-query-keywords by default
    
    * doc/misc/auth.texi: Mention subdomain matching in
    `auth-source-pass-extra-query-keywords' section.
    * etc/NEWS: Mention the loss of traditional auth-source-pass features
    when `auth-source-pass-extra-query-keywords' is enabled.
    * lisp/auth-source-pass (auth-source-pass-extra-query-keywords): Set
    default to nil.  Mention domain matching in doc string.
    (auth-source-pass--match-regexp): Allow username to contain "@".
    * lisp/erc/erc-compat.el:
    (erc-compat--29-auth-source-pass--retrieve-parsed): Adjust regexp.
    * test/lisp/auth-source-pass-tests.el
    (auth-source-pass-extra-query-keywords--suffixed-user): make plain
    username more email-like.
    (Bug#58985.)
---
 doc/misc/auth.texi                  | 11 ++++++-----
 etc/NEWS                            |  3 ++-
 lisp/auth-source-pass.el            |  9 +++++----
 lisp/erc/erc-compat.el              |  2 +-
 test/lisp/auth-source-pass-tests.el | 24 ++++++++++++------------
 5 files changed, 26 insertions(+), 23 deletions(-)

diff --git a/doc/misc/auth.texi b/doc/misc/auth.texi
index 872e5f88f5..83728be0a5 100644
--- a/doc/misc/auth.texi
+++ b/doc/misc/auth.texi
@@ -560,11 +560,12 @@ favors the @samp{rms@@gnu.org.gpg} form for usernames 
over the
 param was provided.
 
 In general, if you prefer idiosyncrasies traditionally exhibited by
-this backend, such as prioritizing field count in a filename, try
-setting this option to @code{nil}.  But, if you experience problems
-predicting the outcome of searches relative to other auth-source
-backends or encounter code expecting to query multiple backends
-uniformly, try flipping it back to @code{t} (the default).
+this backend, such as prioritizing field count in a filename or
+matching against subdomain labels, keep this option set to @code{nil}
+(the default).  But, if you experience problems predicting the outcome
+of searches relative to other auth-source backends or encounter code
+expecting to query multiple backends uniformly, try flipping it to
+@code{t}.
 @end defvar
 
 @node Help for developers
diff --git a/etc/NEWS b/etc/NEWS
index 7b64752f46..0ffc849fec 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -1410,7 +1410,8 @@ database stored on disk.
 *** New user option 'auth-source-pass-extra-query-keywords'.
 Whether to recognize additional keyword params, like ':max' and
 ':require', as well as accept lists of query terms paired with
-applicable keywords.
+applicable keywords.  This disables most known behavioral quirks
+unique to auth-source-pass, such as wildcard subdomain matching.
 
 ** Dired
 
diff --git a/lisp/auth-source-pass.el b/lisp/auth-source-pass.el
index dc274843e1..74d3808448 100644
--- a/lisp/auth-source-pass.el
+++ b/lisp/auth-source-pass.el
@@ -55,12 +55,13 @@
   :type 'string
   :version "27.1")
 
-(defcustom auth-source-pass-extra-query-keywords t
+(defcustom auth-source-pass-extra-query-keywords nil
   "Whether to consider additional keywords when performing a query.
 Specifically, when the value is t, recognize the `:max' and
 `:require' keywords and accept lists of query parameters for
-certain keywords, such as `:host' and `:user'.  Also, wrap all
-returned secrets in a function and forgo any further results
+certain keywords, such as `:host' and `:user'.  Beyond that, wrap
+all returned secrets in a function and don't bother considering
+subdomains when matching hosts.  Also, forgo any further results
 filtering unless given an applicable `:require' argument.  When
 this option is nil, do none of that, and enact the narrowing
 behavior described toward the bottom of the Info node `(auth) The
@@ -110,7 +111,7 @@ HOSTS can be a string or a list of strings."
 (defun auth-source-pass--match-regexp (s)
   (rx-to-string ; autoloaded
    `(: (or bot "/")
-       (or (: (? (group-n 20 (+ (not (in ?\  ?/ ?@ ,s)))) "@")
+       (or (: (? (group-n 20 (+ (not (in ?\  ?/ ,s)))) "@")
               (group-n 10 (+ (not (in ?\  ?/ ?@ ,s))))
               (? ,s (group-n 30 (+ (not (in ?\  ?/ ,s))))))
            (: (group-n 11 (+ (not (in ?\  ?/ ?@ ,s))))
diff --git a/lisp/erc/erc-compat.el b/lisp/erc/erc-compat.el
index 66a9a615e3..abbaafcd93 100644
--- a/lisp/erc/erc-compat.el
+++ b/lisp/erc/erc-compat.el
@@ -176,7 +176,7 @@ If START or END is negative, it counts from the end."
 ;; This hard codes `auth-source-pass-port-separator' to ":"
 (defun erc-compat--29-auth-source-pass--retrieve-parsed (seen e port-number-p)
   (when (string-match (rx (or bot "/")
-                          (or (: (? (group-n 20 (+ (not (in " /@")))) "@")
+                          (or (: (? (group-n 20 (+ (not (in " /:")))) "@")
                                  (group-n 10 (+ (not (in " /:@"))))
                                  (? ":" (group-n 30 (+ (not (in " /:"))))))
                               (: (group-n 11 (+ (not (in " /:@"))))
diff --git a/test/lisp/auth-source-pass-tests.el 
b/test/lisp/auth-source-pass-tests.el
index 6e6671efca..1107e09b51 100644
--- a/test/lisp/auth-source-pass-tests.el
+++ b/test/lisp/auth-source-pass-tests.el
@@ -697,29 +697,29 @@ machine Libera.Chat password b
 ;; with slightly more realistic and less legible values.
 
 (ert-deftest auth-source-pass-extra-query-keywords--suffixed-user ()
-  (let ((store (sort (copy-sequence '(("x.com:42/bar" (secret . "a"))
-                                      ("bar@x.com" (secret . "b"))
+  (let ((store (sort (copy-sequence '(("x.com:42/b@r" (secret . "a"))
+                                      ("b@r@x.com" (secret . "b"))
                                       ("x.com" (secret . "?"))
-                                      ("bar@y.org" (secret . "c"))
+                                      ("b@r@y.org" (secret . "c"))
                                       ("fake.com" (secret . "?"))
-                                      ("fake.com/bar" (secret . "d"))
-                                      ("y.org/bar" (secret . "?"))
-                                      ("bar@fake.com" (secret . "e"))))
+                                      ("fake.com/b@r" (secret . "d"))
+                                      ("y.org/b@r" (secret . "?"))
+                                      ("b@r@fake.com" (secret . "e"))))
                      (lambda (&rest _) (zerop (random 2))))))
     (auth-source-pass--with-store store
       (auth-source-pass-enable)
       (let* ((auth-source-pass-extra-query-keywords t)
              (results (auth-source-search :host '("x.com" "fake.com" "y.org")
-                                          :user "bar"
+                                          :user "b@r"
                                           :require '(:user) :max 5)))
         (dolist (result results)
           (setf (plist-get result :secret) (auth-info-password result)))
         (should (equal results
-                       '((:host "x.com" :user "bar" :secret "b")
-                         (:host "x.com" :user "bar" :port "42" :secret "a")
-                         (:host "fake.com" :user "bar" :secret "e")
-                         (:host "fake.com" :user "bar" :secret "d")
-                         (:host "y.org" :user "bar" :secret "c"))))))))
+                       '((:host "x.com" :user "b@r" :secret "b")
+                         (:host "x.com" :user "b@r" :port "42" :secret "a")
+                         (:host "fake.com" :user "b@r" :secret "e")
+                         (:host "fake.com" :user "b@r" :secret "d")
+                         (:host "y.org" :user "b@r" :secret "c"))))))))
 
 ;; This is a more distilled version of `suffixed-user', above.  It
 ;; better illustrates that search order takes precedence over "/user"