fix: don't re-stamp bearer token on a cross-origin-redirect 401

A cross-origin redirect re-issue reaches the AUTH stage stripped of its
Authorization header and tagged with the internal cross-origin marker, so
the stage forwards it credential-free. If the foreign host answered that
request with a 401 + WWW-Authenticate, the challenge hook unconditionally
re-stamped Authorization: Bearer <token> onto the server-chosen host and
re-drove it through the chain — leaking the caller's token cross-origin and
bypassing the HTTPS guard, which only the first pass through process()
enforces.

The challenge hook now returns null (surfacing the 401 unchanged) when the
rejected request carried no Authorization header, since that only happens
when the AUTH stage deliberately suppressed stamping. Route the bearer
header value through a single bearerHeaderValue() helper shared by stamping
and the eviction match so the two cannot drift, and document that a subclass
customizing the header format must override it. Add a test for a
cross-origin-marked request that 401s.

Author: OmarAlJarrah

sdk-core/api/sdk-core.api

@@ -756,6 +756,7 @@ public class org/dexpace/sdk/core/http/pipeline/steps/BearerTokenAuthStep : org/
 	public synthetic fun <init> (Lorg/dexpace/sdk/core/http/auth/BearerTokenProvider;Ljava/util/List;Ljava/time/Duration;Lorg/dexpace/sdk/core/util/Clock;ILkotlin/jvm/internal/DefaultConstructorMarker;)V
 	protected fun authorizeRequest (Lorg/dexpace/sdk/core/http/request/Request;)Lorg/dexpace/sdk/core/http/request/Request;
 	protected fun authorizeRequestOnChallenge (Lorg/dexpace/sdk/core/http/request/Request;Lorg/dexpace/sdk/core/http/response/Response;)Lorg/dexpace/sdk/core/http/request/Request;
+	protected fun bearerHeaderValue (Ljava/lang/String;)Ljava/lang/String;
 }
 
 public final class org/dexpace/sdk/core/http/pipeline/steps/DefaultAsyncInstrumentationStep : org/dexpace/sdk/core/http/pipeline/AsyncHttpStep {

sdk-core/src/main/kotlin/org/dexpace/sdk/core/http/pipeline/steps/BearerTokenAuthStep.kt

@@ -51,6 +51,11 @@ import kotlin.concurrent.withLock
  * method (the in-step hook is not gated by retry-safety), so a non-idempotent POST is
  * re-authenticated too.
  *
+ * A request that reaches the challenge hook carrying **no** `Authorization` header is a
+ * cross-origin redirect re-issue whose credential the AUTH stage deliberately suppressed
+ * (see [CrossOriginRedirectMarker]). In that case the hook re-stamps nothing and surfaces the
+ * 401 unchanged, so the caller's token is never attached to a server-chosen foreign host.
+ *
  * ## Errors from [provider]
  *
  *  - Throws → propagated. The exception is **not** cached, so a subsequent request
@@ -62,7 +67,9 @@ import kotlin.concurrent.withLock
  *
  * Eviction-on-401 is built in. Users wanting to customise challenge handling further (e.g.
  * inspect the `WWW-Authenticate` scheme before deciding to refresh) can override
- * [authorizeRequestOnChallenge].
+ * [authorizeRequestOnChallenge]. A subclass that changes the stamped header format by
+ * overriding [authorizeRequest] must also override [bearerHeaderValue] so the eviction match
+ * keeps recognising the rejected token.
  *
  * Thread-safety: see Caching above.
  * Cancellation: token fetch may block; the [provider] is expected to respect interrupts.
@@ -83,16 +90,24 @@ public open class BearerTokenAuthStep
         override fun authorizeRequest(request: Request): Request {
             val token = currentToken()
             return request.newBuilder()
-                .setHeader(HttpHeaderName.AUTHORIZATION.caseSensitiveName, "Bearer ${token.token}")
+                .setHeader(HttpHeaderName.AUTHORIZATION.caseSensitiveName, bearerHeaderValue(token.token))
                 .build()
         }
 
         /**
          * On a 401 challenge, evict the token that was just rejected and re-stamp [request]
          * with a freshly fetched one so [AuthStep]'s single retry carries a new credential.
          *
-         * Eviction is scoped to the exact token that produced the 401 (matched against the
-         * `Authorization` header [request] carried): if a concurrent request already refreshed
+         * Returns `null` — surfacing the 401 unchanged with no retry — when [request] carried no
+         * `Authorization` header. A request reaches this hook credential-free only when the AUTH
+         * stage deliberately suppressed stamping, i.e. a cross-origin redirect re-issue (see
+         * [CrossOriginRedirectMarker]). Re-stamping there would attach the caller's bearer token
+         * to a server-chosen foreign host and re-drive it through the chain, leaking the token
+         * cross-origin and bypassing the HTTPS guard that only [AuthStep.process]'s first pass
+         * enforces. Refusing to re-stamp preserves that suppression.
+         *
+         * Otherwise eviction is scoped to the exact token that produced the 401 (matched against
+         * the `Authorization` header [request] carried): if a concurrent request already refreshed
          * the cache, that newer token is preserved and reused for the retry rather than being
          * discarded. The subsequent [currentToken] call then re-fetches only when the cache is
          * actually empty, so a 401 storm across threads still funnels through the same
@@ -101,26 +116,38 @@ public open class BearerTokenAuthStep
         override fun authorizeRequestOnChallenge(
             request: Request,
             response: Response,
-        ): Request {
-            evictRejectedToken(request.headers.get(HttpHeaderName.AUTHORIZATION))
+        ): Request? {
+            // No credential on the rejected request means stamping was suppressed (cross-origin
+            // redirect). Do not re-attach one: surface the 401 unchanged.
+            val rejectedHeader = request.headers.get(HttpHeaderName.AUTHORIZATION) ?: return null
+            evictRejectedToken(rejectedHeader)
             return authorizeRequest(request)
         }
 
         /**
          * Clears [cachedToken] iff it is still the token whose stamped header is [rejectedHeader].
          * Guarded by the same [lock] as the refresh path so the read-compare-clear is atomic
-         * against a concurrent refresh.
+         * against a concurrent refresh. Routes the comparison through [bearerHeaderValue] so it
+         * stays in lock-step with the value [authorizeRequest] stamps.
          */
-        private fun evictRejectedToken(rejectedHeader: String?) {
-            if (rejectedHeader == null) return
+        private fun evictRejectedToken(rejectedHeader: String) {
             lock.withLock {
                 val current = cachedToken ?: return
-                if ("Bearer ${current.token}" == rejectedHeader) {
+                if (bearerHeaderValue(current.token) == rejectedHeader) {
                     cachedToken = null
                 }
             }
         }
 
+        /**
+         * The `Authorization` header value for [token]. Single source of truth shared by
+         * [authorizeRequest] (stamping) and [evictRejectedToken] (the eviction match), so the two
+         * never drift. A subclass that overrides [authorizeRequest] to emit a different header
+         * format must override this too, or eviction will stop matching and a rejected token will
+         * be re-fetched but never cleared.
+         */
+        protected open fun bearerHeaderValue(token: String): String = "Bearer $token"
+
         private fun currentToken(): BearerToken {
             // Fast path: lock-free volatile read; return the cached token if it's still valid.
             cachedToken?.takeIf { !it.isExpiredAt(clock.now(), refreshMargin) }?.let { return it }

sdk-core/src/test/kotlin/org/dexpace/sdk/core/http/pipeline/steps/BearerTokenAuthStepTest.kt

@@ -26,6 +26,7 @@ import kotlin.test.Test
 import kotlin.test.assertEquals
 import kotlin.test.assertFailsWith
 import kotlin.test.assertNotNull
+import kotlin.test.assertNull
 import kotlin.test.assertTrue
 
 class BearerTokenAuthStepTest {
@@ -293,6 +294,43 @@ class BearerTokenAuthStepTest {
         assertEquals(2, fetches.get())
     }
 
+    @Test
+    fun `cross-origin-marked request that 401s is surfaced unchanged without stamping a token`() {
+        // A cross-origin redirect re-issue is stripped of its Authorization header and tagged
+        // with the internal marker, so it reaches the foreign host with no credential. If that
+        // host 401s, the challenge path must NOT stamp the caller's bearer token onto the
+        // foreign host (that would leak the token cross-origin and bypass the HTTPS/cross-origin
+        // suppression). The 401 must surface unchanged with no token fetch.
+        val fetches = AtomicInteger(0)
+        val provider =
+            BearerTokenProvider { _, _ ->
+                BearerToken("token-${fetches.incrementAndGet()}", futureExpiry)
+            }
+        val fake =
+            FakeHttpClient()
+                .enqueue { status(401).header("WWW-Authenticate", "Bearer realm=\"x\"") }
+        val pipeline =
+            HttpPipelineBuilder(fake)
+                .append(BearerTokenAuthStep(provider, listOf("scope"), clock = clock))
+                .build()
+
+        // Mimic DefaultRedirectStep's cross-origin re-issue: no Authorization, marker present.
+        val markedRequest =
+            Request.builder()
+                .method(Method.GET)
+                .url("https://foreign.example.org/resource")
+                .addHeader(CrossOriginRedirectMarker.MARKER_HEADER, CrossOriginRedirectMarker.MARKER_VALUE)
+                .build()
+
+        val response = pipeline.send(markedRequest)
+
+        assertEquals(401, response.status.code, "the cross-origin 401 must surface unchanged")
+        assertEquals(1, fake.callCount, "no retry: the credential-free request must not be re-stamped")
+        assertEquals(0, fetches.get(), "no token must be fetched for a credential-free cross-origin request")
+        // The (single) request that reached the foreign host carried no Authorization header.
+        assertNull(fake.requests.single().headers.get(HttpHeaderName.AUTHORIZATION))
+    }
+
     // ---- Helpers ----
 
     private fun getRequest(): Request =