fix: preserve auth header across multi-hop redirect chains

mnriem · mnriem · commit 105f03b3d0e1 · 2026-04-28T16:56:27.000-05:00
- Read Authorization from both headers and unredirected_hdrs in
  _StripAuthOnRedirect to survive multi-hop chains within allowed hosts
- Add test_multi_hop_redirect_within_hosts_preserves_auth
- 1832 tests passing
diff --git a/src/specify_cli/authentication/http.py b/src/specify_cli/authentication/http.py
@@ -54,7 +54,10 @@ def __init__(self, hosts: tuple[str, ...]) -> None:
         self._hosts = hosts
 
     def redirect_request(self, req, fp, code, msg, headers, newurl):
-        original_auth = req.get_header("Authorization")
+        original_auth = (
+            req.get_header("Authorization")
+            or req.unredirected_hdrs.get("Authorization")
+        )
         new_req = super().redirect_request(req, fp, code, msg, headers, newurl)
         if new_req is not None:
             hostname = (urlparse(newurl).hostname or "").lower()
diff --git a/tests/test_authentication.py b/tests/test_authentication.py
@@ -686,6 +686,29 @@ def test_redirect_outside_hosts_strips_auth(self):
         assert new_req.headers.get("Authorization") is None
         assert new_req.unredirected_hdrs.get("Authorization") is None
 
+    def test_multi_hop_redirect_within_hosts_preserves_auth(self):
+        """Auth survives a multi-hop redirect chain within allowed hosts."""
+        from specify_cli.authentication.http import _StripAuthOnRedirect
+        from urllib.request import Request
+        import io
+        hosts = ("github.com", "codeload.github.com", "objects-origin.githubusercontent.com")
+        handler = _StripAuthOnRedirect(hosts)
+
+        # First hop: github.com → codeload.github.com
+        req1 = Request("https://github.com/org/repo", headers={"Authorization": "Bearer tok"})
+        req2 = handler.redirect_request(req1, io.BytesIO(b""), 302, "Found", {},
+                                        "https://codeload.github.com/org/repo/zip")
+        assert req2 is not None
+        auth2 = req2.get_header("Authorization") or req2.unredirected_hdrs.get("Authorization")
+        assert auth2 == "Bearer tok"
+
+        # Second hop: codeload.github.com → objects-origin.githubusercontent.com
+        req3 = handler.redirect_request(req2, io.BytesIO(b""), 302, "Found", {},
+                                        "https://objects-origin.githubusercontent.com/asset")
+        assert req3 is not None
+        auth3 = req3.get_header("Authorization") or req3.unredirected_hdrs.get("Authorization")
+        assert auth3 == "Bearer tok"
+
 
 # ---------------------------------------------------------------------------
 # _fetch_latest_release_tag delegation
