fix: preserve authentication headers on same-domain redirects

[jrosskopf]

Summary

Fixes #3 - GENESIS Online data loading issue where GET requests return home page HTML instead of expected API data.

Root cause: httplib's automatic redirect following (set_follow_location(true)) strips Authorization headers on redirects for security, causing authenticated requests to lose credentials after redirects.

Solution: Implement manual redirect handling that:

• Preserves auth headers for same-domain redirects (e.g., Genesis API)
• Strips auth headers for cross-domain redirects (security best practice)
• Handles HTTP 303 See Other by changing method to GET (per HTTP spec)
• Respects configurable max redirects limit (default: 10)
• Fixes relative URL resolution for paths starting with /

Changes

• src/include/http_client.hpp: Add max_redirects to HttpParams, add IsRedirectStatus() helper, add IsSameDomain() to HttpUrl
• src/http_client.cpp: Disable auto-redirects, implement manual redirect loop in SendRequest(), fix relative URL handling

Test Plan

• Build passes: GEN=ninja make debug
• All tests pass: make test_debug (221 assertions, 0 failures)
• Manual test: SELECT status, url FROM http_get('https://httpbin.org/redirect/5'); → returns 200 with final URL
• Auth preservation: SELECT content FROM http_get('https://httpbin.org/redirect-to?url=%2Fheaders', auth := 'token', auth_type := 'BEARER'); → shows Authorization: Bearer token in headers
• Test with Genesis API (requires credentials from issue reporter)

Behavior Summary

Scenario	Behavior
Same-domain redirect (301/302/307/308)	Follow with auth headers preserved
Same-domain 303 See Other	Follow with GET method, auth preserved
Cross-domain redirect	Follow WITHOUT auth headers (security)
Max redirects exceeded	Return last redirect response

---

Note

Implements secure, manual redirect handling and fixes URL merging.

• Handle redirects in HttpClient::SendRequest instead of httplib auto-follow; set_follow_location(false)
• Preserve sensitive headers on same-origin redirects via HttpUrl::IsSameOrigin; strip on cross-origin; resolve Location relative URLs (including leading / paths) correctly
• Change method to GET for 301/302/303; preserve method for 307/308
• Add HttpParams::max_redirects (default 10) and IsRedirectStatus helper
• Update URL merge logic for absolute paths and introduce effective-port origin checks

^{Written by Cursor Bugbot for commit 0a85c75. This will update automatically on new commits. Configure here.}

[cursor]

This is the final PR Bugbot will review for you during this billing cycle

Your free Bugbot reviews will reset on January 15

Details

You are on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle.

To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.

[cursor]

Auth headers leak on redirects to different ports

The IsSameDomain function only compares hostnames, ignoring the port. When a redirect goes from one port to a different port on the same host (e.g., from api.example.com:443 to api.example.com:8080), the Authorization header is preserved. Different ports can host entirely different services with separate access controls, so credentials intended for one service could be leaked to an unrelated service on a different port. The existing HttpUrl::Equals method correctly considers port for URL equality, suggesting this was an oversight.

 

[Copilot]

Pull request overview

This PR implements manual redirect handling to fix authentication issues with the GENESIS Online API. The change addresses cases where automatic redirects were stripping Authorization headers, causing authenticated requests to fail after redirects.

Key changes:

• Added manual redirect handling that preserves auth headers for same-domain redirects while stripping them for cross-domain redirects
• Disabled httplib's automatic redirect following to enable custom redirect logic
• Fixed relative URL resolution to treat paths starting with / as absolute from server root

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 7 comments.

File	Description
src/include/http_client.hpp	Added IsSameDomain() method, max_redirects parameter, and IsRedirectStatus() helper for redirect handling
src/http_client.cpp	Implemented manual redirect loop with auth preservation logic, disabled auto-redirects, and changed URL resolution for absolute paths

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

When stripping authentication on cross-domain redirects, only the Authorization header is removed. However, there are other security-sensitive headers that should also be stripped, such as:

• Cookie / Set-Cookie (may contain session tokens)
• Proxy-Authorization (proxy credentials)
• WWW-Authenticate (authentication challenges)
• Custom auth headers (e.g., X-API-Key, X-Auth-Token)

Consider reviewing and expanding the list of headers to strip on cross-domain redirects for comprehensive security.

Suggested change

	request.headers.erase("Authorization");
	ERPL_TRACE_DEBUG("HTTP_CLIENT", "Cross-domain redirect - removing Authorization header");
	// Remove standard authentication-related headers (case-insensitive)
	static const std::vector<std::string> sensitive_headers = {
	"authorization",
	"proxy-authorization",
	"cookie",
	"set-cookie",
	"www-authenticate"
	};
	std::vector<std::string> headers_to_erase;
	headers_to_erase.reserve(request.headers.size());
	for (const auto &header_kv : request.headers) {
	std::string header_name_lower = header_kv.first;
	std::transform(header_name_lower.begin(), header_name_lower.end(),
	header_name_lower.begin(),
	[](unsigned char c) { return static_cast<char>(std::tolower(c)); });
	bool is_sensitive = std::find(sensitive_headers.begin(), sensitive_headers.end(),
	header_name_lower) != sensitive_headers.end();
	// Also treat common custom auth headers as sensitive
	if (!is_sensitive) {
	if (header_name_lower.rfind("x-api-key", 0) == 0 ||
	header_name_lower.rfind("x-auth-token", 0) == 0 ||
	header_name_lower.find("authorization") != std::string::npos ||
	header_name_lower.find("authenticate") != std::string::npos ||
	header_name_lower.find("token") != std::string::npos) {
	is_sensitive = true;
	}
	}
	if (is_sensitive) {
	headers_to_erase.push_back(header_kv.first);
	}
	}
	for (const auto &name : headers_to_erase) {
	request.headers.erase(name);
	}
	ERPL_TRACE_DEBUG("HTTP_CLIENT",
	"Cross-domain redirect - removed authentication-related headers");

[Copilot]

The IsSameDomain() implementation only compares the host, but should also compare the scheme and port for proper security. Consider this scenario: a redirect from https://example.com:443 to http://example.com:80 would be considered "same domain" and preserve auth headers, but this is a cross-protocol redirect that could expose credentials over an unencrypted connection.

Similarly, redirects between different ports on the same host (e.g., https://example.com:443 to https://example.com:8080) might represent different services and should not automatically preserve auth headers.

Update the implementation to compare scheme and port as well.

Suggested change

	bool HttpUrl::IsSameDomain(const HttpUrl& other) const {
	// Normalize the port, mapping empty ports to scheme defaults where appropriate.
	// This allows "http://example.com" and "http://example.com:80" to be treated as the same,
	// while still distinguishing different explicit ports and different schemes.
	static std::string NormalizePort(const std::string &scheme, const std::string &port) {
	if (!port.empty()) {
	return port;
	}
	auto lower_scheme = ToLower(scheme);
	if (lower_scheme == "http") {
	return "80";
	}
	if (lower_scheme == "https") {
	return "443";
	}
	return port;
	}
	bool HttpUrl::IsSameDomain(const HttpUrl& other) const {
	auto this_scheme = ToLower(scheme);
	auto other_scheme = ToLower(other.scheme);
	if (this_scheme != other_scheme) {
	return false;
	}
	auto this_port = NormalizePort(this_scheme, port);
	auto other_port = NormalizePort(other_scheme, other.port);
	if (this_port != other_port) {
	return false;
	}

[Copilot]

This change in URL resolution behavior for paths starting with / appears to be incorrect and breaks existing test expectations.

Looking at the test at line 98-101 in test/cpp/test_http_client.cpp, when merging base URL https://services.odata.org/v4/northwind/northwind.svc/Customers with relative URL /Customers?$skiptoken='ERNSH', the expected result is https://services.odata.org/v4/northwind/northwind.svc/Customers?$skiptoken='ERNSH'.

However, with this new implementation, a path starting with / is treated as an absolute path from the server root, which would produce https://services.odata.org/Customers?$skiptoken='ERNSH' instead. This is actually the correct behavior according to RFC 3986, but it contradicts the existing test expectations and may break existing functionality.

The PR description mentions "Fixes relative URL resolution for paths starting with /", but the test suite expects the old behavior. Either the test needs to be updated to reflect the correct RFC 3986 behavior, or this code change needs to be reverted.

[Copilot]

The HTTP 301 and 302 redirect handling is incomplete. According to the HTTP specification:

• 301 (Moved Permanently) and 302 (Found): Historically, browsers change POST/PUT/PATCH to GET, but RFC 7231 says the method should be preserved. Most clients follow the historical behavior.
• 307 (Temporary Redirect) and 308 (Permanent Redirect): The method and body MUST be preserved.

Currently, the code:

1. Handles 303 correctly (changes to GET)
2. Doesn't explicitly handle 301/302 method changes
3. Doesn't preserve request body for 307/308

For 301/302 redirects with POST/PUT/PATCH methods, the code should either:

• Change the method to GET and clear the body (matching browser behavior), or
• Document that it preserves the method (deviating from common practice)

For 307/308 redirects, the request body must be preserved even when not changing the method.

[Copilot]

When redirect_count reaches max_redirects, the code falls through to the retry logic or returns the redirect response. This means the final redirect response (e.g., a 301 or 302 status) is returned to the caller instead of an error indicating that max redirects was exceeded.

Consider throwing a more informative error when max redirects is reached, or at minimum, add a debug log message before falling through to indicate that the redirect limit was hit.

Suggested change

	}
	}
	} else if (IsRedirectStatus(status) && redirect_count >= http_params.max_redirects) {
	// Redirect response received, but we have reached the maximum number of redirects
	ERPL_TRACE_DEBUG(
	"HTTP_CLIENT",
	"Max redirects reached (" + std::to_string(http_params.max_redirects) +
	"), not following further redirects");

[Copilot]

The redirect handling logic introduced in this PR lacks test coverage. While the PR description mentions manual testing with httpbin.org endpoints, there are no automated tests for:

1. Redirect status codes (301, 302, 303, 307, 308)
2. Same-domain vs cross-domain redirect behavior
3. Authorization header preservation/stripping
4. HTTP method changes on 303 redirects
5. Max redirect limit enforcement

Consider adding comprehensive test cases to prevent regressions, especially for the security-critical auth header handling.

[Copilot]

When a redirect is followed, the retry counter n_tries is reset to 0. However, this means that if a server keeps responding with retryable errors (408, 429, 503, 504) after redirects, the total number of retries could exceed http_params.retries * (redirect_count + 1).

For example, with 10 max redirects and 3 retries, a pathological server could cause up to 33 retry attempts (3 retries × 11 requests).

Consider whether this is the intended behavior, or if there should be a global retry limit that persists across redirects.

Suggested change

n_tries = 0; // Reset retry counter for the new redirect request

[cursor]

Query strings incorrectly preserved on redirects with absolute paths

The redirect handling uses MergeWithBaseUrlIfRelative which incorrectly inherits query parameters from the original URL when the redirect target has a path but no query. Per RFC 3986, when a redirect has a path (e.g., /v2/data), the query should come from the redirect URL (empty in this case), not inherited from the base. This causes requests like https://api.example.com/v1?token=secret redirecting to /v2 to incorrectly become https://api.example.com/v2?token=secret, potentially leaking sensitive query parameters to unintended endpoints. Before this PR, httplib handled redirects correctly; now the manual handling has this regression.

Additional Locations (1)

• src/http_client.cpp#L855-L856

 

[cursor]

Protocol-relative redirect URLs resolve to wrong host

Protocol-relative URLs (like //other.com/path) in redirect Location headers are incorrectly handled. The check for absolute URLs looks for ://, but protocol-relative URLs lack this pattern. When a redirect returns Location: //other.com/path, the code treats it as a path starting with /, setting the path to //other.com/path while keeping the original host. This produces https://original.com//other.com/path instead of https://other.com/path, causing the request to go to the wrong server entirely. Before this PR, httplib's automatic redirect handling would have resolved these correctly.

Additional Locations (1)

• src/http_client.cpp#L855-L856