fix: Avoid auth on cross-origin redirects#4364
Conversation
c2629ca to
a575f64
Compare
alexandear
left a comment
There was a problem hiding this comment.
Could you create an issue first with the problem you're trying to resolve, and once we've confirmed it, we can proceed with a review?
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #4364 +/- ##
=======================================
Coverage 97.51% 97.51%
=======================================
Files 193 193
Lines 19519 19543 +24
=======================================
+ Hits 19033 19057 +24
Misses 269 269
Partials 217 217 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
|
Thanks for the guidance. I opened an issue describing the behavior this PR addresses: I also added focused coverage for the redirect-origin helper so the new behavior is covered more directly. I’m happy to adjust the PR based on the maintainers’ preferred direction. |
gmlewis
left a comment
There was a problem hiding this comment.
Thank you, @huynhtrungcsc!
LGTM with the same comments I made in #4363.
Awaiting second LGTM+Approval from any other contributor to this repo before merging.
gmlewis
left a comment
There was a problem hiding this comment.
Since you added defaultPort (is this function really necessary?!?), your code coverage went down, so if you want to keep it, it needs its own unit test.
|
Added direct unit coverage for Local verification:
|
stevehipwell
left a comment
There was a problem hiding this comment.
I have the same issue with this as I do with #4363, this need further discussion around the actual context rather than a rushed PR.
|
Understood. I agree this belongs in the same broader discussion as #4363 before changing transport behavior. I will pause further implementation changes here as well and use #4365 to clarify the expected redirect/auth boundary first. Once that direction is settled, I can update this PR accordingly or close it if maintainers prefer a different approach. |
Summary
BasicAuthTransportcredentials on cross-origin redirect requests.UnauthenticatedRateLimitedTransportcredentials on cross-origin redirect requests.Fixes #4365