I am making a POST request to my Express-based API, and I notice that when I redirect, the authentication header does not get passed on, while any other headers (even nonsense ones) will make it past the redirect. Is this the intended behaviour?
The client makes a POST request
var requestPackage = require('request');

requestPackage.post({
  url: 'API_URL',
  // `auth.bearer` is sent as an `Authorization: Bearer API_TOKEN` header
  auth: {
    bearer: 'API_TOKEN',
  },
  headers: {
    'lorem-ipsum': 'DOLOR SIT AMET',
  },
  json: {
    'nunc tristique felis': 'id fringilla feugiat',
  },
});
and the server performs the redirect (using status code 307 so that the headers get passed through)
var expressRouter = require('express').Router();

expressRouter.post('/API_PATH_ALPHA', function (req, res, next) {
  // Both headers are present on the first request
  console.log({
    customHeader: req.headers['lorem-ipsum'],
    authorization: req.headers.authorization,
  });
  // 307 tells the client to repeat the same method and body against the new location
  return res.redirect(307, '/API_PATH_BETA');
});

expressRouter.post('/API_PATH_BETA', function (req, res, next) {
  console.log({
    customHeader: req.headers['lorem-ipsum'],
    authorization: req.headers.authorization, // undefined
  });
  return res.type('txt').send('Hello');
});
It is your web browser that is not sending the header. The browser does that by design. https://stackoverflow.com/questions/28564961/authorization-header-is-lost-on-redirect
As far as I know there is nothing that can be changed in Express.js or any other web framework to make this work. If you know what specifically we have to change, I'm happy to reopen and make the change.
Hmm, the client isn't actually a browser, it's an iOS app (using NSURLRequest, which I think is the equivalent of curl). I guess I was under the impression that once the request is made, the redirect (passing of headers) is handled completely by the server, but perhaps I was mistaken?
A redirect is not handled by the server. You can use a tool like Wireshark to see how the redirect is working. The server just sends back a response saying to redirect and your client makes a new request to the new location.
You have taught me something Doug, thank you!