-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
url.resolve auth behavior if host does *not* change #8165
Comments
I'll take a look shortly! |
This is due to issue #1435 fixed in PR #1480 The fix however never takes in to account the case when host does not actually change - thus leading to this bug. at https://github.com/nodejs/node/blob/master/lib/url.js#L782 if (relative.host || relative.host === '') {
result.host = relative.host;
result.auth = null;
}
if (relative.hostname || relative.hostname === '') {
result.hostname = relative.hostname;
result.auth = null;
} Should be: if (relative.host || relative.host === '') {
if ( result.host !== relative.host ) result.auth = null;
result.host = relative.host;
}
if (relative.hostname || relative.hostname === '') {
if ( result.hostname !== relative.hostname ) result.auth = null;
result.hostname = relative.hostname;
} I've implemented a fix and a test case for this. @jasnell I'd be happy to provide a PR if you feel the solution is acceptable. |
Ok, I found this comment which suggests that However, they're even more lenient than your patch @imyller:
(both Chromium and Firefox) That is, it looks like in the browser, the |
@uhoh-itsmaciek Good point. Different port, different service, different auth - possibly. But I think the parameters are reversed in your example: It's If it is more correct, I can modify the PR to preserve I'd like to hear @jasnell 's feedback and throughts on this first. |
Oh great catch. Sorry, I'm relatively new to JS. Just for the record, this is the output with the correct invocation (again, both Chromium and FF):
Which is, I believe, how your patch handles this. It might make sense to add test cases to cover at least some of this to codify the expected behavior, but yeah, I defer to @jasnell. |
I won't open a PR until I'm sure we are on the right path here, but you can preview the changes at imyller@5cbab64 Test case for this is included in |
Right, I saw the basic test case you added; I meant we should test that same-hostname-different-port does strip out auth--that does not seem to be covered right now. |
Actually I've already found a separate bug with Currently adding that port changing test will fail for unrelated reasons to this I'd assume fixing two things in single PR is not encouraged. |
Fixes: nodejs#8165 Signed-off-by: Ilkka Myller <ilkka.myller@nodefield.com>
Fixes: nodejs#8165 PR-URL: nodejs#8215 Reviewed-By: James M Snell <jasnell@gmail.com>
#1480 was noted as a breaking change in node 6, but it looks like this also strips out auth information for cases where the host does not change:
As far as I can tell, these cases are not covered by the tests, so I'm not sure if this change is intentional, and it seems heavy-handed if so. This seems to be responsible for the issue I ran into in
follow-redirects
and I think it means thatfollow-redirects
in its current state is broken on node 6. I'd like to figure out if the proper place to fix this is here or infollow-redirects
.The text was updated successfully, but these errors were encountered: