fix and tests

2025-04-22 02:02:29 +00:00 · 2020-04-23 16:26:28 -04:00 · 2020-04-23 16:26:28 -04:00 · fbd137758a
commit fbd137758a
parent ab10999b09
2 changed files with 54 additions and 0 deletions
--- a/tests/basics.test.ts
+++ b/tests/basics.test.ts
@ -179,6 +179,50 @@ describe('basics', () => {
    done()
  })

+  it('does not pass auth with diff hostname redirects', async done => {
+    let headers = {
+      "accept": "application/json",
+      "authorization": "shhh"
+    }
+    let res: httpm.HttpClientResponse = await _http.get(
+      'https://httpbin.org/redirect-to?url=' +
+        encodeURIComponent('https://www.httpbin.org/get'),
+        headers
+    )
+
+    expect(res.message.statusCode).toBe(200)
+    let body: string = await res.readBody()
+    let obj: any = JSON.parse(body)
+    // httpbin "fixes" the casing
+    expect(obj.headers["Authorization"]).toBeUndefined()
+    expect(obj.headers["authorization"]).toBeUndefined()
+    expect(obj.url).toBe('https://www.httpbin.org/get')
+
+    done()
+  })
+  
+  it('does not pass Auth with diff hostname redirects', async done => {
+    let headers = {
+      "Accept": "application/json",
+      "Authorization": "shhh"
+    }
+    let res: httpm.HttpClientResponse = await _http.get(
+      'https://httpbin.org/redirect-to?url=' +
+        encodeURIComponent('https://www.httpbin.org/get'),
+        headers
+    )
+
+    expect(res.message.statusCode).toBe(200)
+    let body: string = await res.readBody()
+    let obj: any = JSON.parse(body)
+    // httpbin "fixes" the casing
+    expect(obj.headers["Authorization"]).toBeUndefined()
+    expect(obj.headers["authorization"]).toBeUndefined()
+    expect(obj.url).toBe('https://www.httpbin.org/get')
+
+    done()
+  })  
+
  it('does basic head request', async done => {
    let res: httpm.HttpClientResponse = await _http.head(
      'http://httpbin.org/get'
--- a/index.ts
+++ b/index.ts
@ -386,6 +386,16 @@ export class HttpClient {
        // which will leak the open socket.
        await response.readBody()

+        // strip authorization header if redirected to a different hostname
+        if (parsedRedirectUrl.hostname !== parsedUrl.hostname) {
+          for(let header in headers){
+            // header names are case insensitive
+            if (header.toLowerCase() === "authorization") {
+              delete headers[header] 
+            }
+          }
+        }
+
        // let's make the request with the new redirectUrl
        info = this._prepareRequest(verb, parsedRedirectUrl, headers)
        response = await this.requestRaw(info, data)