Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clear Authorization header when redirecting cross-site #183

Merged
merged 12 commits into from
Feb 4, 2019
Merged

Clear Authorization header when redirecting cross-site #183

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
c7ac85c
Add specs for FollowRedirects :clear_authorization_header option
akilburge Jan 21, 2014
82205b7
Add new :clear_authorization_header option to FollowRedirects middleware
akilburge Jan 21, 2014
3c7a56a
Update .gitignore to the .idea/ folder created by RubyMine IDE
akilburge Jan 21, 2014
aa6a3da
Actually fix tests on Rubinius
sferik Jan 21, 2014
a217984
Merge branch 'clear-auth-header-on-redirects' of github.com:akilb/far…
kyoshidajp Dec 16, 2018
2a1f8e2
Clear Authorization header as default on redirect
kyoshidajp Dec 16, 2018
d64311c
Do not clear Authorization header on redirect to same host
kyoshidajp Dec 16, 2018
f3dc253
Refactor long line and method
kyoshidajp Dec 16, 2018
bf5e3b2
Update lib/faraday_middleware/response/follow_redirects.rb
iMacTia Feb 4, 2019
05b3ee9
Update lib/faraday_middleware/response/follow_redirects.rb
iMacTia Feb 4, 2019
42cd23b
Delete unnecessary return value
kyoshidajp Feb 4, 2019
c3f38c3
Use Faraday::Adapter::Test instead of sinatra
kyoshidajp Feb 4, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 33 additions & 4 deletions lib/faraday_middleware/response/follow_redirects.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,15 +45,24 @@ class FollowRedirects < Faraday::Middleware
# the "%" character which we assume already represents an escaped sequence.
URI_UNSAFE = /[^\-_.!~*'()a-zA-Z\d;\/?:@&=+$,\[\]%]/

AUTH_HEADER = 'Authorization'.freeze

# Public: Initialize the middleware.
#
# options - An options Hash (default: {}):
# :limit - A Numeric redirect limit (default: 3)
# :standards_compliant - A Boolean indicating whether to respect
# :limit - A Numeric redirect limit (default: 3)
# :standards_compliant - A Boolean indicating whether to respect
# the HTTP spec when following 301/302
# (default: false)
# :callback - A callable that will be called on redirects
# :callback - A callable that will be called on redirects
# with the old and new envs
# :cookies - An Array of Strings (e.g.
# ['cookie1', 'cookie2']) to choose
# cookies to be kept, or :all to keep
# all cookies (default: []).
# :clear_authorization_header - A Boolean indicating whether the request
# Authorization header should be cleared on
# redirects (default: true)
def initialize(app, options = {})
super(app)
@options = options
Expand Down Expand Up @@ -89,7 +98,9 @@ def perform_with_redirection(env, follows)
end

def update_env(env, request_body, response)
env[:url] += safe_escape(response['location'] || '')
redirect_from_url = env[:url].to_s
redirect_to_url = safe_escape(response['location'] || '')
env[:url] += redirect_to_url

if convert_to_get?(response)
env[:method] = :get
Expand All @@ -98,6 +109,8 @@ def update_env(env, request_body, response)
env[:body] = request_body
end

clear_authorization_header(env, redirect_from_url, redirect_to_url)

ENV_TO_CLEAR.each {|key| env.delete key }

env
Expand Down Expand Up @@ -130,5 +143,21 @@ def safe_escape(uri)
'%' + match.unpack('H2' * match.bytesize).join('%').upcase
}
end

def clear_authorization_header(env, from_url, to_url)
return env if redirect_to_same_host?(from_url, to_url)
return env unless @options.fetch(:clear_authorization_header, true)

env[:request_headers].delete(AUTH_HEADER)
end

def redirect_to_same_host?(from_url, to_url)
return true if to_url.start_with?('/')

from_uri = URI.parse(from_url)
to_uri = URI.parse(to_url)

[from_uri.scheme, from_uri.host, from_uri.port] == [to_uri.scheme, to_uri.host, to_uri.port]
end
end
end
112 changes: 112 additions & 0 deletions spec/unit/follow_redirects_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -164,6 +164,118 @@
end
end

context "when clear_authorization_header option" do
context "is false" do
it "redirects with the original authorization headers" do
conn = connection(:clear_authorization_header => false) do |stub|
stub.get('/redirect') {
[301, {'Location' => '/found'}, '']
}
stub.get('/found') { |env|
[200, {'Content-Type' => 'text/plain'}, env[:request_headers]['Authorization']]
}
end
response = conn.get('/redirect') { |req|
req.headers['Authorization'] = 'success'
}

expect(response.body).to eq 'success'
end
end

context "is true" do
context "redirect to same host" do
it "redirects with the original authorization headers" do
conn = connection do |stub|
stub.get('http://localhost/redirect') do
[301, {'Location' => '/found'}, '']
end
stub.get('http://localhost/found') do |env|
[200, {}, env.request_headers["Authorization"]]
end
end
response = conn.get('http://localhost/redirect') do |req|
req.headers['Authorization'] = 'success'
end

expect(response.body).to eq 'success'
end
end

context "redirect to same host with explicitly port" do
it "redirects with the original authorization headers" do
conn = connection do |stub|
stub.get('http://localhost/redirect') do
[301, {'Location' => 'http://localhost:80/found'}, '']
end
stub.get('http://localhost/found') do |env|
[200, {}, env.request_headers["Authorization"]]
end
end
response = conn.get('http://localhost/redirect') { |req|
req.headers['Authorization'] = 'success'
}

expect(response.body).to eq 'success'
end
end

context "redirect to different scheme" do
it "redirects without original authorization headers" do
conn = connection do |stub|
stub.get('http://localhost/redirect') do
[301, {'Location' => 'https://localhost2/found'}, '']
end
stub.get('https://localhost2/found') do |env|
[200, {}, env.request_headers["Authorization"]]
end
end
response = conn.get('http://localhost/redirect') { |req|
req.headers['Authorization'] = 'failed'
}

expect(response.body).to eq nil
end
end

context "redirect to different host" do
it "redirects without original authorization headers" do
conn = connection do |stub|
stub.get('http://localhost/redirect') do
[301, {'Location' => 'http://localhost2/found'}, '']
end
stub.get('https://localhost2/found') do |env|
[200, {}, env.request_headers["Authorization"]]
end
end
response = conn.get('http://localhost/redirect') { |req|
req.headers['Authorization'] = 'failed'
}

expect(response.body).to eq nil
end
end

context "redirect to different port" do
it "redirects without original authorization headers" do
conn = connection do |stub|
stub.get('http://localhost:9090/redirect') do
[301, {'Location' => 'http://localhost:9091/found'}, '']
end
stub.get('http://localhost:9091/found') do |env|
[200, {}, env.request_headers["Authorization"]]
end
end
response = conn.get('http://localhost:9090/redirect') { |req|
req.headers['Authorization'] = 'failed'
}

expect(response.body).to eq nil
end
end
end
end

[301, 302].each do |code|
context "for an HTTP #{code} response" do
it_behaves_like 'a successful redirection', code
Expand Down