Authorization header shouldn't be forwarded across redirects #450
Comments
I could have sworn this was fixed in a pull request, are you sure this is an issue on master?
Yep, pretty sure, happens with both the version on NPM and direct from github.
Hi all, I'm also experiencing this issue. Any news here? I'm using the latest npm version (2.42.0).
this was just fixed, and should be fixed in the latest npm version.
ahh, yea, good catch :)
@mikofski a better approach would be to create a new issue, and reference all other issues there instead of spamming the same content in all threads. GitHub puts back reference links to them. I removed your posts in the other 3 issues.
Yep, open another one, and link to the other issue from there.
Authorization headers are getting preserved even after redirects to a different server, which breaks if the target of the redirect isn't expecting Authorization (e.g. Amazon S3 throws a 400 error).
Ideally the behaviour would be the same as in curl or requesting the URL in a browser.
For example:
Outputs:
This is currently breaking NPM with links to GitHub private repo tarballs using basic auth, as they redirect to S3.
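The behaviour the issue asks for, as an added example that is not part of the original issue or the request library's own code: a redirect step that drops `Authorization` when the next hop is a different server and never restores it later in the chain. The function names, hostnames and credential are constructed, and treating any change of scheme, host or port as "a different server" is an assumption of this sketch.

```javascript
// Added example; hostnames and the credential below are constructed.
// Assumption: "different server" means a different origin (scheme, host or port).
function nextHop(currentUrl, locationHeader, headers) {
  const from = new URL(currentUrl);
  const to = new URL(locationHeader, from); // Location may be relative
  const crossOrigin = from.origin !== to.origin;
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (lower === 'host') continue; // the client sets Host again for each hop
    if (lower === 'authorization' && crossOrigin) continue; // do not leak credentials
    out[name] = value;
  }
  return { url: to.href, headers: out };
}

// Walk a list of Location values and return the request made at each hop.
function followChain(startUrl, headers, locations) {
  const trail = [{ url: startUrl, headers: { ...headers } }];
  for (const location of locations) {
    const prev = trail[trail.length - 1];
    trail.push(nextHop(prev.url, location, prev.headers));
  }
  return trail;
}

// Constructed chain: same-origin relative redirect, then a storage host,
// then back to the first host.
const SAMPLE_TRAIL = followChain(
  'https://api.example.test/repos/acme/private/tarball',
  { Authorization: 'Basic constructed-credential', Accept: '*/*' },
  [
    '/repos/acme/private/tarball/v1',
    'https://bucket.storage.example.test/acme-private-v1.tgz',
    'https://api.example.test/done',
  ]
);

for (const hop of SAMPLE_TRAIL) {
  console.log(hop.url, 'Authorization' in hop.headers ? 'auth sent' : 'no auth');
}
```

Because each hop is built from the previous hop's headers, a redirect that returns to the original host after visiting a third party does not get the credential back.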