Description
I ran into an interesting situation trying to authorize with a server that had http redirected to https and the url given had a path in it.
Given a url to connect to like:
http://mysite.com/my/path/here
When we request a token, the following path is tried:
http://mysite.com/my/path/here/oauth/request_token
The server responds with a redirect and location of:
https://mysite.com/my/path/here/oauth/request_token
The part of the library that addresses the redirect is here:
https://github.com/oauth-xx/oauth-ruby/blob/master/lib/oauth/consumer.rb#L232
The path pulled from the location header is:
/my/path/here/oauth/request_token
and is checked against the original to detect infinite redirects, but the original is:
/oauth/request_token
So the new path is passed on to token_request. When the request is made we build a url from the path and the site here:
https://github.com/oauth-xx/oauth-ruby/blob/master/lib/oauth/consumer.rb#L360
Since the new path to try includes the path that is also on the site we get a url like:
http://mysite.com/my/path/here/my/path/here/oauth/request_token
Since the protocol is still http the remote server responds with a redirect again and again. This grows the path and continues as long as the client or remote server will allow.
The two points of pain I am having are:
- The protocol changed in the redirect. Should we accept the protocol change, raise an exception, or some other behavior to stop the infinite redirects?
- When building a new path from the redirect, how or should we account for there being a path on the site that is also in the redirect?
Wondering if you feel this is an issue that could/should be handled by this library. If so I would like to help.
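The redirect behaviour reported above, reproduced as an added example that is not part of the original issue and is not oauth-ruby's code. The simulated server, the method names and the downgrade-refusal policy are assumptions made for illustration; the hostname and paths are the ones given in the report.

```ruby
require "uri"

# Constructed values mirroring the report; not oauth-ruby's own code.
SITE = "http://mysite.com/my/path/here"
TOKEN_PATH = "/oauth/request_token"

# Simulated server (constructed): http is redirected to the same path on https.
UPGRADING_SERVER = lambda do |url|
  uri = URI.parse(url)
  uri.scheme == "https" ? [200, nil] : [302, "https://#{uri.host}#{uri.path}"]
end

# Behaviour described in the report: only the path of Location is kept and
# appended to a site that already carries a path, so the scheme change is lost.
def naive_follow(site, path, max_hops, server = UPGRADING_SERVER)
  urls = []
  max_hops.times do
    urls << (url = site + path)
    status, location = server.call(url)
    return urls if status == 200
    path = URI.parse(location).path
  end
  urls
end

# Alternative (assumed policy): resolve Location against the URL just requested,
# keep its scheme and host, refuse https -> http, and bound the number of hops.
def resolved_follow(site, path, max_hops, server = UPGRADING_SERVER)
  url = site + path
  seen = []
  max_hops.times do
    raise "redirect loop at #{url}" if seen.include?(url)
    seen << url
    status, location = server.call(url)
    return seen if status == 200
    target = URI.join(url, location)
    if URI.parse(url).scheme == "https" && target.scheme != "https"
      raise "refusing downgrade to #{target.scheme}"
    end
    url = target.to_s
  end
  raise "too many redirects (#{max_hops})"
end
```

`naive_follow(SITE, TOKEN_PATH, 3)` returns three http URLs with a growing path, while `resolved_follow(SITE, TOKEN_PATH, 5)` stops after the single hop to https.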