Skip to content
This repository has been archived by the owner on May 3, 2022. It is now read-only.

Commit

Permalink
fix and tests
Browse files Browse the repository at this point in the history
  • Loading branch information
bryanmacfarlane committed Apr 23, 2020
1 parent ab10999 commit fbd1377
Show file tree
Hide file tree
Showing 2 changed files with 54 additions and 0 deletions.
44 changes: 44 additions & 0 deletions __tests__/basics.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -179,6 +179,50 @@ describe('basics', () => {
done()
})

it('does not pass auth with diff hostname redirects', async done => {
let headers = {
"accept": "application/json",
"authorization": "shhh"
}
let res: httpm.HttpClientResponse = await _http.get(
'https://httpbin.org/redirect-to?url=' +
encodeURIComponent('https://www.httpbin.org/get'),
headers
)

expect(res.message.statusCode).toBe(200)
let body: string = await res.readBody()
let obj: any = JSON.parse(body)
// httpbin "fixes" the casing
expect(obj.headers["Authorization"]).toBeUndefined()
expect(obj.headers["authorization"]).toBeUndefined()
expect(obj.url).toBe('https://www.httpbin.org/get')

done()
})

it('does not pass Auth with diff hostname redirects', async done => {
let headers = {
"Accept": "application/json",
"Authorization": "shhh"
}
let res: httpm.HttpClientResponse = await _http.get(
'https://httpbin.org/redirect-to?url=' +
encodeURIComponent('https://www.httpbin.org/get'),
headers
)

expect(res.message.statusCode).toBe(200)
let body: string = await res.readBody()
let obj: any = JSON.parse(body)
// httpbin "fixes" the casing
expect(obj.headers["Authorization"]).toBeUndefined()
expect(obj.headers["authorization"]).toBeUndefined()
expect(obj.url).toBe('https://www.httpbin.org/get')

done()
})

it('does basic head request', async done => {
let res: httpm.HttpClientResponse = await _http.head(
'http://httpbin.org/get'
Expand Down
10 changes: 10 additions & 0 deletions index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -386,6 +386,16 @@ export class HttpClient {
// which will leak the open socket.
await response.readBody()

// strip authorization header if redirected to a different hostname
if (parsedRedirectUrl.hostname !== parsedUrl.hostname) {
for(let header in headers){
// header names are case insensitive
if (header.toLowerCase() === "authorization") {
delete headers[header]
}
}
}

// let's make the request with the new redirectUrl
info = this._prepareRequest(verb, parsedRedirectUrl, headers)
response = await this.requestRaw(info, data)
Expand Down

0 comments on commit fbd1377

Please sign in to comment.