Redirect with authorization credentials to same host for relative paths

jnunemaker · May 6, 2020 · 01534e5 · 01534e5
1 parent 0986ff3
commit 01534e5
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/lib/httparty/request.rb b/lib/httparty/request.rb
@@ -299,7 +299,7 @@ def handle_response(body, &block)
     def handle_host_redirection
       check_duplicate_location_header
       redirect_path = options[:uri_adapter].parse(last_response['location']).normalize
-      return if redirect_path.relative? || path.host == redirect_path.host
+      return if redirect_path.relative? || path.host == redirect_path.host || uri.host == redirect_path.host
       @changed_hosts = true
     end
 

diff --git a/spec/httparty/request_spec.rb b/spec/httparty/request_spec.rb
@@ -1313,6 +1313,20 @@
         @request.send(:setup_raw_request)
         expect(@request.instance_variable_get(:@raw_request)['authorization']).to eq(@authorization)
       end
+
+      context 'when uri path is a relative path' do
+        before do
+          @request.path = '/v1'
+          @request.options[:base_uri] = 'http://api.foo.com'
+        end
+
+        it "should send Authorization header when redirecting to the same host" do
+          @redirect['location'] = 'http://api.foo.com/v2'
+          @request.perform
+          @request.send(:setup_raw_request)
+          expect(@request.instance_variable_get(:@raw_request)['authorization']).to eq(@authorization)
+        end
+      end
     end
   end