axios auth does not seem to be propagated on redirect in 1.15.4+ #243

Open
kevkcc opened this issue Jan 27, 2024 · 6 comments
kevkcc commented Jan 27, 2024

I am seeing this issue as described in axios/axios#6179

This looks to be a regression in 1.15.4, as both workflows below work in 1.15.3. Whereas in 1.15.4+,

Basically this would return 401 after the redirect as the auth options don't seem to be propagated.

await axios.get('url_that_returns_301_and_then_redirects',
        { 
            auth: { 
                username: 'username',
                password: 'password'
            }
        });

whereas this works and returns 200:

await axios.get('url_that_redirects_and_returns_301',
        {
            headers: {
                'Authorization': 'Basic base64_encoding_of_username_password',
            },
        });

Through debugging, I can confirm it gets lost because the below works:

await axios.get('url_that_redirects_and_returns_301',
        { 
            auth: { 
                username: 'username',
                password: 'password'
            },
            beforeRedirect: (opts, res) => {
                 opts.auth = 'base64_encoding_of_username_password'
            }
        });
@RubenVerborgh RubenVerborgh self-assigned this Jan 29, 2024
@RubenVerborgh
Collaborator

That shouldn't be the case indeed!

Are you sure it's not an HTTP/HTTPS redirect issue as in #192?

@kevkcc
Author

kevkcc commented Jan 29, 2024

Yea it shouldn't be an HTTP/HTTPS redirect issue. Both URLs for my case are HTTPS. And even so, it looks like you fixed the issue in 1.14.9 and I'm seeing a broken workflow between 1.15.3 and 1.15.4.

@ThibaudCrespin

Hi! Any updates on this issue? I'm facing the same problem with both URLs in HTTPS...

@RubenVerborgh
Collaborator

It's on the backlog; current funds are too limited to put a dedicated person on this. I'm trying on a best-effort basis.

@GabrielScotaEE

I was getting the same problem with version 1.15.2 (also tried 1.15.3 and 1.15.6) on a login request where the POST request to make the login is a redirectable request, returning a 302 status (if I disable redirects). But if redirects are enabled, I'm getting a 200 response but the login was not successful.
After some time searching for what's happening, I found that in the redirect, the session cookies were not being set, so I got a redirect to the login page again. To fix it I had to disable redirects and check the response status; if it's in the 300 range, I get the response cookies, add them to the headers, and finally make the redirect request.

@kevkcc
Author

kevkcc commented Mar 28, 2024

Yes, if you manually pass in the headers, it will work as I had originally reported (tapping into axios' beforeRedirect handler). Nevertheless, that is only a workaround and this is still a clear regression happening in 1.15.4+. As 1.15.4+ fixes vulnerability CVE-2023-26159, it would be great if this could be fixed and released such that we get a version of this library with both the vulnerability fix and no serious regression.
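
The manual workaround described in the comments above (disable automatic redirects, inspect the 3xx response, then issue the follow-up request yourself), as an added example that is not part of this thread and is not this project's or axios's code. The helper `planRedirect` is hypothetical, and the URLs and cookie are constructed sample values; it forwards Basic auth and cookies only when the redirect stays on the same origin.

```javascript
// Added example; planRedirect and all sample values are hypothetical/constructed.
// prev: { url, method, headers, auth?: { username, password } }
// res:  { status, headers: { location, 'set-cookie'?: string[] } }
function planRedirect(prev, res) {
  if (res.status < 300 || res.status >= 400 || !res.headers.location) return null;
  const from = new URL(prev.url);
  const to = new URL(res.headers.location, from); // Location may be relative
  const sameOrigin = from.origin === to.origin;   // scheme + host + port

  // 303 always becomes GET; 301/302 turn a POST into a GET, as browsers do.
  const toGet = res.status === 303 ||
    ((res.status === 301 || res.status === 302) && prev.method === 'POST');

  const headers = {};
  for (const [name, value] of Object.entries(prev.headers || {})) {
    const n = name.toLowerCase();
    if (n === 'host') continue;                       // recomputed for the new URL
    if (!sameOrigin && (n === 'authorization' || n === 'cookie')) continue;
    if (toGet && n.startsWith('content-')) continue;  // the body is dropped too
    headers[n] = value;
  }
  if (sameOrigin) {
    if (prev.auth && !headers.authorization) {
      const pair = `${prev.auth.username}:${prev.auth.password}`;
      headers.authorization = 'Basic ' + Buffer.from(pair).toString('base64');
    }
    // Keep only name=value; a real client should use a cookie jar that
    // honours Domain, Path, Secure and expiry.
    const fresh = (res.headers['set-cookie'] || []).map((c) => c.split(';')[0].trim());
    const cookie = [headers.cookie, ...fresh].filter(Boolean).join('; ');
    if (cookie) headers.cookie = cookie;
  }
  return { url: to.href, method: toGet ? 'GET' : prev.method, headers, sameOrigin };
}

// Constructed sample: a login POST answered with a 302 and a session cookie.
const samplePrev = {
  url: 'https://app.example.test/login', method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  auth: { username: 'username', password: 'password' },
};
const sampleRes = {
  status: 302,
  headers: { location: '/home', 'set-cookie': ['sid=abc123; Path=/; HttpOnly'] },
};
console.log(planRedirect(samplePrev, sampleRes));
```

The returned object can be passed to a second request made with automatic redirects still disabled, repeating until `planRedirect` returns `null` or a hop limit is reached.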
