Do not attach authorization header in bearerAuthPlugin if response is…

… a redirect Signed-off-by: carabasdaniel <[email protected]>
open-policy-agent · Jan 24, 2025 · 5414806 · 5414806
1 parent b032e3b
commit 5414806
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/v1/plugins/rest/auth.go b/v1/plugins/rest/auth.go
@@ -126,10 +126,14 @@ type bearerAuthPlugin struct {
 	// encode is set to true for the OCIDownloader because
 	// it expects tokens in plain text but needs them in base64.
 	encode bool
+	logger logging.Logger
 }
 
 func (ap *bearerAuthPlugin) NewClient(c Config) (*http.Client, error) {
 	t, err := DefaultTLSConfig(c)
+
+	ap.logger = c.logger
+
 	if err != nil {
 		return nil, err
 	}
@@ -166,7 +170,12 @@ func (ap *bearerAuthPlugin) Prepare(req *http.Request) error {
 		token = base64.StdEncoding.EncodeToString([]byte(token))
 	}
 
-	req.Header.Add("Authorization", fmt.Sprintf("%v %v", ap.Scheme, token))
+	if req.Response != nil && (req.Response.StatusCode == http.StatusPermanentRedirect || req.Response.StatusCode == http.StatusTemporaryRedirect) {
+		ap.logger.Debug("not attaching authorization header as the response contains a redirect")
+	} else {
+		ap.logger.Debug("attaching authorization header")
+		req.Header.Add("Authorization", fmt.Sprintf("%v %v", ap.Scheme, token))
+	}
 	return nil
 }