
Commit fbd1377

fix and tests
1 parent ab10999 commit fbd1377

2 files changed

+54
-0
lines changed


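--- a/__tests__/basics.test.ts
+++ b/__tests__/basics.test.ts
@@ -179,6 +179,50 @@ describe('basics', () => {
 done()
 })
 
+it('does not pass auth with diff hostname redirects', async done => {
+let headers = {
+"accept": "application/json",
+"authorization": "shhh"
+}
+let res: httpm.HttpClientResponse = await _http.get(
+'https://httpbin.org/redirect-to?url=' +
+encodeURIComponent('https://www.httpbin.org/get'),
+headers
+)
+
+expect(res.message.statusCode).toBe(200)
+let body: string = await res.readBody()
+let obj: any = JSON.parse(body)
+// httpbin "fixes" the casing
+expect(obj.headers["Authorization"]).toBeUndefined()
+expect(obj.headers["authorization"]).toBeUndefined()
+expect(obj.url).toBe('https://www.httpbin.org/get')
+
+done()
+})
+
+it('does not pass Auth with diff hostname redirects', async done => {
+let headers = {
+"Accept": "application/json",
+"Authorization": "shhh"
+}
+let res: httpm.HttpClientResponse = await _http.get(
+'https://httpbin.org/redirect-to?url=' +
+encodeURIComponent('https://www.httpbin.org/get'),
+headers
+)
+
+expect(res.message.statusCode).toBe(200)
+let body: string = await res.readBody()
+let obj: any = JSON.parse(body)
+// httpbin "fixes" the casing
+expect(obj.headers["Authorization"]).toBeUndefined()
+expect(obj.headers["authorization"]).toBeUndefined()
+expect(obj.url).toBe('https://www.httpbin.org/get')
+
+done()
+})
+
 it('does basic head request', async done => {
 let res: httpm.HttpClientResponse = await _http.head(
 'http://httpbin.org/get'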
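Review bot: The two new tests are named identically except for the capitalization of "auth" in `it('does not pass auth with diff hostname redirects', …)` and `it('does not pass Auth with diff hostname redirects', …)`, so a failure report will not say which header casing regressed; naming them by what differs, e.g. `it('strips lowercase authorization header on cross-host redirect', …)` and `it('strips capitalized Authorization header on cross-host redirect', …)`, makes the intent visible. Both tests also only cover the stripping case; a companion test asserting that a same-host redirect still forwards the header would guard against over-stripping, unless such a test already exists elsewhere in this file. Both tests depend on a live httpbin.org round trip, so a network hiccup will present as a redirect-handling failure.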

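--- a/index.ts
+++ b/index.ts
@@ -386,6 +386,16 @@ export class HttpClient {
 // which will leak the open socket.
 await response.readBody()
 
+// strip authorization header if redirected to a different hostname
+if (parsedRedirectUrl.hostname !== parsedUrl.hostname) {
+for(let header in headers){
+// header names are case insensitive
+if (header.toLowerCase() === "authorization") {
+delete headers[header]
+}
+}
+}
+
 // let's make the request with the new redirectUrl
 info = this._prepareRequest(verb, parsedRedirectUrl, headers)
 response = await this.requestRaw(info, data)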
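Review bot: The guard `if (parsedRedirectUrl.hostname !== parsedUrl.hostname)` keys only on hostname, so a redirect from https to http on the same host still forwards the Authorization header, now over cleartext. Treating a scheme change like a host change closes that gap: `if (parsedRedirectUrl.hostname !== parsedUrl.hostname || parsedRedirectUrl.protocol !== parsedUrl.protocol) {`. Separately, `delete headers[header]` mutates the headers object the caller handed to the request method, so after a cross-host redirect the caller's own object has silently lost its Authorization entry; copying the headers before this loop (or building the stripped set for the redirect request only) avoids that side effect. The enclosing method starts and ends outside the hunk.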
