net/http: don't overwrite Authorization headers when URL has username
authorSteve Streeting <steve@stevestreeting.com>
Thu, 25 Jun 2015 15:52:51 +0000 (16:52 +0100)
committerRuss Cox <rsc@golang.org>
Fri, 26 Jun 2015 17:32:12 +0000 (17:32 +0000)
Fixes #11399

Change-Id: I3be7fbc86c5f62761f47122632f3e11b56cb6be6
Reviewed-on: https://go-review.googlesource.com/11510
Reviewed-by: Russ Cox <rsc@golang.org>
src/net/http/client.go
src/net/http/client_test.go

index d5e3899fd3062b50cf8a4b789405443c4a574e86..02ac85a1d7e396cf0bdf2978b80d2ce322357ce4 100644 (file)
@@ -212,7 +212,7 @@ func send(req *Request, t RoundTripper) (resp *Response, err error) {
                req.Header = make(Header)
        }
 
-       if u := req.URL.User; u != nil {
+       if u := req.URL.User; u != nil && req.Header.Get("Authorization") == "" {
                username := u.Username()
                password, _ := u.Password()
                req.Header.Set("Authorization", "Basic "+basicAuth(username, password))
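Review bot: The new guard in `send` decides whether the caller supplied credentials with `req.Header.Get("Authorization") == ""`, which cannot tell an absent header from one deliberately set to an empty value; in the second case the URL userinfo is still written over it. If that distinction matters, a presence test such as `_, ok := req.Header["Authorization"]` states the intent more exactly. The precedence rule is also not recorded at the branch, so a one-line comment would help the next reader: `// An explicit Authorization header takes precedence over userinfo in the URL.` The body of `send` starts and ends outside this hunk, so any later handling of the header is not visible here.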
index 12e165a5efaad39c84534e6782728ca909b92f47..10829a77900c5b81f8ba26ad4ba1808f5e50798c 100644 (file)
@@ -843,6 +843,47 @@ func TestBasicAuth(t *testing.T) {
        }
 }
 
+func TestBasicAuthHeadersPreserved(t *testing.T) {
+       defer afterTest(t)
+       tr := &recordingTransport{}
+       client := &Client{Transport: tr}
+
+       // If Authorization header is provided, username in URL should not override it
+       url := "http://My%20User@dummy.faketld/"
+       req, err := NewRequest("GET", url, nil)
+       if err != nil {
+               t.Fatal(err)
+       }
+       req.SetBasicAuth("My User", "My Pass")
+       expected := "My User:My Pass"
+       client.Do(req)
+
+       if tr.req.Method != "GET" {
+               t.Errorf("got method %q, want %q", tr.req.Method, "GET")
+       }
+       if tr.req.URL.String() != url {
+               t.Errorf("got URL %q, want %q", tr.req.URL.String(), url)
+       }
+       if tr.req.Header == nil {
+               t.Fatalf("expected non-nil request Header")
+       }
+       auth := tr.req.Header.Get("Authorization")
+       if strings.HasPrefix(auth, "Basic ") {
+               encoded := auth[6:]
+               decoded, err := base64.StdEncoding.DecodeString(encoded)
+               if err != nil {
+                       t.Fatal(err)
+               }
+               s := string(decoded)
+               if expected != s {
+                       t.Errorf("Invalid Authorization header. Got %q, wanted %q", s, expected)
+               }
+       } else {
+               t.Errorf("Invalid auth %q", auth)
+       }
+
+}
+
 func TestClientTimeout(t *testing.T) {
        if testing.Short() {
                t.Skip("skipping in short mode")
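Review bot: In `TestBasicAuthHeadersPreserved` the result of `client.Do(req)` is discarded and `tr.req` is dereferenced on the next line without a nil check, so if the transport is never reached the test panics instead of reporting a failure. A guard such as `if tr.req == nil { t.Fatal("transport did not record a request") }` before the method check would make that case readable. The URL and `SetBasicAuth` also use the same username ("My User"), so only the password tells the two credential sources apart. A different username in the URL would make the precedence being tested unambiguous. The `auth[6:]` slice could be `strings.TrimPrefix(auth, "Basic ")` to avoid the magic length.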