httpie / cli

🥧 HTTPie CLI — modern, user-friendly command-line HTTP client for the API era. JSON support, colors, sessions, downloads, plugins & more.
https://httpie.io
BSD 3-Clause "New" or "Revised" License

Can't suppress Authorization header #666

Open rherrick opened 6 years ago

rherrick commented 6 years ago

I'm testing a REST API function that destroys user sessions in our application. As part of this, I need to be able to make requests as a user whose sessions have been destroyed, using the session ID of one of the now-invalid sessions. The problem is that I can't reference the session without httpie re-authorizing the user credentials through the Authorization header. I added 'Authorization;' as specified in the documentation, but it has no effect (the code below uses " around the header, but I also tried ' as a delimiter with the same result):

```
$ http --verbose --session=user1 server/rest/function "Authorization;"
GET /rest/function HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Authorization: Basic cGVvbjpwZW9u
Connection: keep-alive
Cookie: JSESSIONID=19F568677E4B5F6C7A8F1671109853D2; SESSION_EXPIRATION_TIME="1522268454340,900000"
Host: xnatdev.xnat.org
User-Agent: HTTPie/0.9.9

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Security-Policy: frame-ancestors 'self'
Content-Type: application/json
Date: Wed, 28 Mar 2018 20:24:46 GMT
Proxy-Connection: Keep-alive
Server: nginx/1.10.3 (Ubuntu)
Set-Cookie: SESSION_EXPIRATION_TIME="1522268686695,900000"; Version=1; Path=/
Transfer-Encoding: chunked
Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
```

I understand the session preserves the auth credentials but it seems that should be suppressed if the header is specified to be sent as empty. It would also be nice to simply be able to exclude a particular header, e.g. "-Authorization" or something similar which would completely omit that header from the request rather than pass the header with no value.

jonchun commented 6 years ago

This behavior is expected for the Authorization header. httpie is using the Requests library internally, so certain headers are overwritten as described in this comment here

Most importantly, here:

> Requests has the opposite approach: headers are the lowest source of truth, and we feel quite happy to replace many kinds of headers that the user sets. Some examples:
>
>   • We will replace Authorization headers when an alternative auth source is found.
>   • We will remove Authorization headers when you get redirected off-host.
>   • We will replace Proxy-Authorization headers when you provide proxy credentials in the URL.
>   • We will replace Content-Length headers when we can determine the length of the content.

I found this an interesting problem, so I've made PR https://github.com/jakubroztocil/httpie/pull/673 to address this.

I added a quick plugin to explicitly disable HTTP Authentication. You can use this by setting --auth-type=disabled.
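
Added example, not part of the thread and not the code from the PR: it reproduces the header precedence quoted above with Requests alone, building the request offline and comparing what is sent with stored session credentials against a pass-through auth object. `PassThroughAuth`, `server.example`, the credentials and the cookie value are hypothetical or constructed for illustration.

```python
import requests
from requests.auth import AuthBase


class PassThroughAuth(AuthBase):
    """Hypothetical no-op auth object. It is truthy, so Requests stops looking
    for other credential sources, and it leaves the headers untouched."""

    def __call__(self, request):
        return request


def make_session():
    s = requests.Session()
    s.trust_env = False                          # ignore ~/.netrc and proxy env vars
    s.auth = ("user1", "constructed-password")   # constructed stored credentials
    s.cookies.set("JSESSIONID", "CONSTRUCTED0000")  # constructed session id
    return s


def prepared_headers(session, headers=None, auth=None):
    """Build the request the way Session.send() would, with no network I/O."""
    req = requests.Request("GET", "http://server.example/rest/function",
                           headers=headers, auth=auth)
    return session.prepare_request(req).headers


def demo():
    s = make_session()
    # 1. Empty Authorization header: auth is applied after headers, so the
    #    session's stored credentials replace the empty value.
    replaced = prepared_headers(s, headers={"Authorization": ""})
    # 2. Same header plus pass-through auth: session.auth is not consulted.
    kept_empty = prepared_headers(s, headers={"Authorization": ""},
                                  auth=PassThroughAuth())
    # 3. No header and pass-through auth: only the cookie identifies the caller.
    omitted = prepared_headers(s, auth=PassThroughAuth())
    return replaced, kept_empty, omitted


if __name__ == "__main__":
    for label, hdrs in zip(("replaced", "kept_empty", "omitted"), demo()):
        print(label, repr(hdrs.get("Authorization")), hdrs.get("Cookie"))
```

When testing session invalidation, inspecting the prepared request like this before sending confirms that a 200 response cannot be explained by credentials that were re-sent alongside the stale cookie.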