reqwest
Error on Removal of Authorization Headers on Redirect Follow
This line causes incompatibility with curl and/or any other REST client: https://github.com/seanmonstar/reqwest/blob/ae2d5216649c9be04074e7ae2c37b129e8768470/src/async_impl/client.rs#L1996
Upon redirect it removes the Authorization header if the referrer is not the same as the URL. And it breaks some of the API endpoints that require the Authorization header.
Version
reqwest 0.11 rust 1.63.0
I've debugged it and the problem with this is the cross_host with the condition checking ports. On some API endpoints which upgrade the transport protocol, the previous provides port 80 (insecure) and the next provides port 443 (secure).
https://github.com/seanmonstar/reqwest/blob/c6eb2c4fcbc3934b119772e0997d91671ff68dc7/src/redirect.rs#L237
```
Check =>
Some(
    443,
)
Some(
    80,
)
```
Do other tools not compare the ports? I honestly can't remember right now.
I've checked on curl and Postman; they allow authorization headers on the endpoint I was checking. I'm not sure if they do compare the ports :/
@seanmonstar upon checking the Python psf/requests library, here is the code: https://github.com/psf/requests/blob/2a6f290bc09324406708a4d404a88a45d848ddf9/requests/sessions.py#L137
```python
# Special case: allow http -> https redirect when using the standard
# ports. This isn't specified by RFC 7235, but is kept to avoid
# breaking backwards compatibility with older versions of requests
# that allowed any redirects on the same host.
```
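The host-and-port comparison debugged above and the http -> https special case quoted from requests can be put side by side. This is an added example, not code from reqwest or requests; `Target`, `strip_strict` and `strip_with_upgrade_exception` are hypothetical names and the sample hosts are constructed.

```rust
// Added example: models the two redirect policies discussed in this thread.
// All names here are hypothetical, not reqwest's or requests' API.
#[derive(Debug, Clone, PartialEq)]
struct Target {
    scheme: &'static str,
    host: &'static str,
    port: Option<u16>, // None = no explicit port in the URL
}

impl Target {
    /// Explicit port, or the scheme's well-known default.
    fn effective_port(&self) -> Option<u16> {
        self.port.or(match self.scheme {
            "http" => Some(80),
            "https" => Some(443),
            _ => None,
        })
    }
}

/// Strict policy: any change of host or effective port drops credentials.
fn strip_strict(prev: &Target, next: &Target) -> bool {
    !prev.host.eq_ignore_ascii_case(next.host)
        || prev.effective_port() != next.effective_port()
}

/// Strict policy plus the single exception described in the requests comment:
/// same host, http on its standard port -> https on its standard port.
fn strip_with_upgrade_exception(prev: &Target, next: &Target) -> bool {
    let upgrade = prev.host.eq_ignore_ascii_case(next.host)
        && prev.scheme == "http"
        && next.scheme == "https"
        && prev.effective_port() == Some(80)
        && next.effective_port() == Some(443);
    !upgrade && strip_strict(prev, next)
}

fn main() {
    // Constructed sample redirects.
    let http = Target { scheme: "http", host: "api.example.com", port: None };
    let https = Target { scheme: "https", host: "api.example.com", port: None };
    let other = Target { scheme: "https", host: "cdn.example.net", port: None };
    for (p, n) in [(&http, &https), (&https, &http), (&https, &other)] {
        println!("{}://{} -> {}://{}: strict={} upgrade_exception={}",
            p.scheme, p.host, n.scheme, n.host,
            strip_strict(p, n), strip_with_upgrade_exception(p, n));
    }
}
```

The exception is one-directional: an https -> http downgrade, a non-standard port, or a different host still drops the Authorization header under both policies.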