From c78f1248413e733ec34b2a293cace2dacdc922bf Mon Sep 17 00:00:00 2001
From: Konstantin Kopachev
Date: Wed, 27 Jan 2021 22:07:21 -0800
Subject: [PATCH] Remove curl auth on cross-domain redirects without BC break
---
 src/RedirectMiddleware.php | 17 +++++++++++------
 tests/RedirectMiddlewareTest.php | 2 +-
 2 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/src/RedirectMiddleware.php b/src/RedirectMiddleware.php
index 888a7d52e..89c06526b 100644
--- a/src/RedirectMiddleware.php
+++ b/src/RedirectMiddleware.php
@@ -88,6 +88,16 @@ public function checkRedirect(RequestInterface $request, array $options, Respons
 $this->guardMax($request, $response, $options);
 $nextRequest = $this->modifyRequest($request, $options, $response);
 
+ // If authorization is handled by curl, unset it if host is different.
+ if ($request->getUri()->getHost() !== $nextRequest->getUri()->getHost()
+ && defined('\CURLOPT_HTTPAUTH')
+ ) {
+ unset(
+ $options['curl'][\CURLOPT_HTTPAUTH],
+ $options['curl'][\CURLOPT_USERPWD]
+ );
+ }
+
 if (isset($options['allow_redirects']['on_redirect'])) {
 ($options['allow_redirects']['on_redirect'])(
 $request,
@@ -148,7 +158,7 @@ private function guardMax(RequestInterface $request, ResponseInterface $response
 }
 }
 
- public function modifyRequest(RequestInterface $request, array &$options, ResponseInterface $response): RequestInterface
+ public function modifyRequest(RequestInterface $request, array $options, ResponseInterface $response): RequestInterface
 {
 // Request modifications to apply.
 $modify = [];
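Review bot: The guard added to checkRedirect decides on `getHost()` alone, so a redirect that keeps the host but changes scheme or port (for example an https-to-http downgrade) leaves `CURLOPT_HTTPAUTH` and `CURLOPT_USERPWD` in `$options['curl']`. If those options are then used for the follow-up request, the credentials would be offered to a different origin, possibly over cleartext. Consider treating a change of scheme or port as cross-origin as well, e.g. also comparing `$request->getUri()->getScheme()` with `$nextRequest->getUri()->getScheme()`, and apply the same test to the `Authorization` header removal in modifyRequest. checkRedirect continues past the end of this hunk, so how `$options` is forwarded is not visible here.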
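Review bot: With `$options` back to pass-by-value, the public `modifyRequest` strips only the `Authorization` header; the curl credential options are now cleared solely in checkRedirect. A subclass or caller that invokes `modifyRequest` directly and then reuses its own `$options` gets no curl-auth removal, which the signature does not make obvious. A short docblock would cover it, e.g. `Does not modify $options; callers must drop curl auth options themselves when the redirect leaves the original host.` The method body runs beyond this hunk.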
@@ -191,11 +201,6 @@ public function modifyRequest(RequestInterface $request, array &$options, Respon
 // Remove Authorization header if host is different.
 if ($request->getUri()->getHost() !== $modify['uri']->getHost()) {
 $modify['remove_headers'][] = 'Authorization';
-
- // If authorization is handled by curl, unset it too
- if (defined('\CURLOPT_HTTPAUTH') && defined('\CURLOPT_USERPWD')) {
- unset($options['curl'][\CURLOPT_HTTPAUTH], $options['curl'][\CURLOPT_USERPWD]);
- }
 }
 
 return Psr7\Utils::modifyRequest($request, $modify);
diff --git a/tests/RedirectMiddlewareTest.php b/tests/RedirectMiddlewareTest.php
index b904e0e5c..1e0841a27 100644
--- a/tests/RedirectMiddlewareTest.php
+++ b/tests/RedirectMiddlewareTest.php
@@ -306,7 +306,7 @@ static function (RequestInterface $request) {
 */
 public function testRemoveCurlAuthorizationOptionsOnRedirect($auth)
 {
- if (!defined('\CURLOPT_HTTPAUTH') || !defined('\CURLOPT_USERPWD')) {
+ if (!defined('\CURLOPT_HTTPAUTH')) {
 self::markTestSkipped('ext-curl is required for this test');
 }
 