Thank you for the fantastic package! I'm having issues when sending

Seems somewhat related to <a class="issue-link js-issue-link" data-error-text="Failed

Allow users to persist authentication headers during redirects about httr2 HOT 4 CLOSED

botan commented on July 19, 2024

Allow users to persist authentication headers during redirects

from httr2.

Comments (4)

hadley commented on July 19, 2024

Seems somewhat related to r-lib/httr#626, but in your example the hostname is the same. ... Oh but the protocol is different.

Anyway, I think setting unrestrict_auth will solve your problem:

library(httr2)

request("http://httpbin.org/redirect-to?url=https://httpbin.org/bearer") |> 
  req_auth_bearer_token("TOKEN") |> 
  req_options(unrestricted_auth = 1) |> 
  req_perform(verbosity = 1)

from httr2.

botan commented on July 19, 2024

It sorted out my problem. Thank you very much!

Would you consider setting this behaviour as the default in the future? It's the default for most HTTP clients.

from httr2.

hadley commented on July 19, 2024

I do not believe it is the default because it is security risk. I'd need a strong reason to justify overriding this:

By default, libcurl only sends credentials and Authentication headers to the initial hostname as given in the original URL, to avoid leaking username + password to other sites.

from httr2.

botan commented on July 19, 2024

I see your point. I meant to refer to the other popular libraries. For instance, in Python:

>>> import requests
>>> requests.get(
...     "http://httpbin.org/redirect-to?url=https://httpbin.org/bearer",
...     headers={"Authorization": "Bearer TOKEN"},
...     ).json()
{'authenticated': True, 'token': 'TOKEN'}
>>> import httpx
>>> httpx.get(
...     "http://httpbin.org/redirect-to?url=https://httpbin.org/bearer",
...     headers={"Authorization": "Bearer TOKEN"},
...     follow_redirects=True,
...     ).json()
{'authenticated': True, 'token': 'TOKEN'}