Fix issue #160, remove auth header on redirect #432

Closed
wants to merge 3 commits into from

2 participants

@EchoAbstract

This fix removes the Authorization header when the host being redirected to is different from the host that issued the redirect; if the hosts are the same, the Authorization header is left in place.

Tests included.

This is try 2, I don't think the first pull request sent successfully.

@EchoAbstract EchoAbstract Fix issue #160, remove auth header on redirect
This fix removes the authorization header when the host
that's being redirected to is different than the host
that's redirecting, if the hosts are the same then the
auth header remains the same.

Tests included.
223a69a
main.js
@@ -674,12 +678,20 @@ Request.prototype.start = function () {
if (response.statusCode != 401) {
delete self.body
delete self._form
+
+ // Check for auth header and remove if the host doesn't match, issue #160
+ if (self.headers && url.parse(redirectTo).host !== self.originalHost){
@mikeal Owner
mikeal added a note

Is it necessary to keep the "originalHost" around? Can't we just check the current host against the redirect URL's host before we do the forward, and remove the authorization header there?

@EchoAbstract

Is there another variable that I can use to get the current host? I tried using the host header, but that's cleared prior to redirection. It's very possible I missed the variable that's used to store the current host. Let me know if there's a better way to do this.

@EchoAbstract EchoAbstract Remove access var, clean up tests
Per comment by @mikeal removed the references to
originalHost.

Since this is just hostname (not host + port) updated the unit
tests to use localhost ip instead of hostname, also removed
the extra server that's not required.
993489b
main.js
@@ -558,7 +558,10 @@ Request.prototype.start = function () {
return
}
- if (self.setHost) delete self.headers.host
@mikeal Owner
mikeal added a note

this style change shouldn't be in this pull req.

That was changed for the first commit to add a second statement and accidentally left during the second. Fixing now.

@mikeal
Owner

this doesn't merge cleanly, please reopen when it does.

@mikeal mikeal closed this
@EchoAbstract EchoAbstract deleted the EchoAbstract:160-redirect-remove-basic-auth branch
@EchoAbstract EchoAbstract restored the EchoAbstract:160-redirect-remove-basic-auth branch
Commits on Feb 11, 2013
  1. @EchoAbstract

    Fix issue #160, remove auth header on redirect

    EchoAbstract authored
    This fix removes the authorization header when the host
    that's being redirected to is different than the host
    that's redirecting, if the hosts are the same then the
    auth header remains the same.
    
    Tests included.
Commits on Feb 12, 2013
  1. @EchoAbstract

    Remove access var, clean up tests

    EchoAbstract authored
    Per comment by @mikeal removed the references to
    originalHost.
    
    Since this is just hostname (not host + port) updated the unit
    tests to use localhost ip instead of hostname, also removed
    the extra server that's not required.
Commits on Feb 20, 2013
  1. @EchoAbstract

    Revert left over change

    EchoAbstract authored
Showing with 47 additions and 1 deletion.
  1. +9 −0 main.js
  2. +38 −1 tests/test-redirect.js
9 main.js
@@ -559,6 +559,7 @@ Request.prototype.start = function () {
}
if (self.setHost) delete self.headers.host
+
if (self.timeout && self.timeoutTimer) {
clearTimeout(self.timeoutTimer)
self.timeoutTimer = null
@@ -674,12 +675,20 @@ Request.prototype.start = function () {
if (response.statusCode != 401) {
delete self.body
delete self._form
+
+ // Check for auth header and remove if the host doesn't match, issue #160
+ if (self.headers && url.parse(redirectTo).hostname !== self.host){
+ delete self.headers['authorization']
+ delete self.headers['Authorization']
+ }
}
+
if (self.headers) {
delete self.headers.host
delete self.headers['content-type']
delete self.headers['content-length']
}
+
if (log) log('Redirect to %uri due to status %status', {uri: self.uri, status: response.statusCode})
self.init()
return // Ignore the rest of the response
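Review bot: The added check compares hostnames only, so a redirect from `https://example.com` to `http://example.com`, or to the same hostname on a different port, keeps the Authorization header and replays the Basic credentials to what is effectively another origin (the second commit's message itself notes this is "just hostname (not host + port)"); the comparison should cover scheme and host:port, e.g. `var target = url.parse(redirectTo)` followed by `if (self.headers && (target.protocol !== self.uri.protocol || target.host !== self.uri.host)) {`, assuming self.uri (logged a few lines below) is the parsed URL of the current request. If redirectTo can still be a relative Location at this point, `hostname` is null and the header is stripped even on a same-host redirect — the safe direction, but not the intended one, and worth a comment either way. Only the `authorization`/`Authorization` spellings are deleted, so a header supplied in another casing, or one re-added if init() reapplies a stored auth option, would presumably survive; init() is not in view, so this needs confirming. The enclosing response handler starts and ends outside the shown hunks.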
39 tests/test-redirect.js
@@ -6,12 +6,15 @@ var server = require('./server')
var s = server.createServer()
+
s.listen(s.port, function () {
var server = 'http://localhost:' + s.port;
var hits = {}
var passed = 0;
bouncer(301, 'temp')
+ bouncer(301, 'auth_same')
+ bouncer(301, 'auth_diff')
bouncer(302, 'perm')
bouncer(302, 'nope')
@@ -34,6 +37,17 @@ s.listen(s.port, function () {
res.end();
return;
}
+
+ // #160 Enusre that if we're hitting the auth_same_landing endpoint that we've
+ // kept our auth header (same host case)
+ if (landing === 'auth_same_landing'){
+ assert.notEqual(req.headers.authorization, undefined)
+ // #160 Enusre that if we're hitting the auth_diff_landing endpoint that we've
+ // deleted any auth header (diff host case)
+ } else if (landing === 'auth_diff_landing') {
+ assert.equal(req.headers.authorization, undefined)
+ }
+
// Make sure the cookie doesn't get included twice, see #139:
// Make sure cookies are set properly after redirect
assert.equal(req.headers.cookie, 'foo=bar; quux=baz; ham=eggs');
@@ -143,10 +157,33 @@ s.listen(s.port, function () {
done()
})
+
+ // Test for issue #160, Strip auth headers during redirect to different domain
+ request({uri: 'http://127.0.0.1:' + s.port + "/auth_diff", jar: jar, headers: {authorization: "Basic abcdef=", cookie: 'foo=bar'}}, function (er, res, body) {
+ if (er) throw er
+ if (res.statusCode !== 200) throw new Error('Status is not 200: '+res.statusCode)
+ assert.ok(hits.auth_diff, 'Original request is to /auth_diff')
+ assert.ok(hits.auth_diff_landing, 'Forward to diff auth landing URL')
+ assert.equal(body, 'auth_diff_landing', 'Got diff auth landing content')
+ passed += 1
+ done()
+ })
+
+ // Test for issue #160, keep auth headers during redirect to different domain
+ request({uri: server+'/auth_same', jar: jar, headers: {authorization: "Basic abcdef=", cookie: 'foo=bar'}}, function (er, res, body) {
+ if (er) throw er
+ if (res.statusCode !== 200) throw new Error('Status is not 200: '+res.statusCode)
+ assert.ok(hits.auth_same, 'Original request is to /auth_same')
+ assert.ok(hits.auth_same_landing, 'Forward to same auth landing URL')
+ assert.equal(body, 'auth_same_landing', 'Got same auth landing content')
+ passed += 1
+ done()
+ })
+
var reqs_done = 0;
function done() {
reqs_done += 1;
- if(reqs_done == 9) {
+ if(reqs_done == 10) {
console.log(passed + ' tests passed.')
s.close()
}
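Review bot: The comment above the second new request says "keep auth headers during redirect to different domain", but that request is the same-host case (it targets `server`, i.e. `'http://localhost:' + s.port`, and its bouncer presumably lands on the same server); it should read `// Test for issue #160, keep auth header during redirect to the same host`. The two cases only exercise a hostname-string mismatch (`127.0.0.1` versus `localhost`), so nothing pins the behaviour for a redirect to the same hostname on a different port or scheme, and a third bouncer targeting the same host on a second port would make that decision explicit in the suite. "Enusre" in the two landing-check comments is a typo for "Ensure". The s.listen callback and the bouncer helper continue outside the shown hunks.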