Adding redirectLocationTrusted option to retain authorization header on redirect domain change

README.md

@@ -781,6 +781,7 @@ The first argument can be either a `url` or an `options` object. The only requir
 - `followAllRedirects` - follow non-GET HTTP 3xx responses as redirects (default: `false`)
 - `followOriginalHttpMethod` - by default we redirect to HTTP method GET. you can enable this property to redirect to the original HTTP method (default: `false`)
 - `maxRedirects` - the maximum number of redirects to follow (default: `10`)
+- `redirectLocationTrusted` - if a redirect causes a domain change then the authorization header is, by default, prevented from being sent to the new location. If this option is set to true then the authorization header will be retained.
 - `removeRefererHeader` - removes the referer header when a redirect happens (default: `false`). **Note:** if true, referer header set in the initial request is preserved during redirect chain.
 
 ---

lib/redirect.js

@@ -14,6 +14,7 @@ function Redirect (request) {
   this.redirects = []
   this.redirectsFollowed = 0
   this.removeRefererHeader = false
+  this.redirectLocationTrusted = false
 }
 
 Redirect.prototype.onRequest = function (options) {
@@ -40,6 +41,9 @@ Redirect.prototype.onRequest = function (options) {
   if (options.followOriginalHttpMethod !== undefined) {
     self.followOriginalHttpMethod = options.followOriginalHttpMethod
   }
+  if (options.redirectLocationTrusted !== undefined) {
+    self.redirectLocationTrusted = options.redirectLocationTrusted
+  }
 }
 
 Redirect.prototype.redirectTo = function (response) {
@@ -131,9 +135,11 @@ Redirect.prototype.onResponse = function (response) {
       request.removeHeader('host')
       request.removeHeader('content-type')
       request.removeHeader('content-length')
-      if (request.uri.hostname !== request.originalHost.split(':')[0]) {
-        // Remove authorization if changing hostnames (but not if just
-        // changing ports or protocols).  This matches the behavior of curl:
+      if (request.uri.hostname !== request.originalHost.split(':')[0] &&
+        !self.redirectLocationTrusted) {
+        // Unless specifically set via 'redirectLocationTrusted' remove any authorization
+        // if changing hostnames (but not if just changing ports or protocols).
+        // This matches the behavior of curl:
         // https://github.com/bagder/curl/blob/6beb0eee/lib/http.c#L710
         request.removeHeader('authorization')
       }

tests/test-redirect-auth.js

@@ -5,6 +5,7 @@ var request = require('../index')
 var util = require('util')
 var tape = require('tape')
 var destroyable = require('server-destroy')
+var extend = require('extend')
 
 var s = server.createServer()
 var ss = server.createSSLServer()
@@ -66,9 +67,10 @@ function handleRequests (srv) {
 handleRequests(s)
 handleRequests(ss)
 
-function runTest (name, redir, expectAuth) {
+function runTest (name, redir, additionalOpts, expectAuth) {
   tape('redirect to ' + name, function (t) {
-    request(redir.src, function (err, res, body) {
+    var opts = extend({url: redir.src}, additionalOpts)
+    request(opts, function (err, res, body) {
       t.equal(err, null)
       t.equal(res.request.uri.href, redir.dst)
       t.equal(res.statusCode, 200)
@@ -83,19 +85,33 @@ function runTest (name, redir, expectAuth) {
 function addTests () {
   runTest('same host and protocol',
     redirect.from('http', 'localhost').to('http', 'localhost'),
+    {},
     true)
 
   runTest('same host different protocol',
     redirect.from('http', 'localhost').to('https', 'localhost'),
+    {},
     true)
 
   runTest('different host same protocol',
     redirect.from('https', '127.0.0.1').to('https', 'localhost'),
+    {},
     false)
 
   runTest('different host and protocol',
     redirect.from('http', 'localhost').to('https', '127.0.0.1'),
+    {},
     false)
+
+  runTest('different host same protocol, redirectLocationTrusted enabled',
+    redirect.from('https', '127.0.0.1').to('https', 'localhost'),
+    {redirectLocationTrusted: true},
+    true)
+
+  runTest('different host and protocol, redirectLocationTrusted enabled',
+    redirect.from('http', 'localhost').to('https', '127.0.0.1'),
+    {redirectLocationTrusted: true},
+    true)
 }
 
 tape('setup', function (t) {