Authorization header shouldn't be forwarded across redirects

[jbt]

Authorization headers are getting preserved even after redirects to a different server, which breaks if the target of the redirect isn't expecting Authorization (e.g. Amazon S3 throws a 400 error).

Ideally the behaviour would be the same as in curl or requesting the URL in a browser

For example:

var app = require('express')();

app.get('*', function(req, res){
  res.redirect('http://aws-lightbox.s3.amazonaws.com/source/jquery.fancybox.css');
});

app.listen(5678)

require('request')('http://foo:bar@localhost:5678/', function(err,resp){
  console.log('Request', resp.statusCode);
});

require('child_process').exec('curl -L -w "%{http_code}" -o /dev/null http://foo:bar@localhost:5678/', function(err, resp){
  console.log('Curl', resp)
});

Outputs:

Request 400
Curl 200

This is currently breaking NPM with links to GitHub private repo tarballs using basic auth, as they redirect to S3

[mikeal]

i could have sworn this was fixed in a pull request, are you sure this is an issue on master?

[jbt]

Yep, pretty sure, happens with both the version on NPM and direct from github.

[ArVan]

Hi all, I'm also experiencing this issue. Any news here? I'm, using the latest npm version (2.42.0)

[mikeal]

this was just fixed, and should be fixed in the latest npm version.

[nylen]

You're thinking of @isaacs change to remove headers when proxying, right? That's a different issue - we still need to remove authorization headers on redirect to a different host. #1058 is a good start on this.

[mikeal]

ahh, yea, good catch :)

[simov]

@mikofski a better approach would be to create a new issue, and reference all other issues there instead of spamming the same content in all threads. GitHub puts back reference links to them.

I removed your posts in the other 3 issues.

[simov]

Yep, open another one, and link to the other issue from there.