[NXJS-139] Authorization header is sent when redirecting to a different host - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.7.0
Component/s: Node.js

Tags:
- nxfit
Sprint:
nxfit 10.2.5, nxfit 10.2.6
Story Points:
2

Description

The library we use (node-fetch) does not strip Authorization header when doing a redirect to a different host.
This lead to the following issue:

  ...
  doc
    .fetchBlob()
    .then(res => {
      debug('Downloaded asset', res);
      res.body.pipe(fs.createWriteStream(local_path));
    })
    .catch(err => {
       error('File save err: ', err);
    });

If that code redirects to s3 for instance, we end up with a 400

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>InvalidArgument</Code><Message>Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified</Message><ArgumentName>Authorization</ArgumentName><ArgumentValue>Basic XXXX</ArgumentValue><RequestId>XXXX</RequestId><HostId>XXXX=</HostId></Error>

What could be tried:

Use https://github.com/npm/node-fetch-npm instead, as they handle the strip of Authorization header. See https://github.com/npm/node-fetch-npm/pull/2
See how https://github.com/axios/axios handle that use case

Attachments

Issue Links

is related to

NXMOB-390 File download error on Android

Resolved

Activity

People

Assignee:

Thomas Roger

Reporter:

Thomas Roger

Participants:

Jenkins, Thomas Roger

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

2018-04-10 14:44

Updated:

2018-07-11 15:48

Resolved:

2018-05-22 16:03

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

30m