aleph

2025-07-15T13:29:06.855599Z

I noticed that Aleph’s HTTP client follows redirects by just replacing the URL and possibly the method. It will however keep all other request options, in particular any credentials from the original request. That means that by default, if one sends credentials to an endpoint that responds with a redirect, Aleph will happily send these credentials along. I’m not saying this behaviour is wrong, but I noticed that while debugging this scenario: GitHub’s Asset download REST endpoint requires authentication using a bearer token, and will respond with a 302 to a CDN URL. There seems to be some load balancing between different CDN providers and my redirect sometimes succeeded (AWS) and sometimes failed with 403 Unauthorized (Azure). Turned out that the Azure CDN choked on the access token from the original GitHub API request. So from now on I will make sure to set :follow-redirects false whenever my request contains credentials. I got a bad feeling that this is not the default, so I am sharing it here to hear other people’s opinions 🙂

🤔 1
2025-07-15T13:31:49.163819Z

And of course in my scenario it is slightly annoying that I need to follow the redirect myself. Maybe it would be good to provide some form of hook to modify the redirect request before it is followed? It also did not help with debugging that I had no access to the failed request map when the redirect request threw an exception because of the 403.

dergutemoritz 2025-07-15T14:48:40.366199Z

According to https://datatracker.ietf.org/doc/html/rfc9110#section-15.4 you are right that we should remove Authorization (and also Cookie)

dergutemoritz 2025-07-15T14:48:48.426389Z

Quoting the relevant bit: > Consider removing header fields that were not automatically generated by the implementation (i.e., those present in the request because they were added by the calling context) where there are security implications; this includes but is not limited to Authorization and Cookie.

dergutemoritz 2025-07-15T14:49:24.382609Z

Well, okay, it doesn't say we must do this

dergutemoritz 2025-07-15T14:49:37.466859Z

There could of course also be valid reasons for wanting to preserve them

2025-07-15T14:50:10.400499Z

Yeah, true. I also think most client libs out there would forward all headers

dergutemoritz 2025-07-15T14:50:21.799499Z

So maybe default to the recommended behavior but provide an option for preserving?

dergutemoritz 2025-07-15T14:50:52.349659Z

That section mentions a whole bunch of other things to consider when following redirects which Aleph doesn't really do

dergutemoritz 2025-07-15T14:52:09.835109Z

Called by handle-redirects which does implement some of the method-related semantics

dergutemoritz 2025-07-15T14:52:47.328549Z

I'll file a ticket at least 🙂

1
2025-07-15T14:53:25.997079Z

I was looking at the source code as well 🙂 One could argue that Aleph is not a user agent by itself, so some of the RFC recommendations might not apply here: > Remove header fields that were automatically generated by the implementation A browser might add headers, but Aleph does not, right?

dergutemoritz 2025-07-15T14:54:47.980089Z

Indeed, I think none of those apply

👍 1
dergutemoritz 2025-07-15T15:10:38.141269Z

WDYT: https://github.com/clj-commons/aleph/issues/759

dergutemoritz 2025-07-15T15:11:48.797429Z

Would be interesting to also look at what other clients are doing

dergutemoritz 2025-07-15T15:13:58.125199Z

https://github.com/clj-commons/aleph/issues/759#issuecomment-3074076708 😄

😄 1
2025-07-15T15:14:12.464239Z

I had a quick look at Java’s HTTP Client (OpenJDK). Did not actually run it, but looked at the code. They seem to copy “user headers” as well.

👍 1
dergutemoritz 2025-07-15T15:23:06.642199Z

heh bingo

dergutemoritz 2025-07-15T15:23:33.633739Z

Would you be so kind to also add that to the issue? 🙏

👍 1
dergutemoritz 2025-07-15T15:23:44.617899Z

Had to update my comment about clj-http just now

dergutemoritz 2025-07-15T15:24:05.581319Z

but it still boils down to the same default behavior

dergutemoritz 2025-07-15T15:30:39.716819Z

I probably won't get around to working on this any time soon. Patches welcome, tho 🙂

dergutemoritz 2025-07-15T15:30:57.177589Z

I take it you can live with your workaround for the time being?

2025-07-15T15:31:44.180459Z

Yeah, sure! I can see if I can come up with a patch, but I cannot make promises right now 🙂

🤞 1
2025-07-15T15:33:22.207029Z

Thanks for being so responsive @dergutemoritz — really appreciate it!

dergutemoritz 2025-07-15T15:33:32.747959Z

Happy to provide feedback / rubber ducking

dergutemoritz 2025-07-15T15:33:38.660009Z

You're welcome 🙏

dergutemoritz 2025-07-15T15:33:43.884399Z

Thanks for choosing Aleph ™️ 😄

😄 1