Fix problematic retransmission of authentication token #436
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The retransmission of the authentication token to the server providing the artifact caused the following errors when using Artifacts v4: HTTPError: Response code 400 (Authentication information is not given in the correct format. Check the value of Authorization header.) It looks like the service serving the artifacts does not expect the authentication header, and therefore complaines about inproper use of the authentication header.
This was referenced May 4, 2024
|
I also created an alternative solution at #438. While the change is a bit larger, the resulting code looks better to me. |
10 tasks
|
Hi @JojOatXGME, thanks for looking into this. Yes, you are correct, the authentication header must be added only if the new download location has the same domain. The #438 looks good to me. |
|
I will close this one in favor of #438 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Should fix #343 and also fix #363. While taking a short look at the implementation, I was wondering if we are actually supposed to retransmit the authentication header. I took a short look at the API documentation, which reinforced my suspicion by not mentioning any authentication requirements. I therefore just tried to remove the headers from the request, and it worked according to my tests.
Note that the HTTP specification also suggests that you may not want to re-transmit the authentication header. Some google research suggested that you should only re-transmit the header if the target of the redirect is on the same domain.
https://www.rfc-editor.org/rfc/rfc9110.html#section-15.4-6.2.1