Closed botan closed 3 months ago
Seems somewhat related to https://github.com/r-lib/httr/issues/626, but in your example the hostname is the same. ... Oh but the protocol is different.
Anyway, I think setting `unrestricted_auth` will solve your problem:
```r
library(httr2)
request("http://httpbin.org/redirect-to?url=https://httpbin.org/bearer") |>
  req_auth_bearer_token("TOKEN") |>
  req_options(unrestricted_auth = 1) |>
  req_perform(verbosity = 1)
```
It sorted out my problem. Thank you very much!
Would you consider setting this behaviour as the default in the future? It's the default for most HTTP clients.
I do not believe it is the default because it is a security risk. I'd need a strong reason to justify overriding this:
> By default, libcurl only sends credentials and Authentication headers to the initial hostname as given in the original URL, to avoid leaking username + password to other sites.
I see your point. I meant to refer to the other popular libraries. For instance, in Python:
```python
>>> import requests
>>> requests.get(
...     "http://httpbin.org/redirect-to?url=https://httpbin.org/bearer",
...     headers={"Authorization": "Bearer TOKEN"},
... ).json()
{'authenticated': True, 'token': 'TOKEN'}
```
```python
>>> import httpx
>>> httpx.get(
...     "http://httpbin.org/redirect-to?url=https://httpbin.org/bearer",
...     headers={"Authorization": "Bearer TOKEN"},
...     follow_redirects=True,
... ).json()
{'authenticated': True, 'token': 'TOKEN'}
```
But I appreciate the security concerns. Thanks again!
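The trade-off discussed in this thread, as an added example that is not code from httr2, libcurl, or any participant: a redirect policy that keeps the `Authorization` header only while the redirect stays on the same host, with the http to https upgrade on default ports as the one permitted scheme change. The function names, the policy itself, and the sample redirect chain (including `other.example`) are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def keep_auth(old_url, new_url):
    """Decide whether credentials may follow a redirect (hypothetical policy)."""
    old_scheme, old_host, old_port = origin(old_url)
    new_scheme, new_host, new_port = origin(new_url)
    if old_host != new_host:
        return False  # different site: never forward credentials
    if (old_scheme, old_port) == (new_scheme, new_port):
        return True  # same origin
    # Only permitted scheme change: plain HTTP upgraded to HTTPS on default ports.
    return (old_scheme, old_port, new_scheme, new_port) == ("http", 80, "https", 443)


def headers_per_hop(chain, headers):
    """Walk a redirect chain and return the headers sent to each URL."""
    current = dict(headers)
    sent = [(chain[0], dict(current))]
    for old_url, new_url in zip(chain, chain[1:]):
        if "Authorization" in current and not keep_auth(old_url, new_url):
            current.pop("Authorization")  # dropped for this hop and all later ones
        sent.append((new_url, dict(current)))
    return sent


if __name__ == "__main__":
    # Constructed chain: the thread's http -> https hop, then a different host.
    chain = [
        "http://httpbin.org/redirect-to?url=https://httpbin.org/bearer",
        "https://httpbin.org/bearer",
        "https://other.example/collect",
    ]
    for url, hdrs in headers_per_hop(chain, {"Authorization": "Bearer TOKEN"}):
        print(url, "->", "auth sent" if "Authorization" in hdrs else "auth stripped")
```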
Thank you for the fantastic package!
I'm having issues when sending requests with authentication headers if the server redirects the request since `req_perform()` clears the authentication header. I'm not sure if this is a bug or a security feature, but it is inconvenient for use cases where users trust the redirection targets. It would be great if users could explicitly specify `req_perform(preserve_auth = TRUE)` to maintain the authentication state during redirects, with the default being `FALSE` if needed for security reasons.