feat: improve HTTP redirects behavior

.github/pull_request_template.md

@@ -9,6 +9,6 @@ Bug fixes and new features should include tests whenever possible.
 ##### Checklist
 <!-- Remove items that do not apply. For completed items, change [ ] to [x]. -->
 
-- [ ] `npm test` passes (tip: `npm run lint-fix` can correct most style issues)
+- [ ] `npm test` passes (tip: `npm run lint:fix` can correct most style issues)
 - [ ] tests are included
 - [ ] documentation is changed or added

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "package-lock.json|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2023-11-09T19:29:53Z",
+  "generated_at": "2023-11-27T13:52:22Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -96,7 +96,7 @@
         "hashed_secret": "bc2f74c22f98f7b6ffbc2f67453dbfa99bce9a32",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 97,
+        "line_number": 111,
         "type": "Secret Keyword",
         "verified_result": null
       }

lib/request-wrapper.ts

@@ -1,4 +1,4 @@
-/* eslint-disable class-methods-use-this */
+/* eslint-disable class-methods-use-this, no-restricted-syntax */
 
 /**
  * (C) Copyright IBM Corp. 2014, 2023.
@@ -238,6 +238,20 @@ export class RequestWrapper {
       data = await this.gzipRequestBody(data, headers);
     }
 
+    // Holds the hostname of the current request.
+    // It's used between redirects.
+    let currentHost = new URL(url).hostname;
+
+    // Headers that are considered being safe
+    // and can be copied during HTTP redirects
+    // on the `cloud.ibm.com` namespace.
+    const safeHeaders = {
+      Authorization: headers.Authorization,
+      Cookie: headers.Cookie,
+      Cookie2: headers.Cookie2,
+      'WWW-Authenticate': headers['WWW-Authenticate'],
+    };
+
     const requestParams = {
       url,
       method,
@@ -247,6 +261,21 @@ export class RequestWrapper {
       raxConfig: this.raxConfig,
       responseType: options.responseType || 'json',
       paramsSerializer: { serialize: (params) => stringify(params) },
+      maxRedirects: 10,
+      beforeRedirect: (nextRequest: any) => {
+        if (shouldCopySafeHeadersOnRedirect(currentHost, nextRequest.hostname)) {
+          for (const [name, value] of Object.entries(safeHeaders)) {
+            // Copy the header to the redirected request if it's defined
+            // and not already present.
+            if (value && nextRequest.headers[name] === undefined) {
+              nextRequest.headers[name] = value;
+            }
+          }
+
+          // Update the host for the next redirect.
+          currentHost = nextRequest.hostname;
+        }
+      },
     };
 
     return this.axiosInstance(requestParams).then(
@@ -580,3 +609,8 @@ function ensureJSONResponseBodyIsObject(response: any): any | string {
 
   return dataAsObject;
 }
+
+// Returns true iff safe headers should be copied to a redirected request.
+function shouldCopySafeHeadersOnRedirect(fromHost: string, toHost: string): boolean {
+  return fromHost.endsWith('.cloud.ibm.com') && toHost.endsWith('.cloud.ibm.com');
+}

test/unit/redirect.test.js

@@ -0,0 +1,211 @@
+/**
+ * Copyright 2023 IBM Corp. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+const nock = require('nock');
+const { AxiosError } = require('axios');
+const { NoAuthAuthenticator, BaseService } = require('../../dist');
+
+// Disable real network connections.
+nock.disableNetConnect();
+
+const safeHeaders = {
+  Authorization: 'foo',
+  Cookie: 'baz',
+  Cookie2: 'baz2',
+  'WWW-Authenticate': 'bar',
+};
+
+function initService(url) {
+  const service = new BaseService({
+    authenticator: new NoAuthAuthenticator(),
+    serviceUrl: url,
+  });
+
+  const parameters = {
+    options: {
+      method: 'GET',
+      url: '/',
+      headers: safeHeaders,
+    },
+    defaultOptions: {
+      serviceUrl: url,
+    },
+  };
+
+  return { service, parameters };
+}
+
+describe('Node Core redirects', () => {
+  afterEach(() => {
+    nock.cleanAll();
+  });
+
+  it('should include safe headers within cloud.ibm.com domain', async () => {
+    const url1 = 'http://region1.cloud.ibm.com';
+    const url2 = 'http://region2.cloud.ibm.com';
+
+    const { service, parameters } = initService(url1);
+
+    const scopes = [
+      nock(url1)
+        .matchHeader('Authorization', safeHeaders.Authorization)
+        .matchHeader('Cookie', safeHeaders.Cookie)
+        .matchHeader('Cookie2', safeHeaders.Cookie2)
+        .matchHeader('WWW-Authenticate', safeHeaders['WWW-Authenticate'])
+        .get('/')
+        .reply(302, 'just about to redirect', { Location: url2 }),
+      nock(url2)
+        .matchHeader('Authorization', safeHeaders.Authorization)
+        .matchHeader('Cookie', safeHeaders.Cookie)
+        .matchHeader('Cookie2', safeHeaders.Cookie2)
+        .matchHeader('WWW-Authenticate', safeHeaders['WWW-Authenticate'])
+        .get('/')
+        .reply(200, 'successfully redirected'),
+    ];
+
+    const result = await service.createRequest(parameters);
+    expect(result.result).toBe('successfully redirected');
+    expect(result.status).toBe(200);
+
+    // Ensure all mocks satisfied.
+    scopes.forEach((s) => s.done());
+  });
+
+  it('should exclude safe headers from cloud.ibm.com to not cloud.ibm.com domain', async () => {
+    const url1 = 'http://region1.cloud.ibm.com';
+    const url2 = 'http://region2.notcloud.ibm.com';
+
+    const { service, parameters } = initService(url1);
+
+    const scopes = [
+      nock(url1)
+        .matchHeader('Authorization', safeHeaders.Authorization)
+        .matchHeader('Cookie', safeHeaders.Cookie)
+        .matchHeader('Cookie2', safeHeaders.Cookie2)
+        .matchHeader('WWW-Authenticate', safeHeaders['WWW-Authenticate'])
+        .get('/')
+        .reply(302, 'just about to redirect', { Location: url2 }),
+      nock(url2)
+        .matchHeader('Authorization', (val) => val === undefined)
+        .matchHeader('Cookie', (val) => val === undefined)
+        .matchHeader('Cookie2', safeHeaders.Cookie2)
+        .matchHeader('WWW-Authenticate', safeHeaders['WWW-Authenticate'])
+        .get('/')
+        .reply(200, 'successfully redirected'),
+    ];
+
+    const result = await service.createRequest(parameters);
+
+    expect(result.result).toBe('successfully redirected');
+    expect(result.status).toBe(200);
+
+    // Ensure all mocks satisfied.
+    scopes.forEach((s) => s.done());
+  });
+
+  it('should exclude safe headers from not cloud.ibm.com to cloud.ibm.com domain', async () => {
+    const url1 = 'http://region2.notcloud.ibm.com';
+    const url2 = 'http://region1.cloud.ibm.com';
+
+    const { service, parameters } = initService(url1);
+
+    const scopes = [
+      nock(url1)
+        .matchHeader('Authorization', safeHeaders.Authorization)
+        .matchHeader('Cookie', safeHeaders.Cookie)
+        .matchHeader('Cookie2', safeHeaders.Cookie2)
+        .matchHeader('WWW-Authenticate', safeHeaders['WWW-Authenticate'])
+        .get('/')
+        .reply(302, 'just about to redirect', { Location: url2 }),
+      nock(url2)
+        .matchHeader('Authorization', (val) => val === undefined)
+        .matchHeader('Cookie', (val) => val === undefined)
+        .matchHeader('Cookie2', safeHeaders.Cookie2)
+        .matchHeader('WWW-Authenticate', safeHeaders['WWW-Authenticate'])
+        .get('/')
+        .reply(200, 'successfully redirected'),
+    ];
+
+    const result = await service.createRequest(parameters);
+
+    expect(result.result).toBe('successfully redirected');
+    expect(result.status).toBe(200);
+
+    // Ensure all mocks satisfied.
+    scopes.forEach((s) => s.done());
+  });
+
+  it('should exclude safe headers from not cloud.ibm.com to not cloud.ibm.com domain', async () => {
+    const url1 = 'http://region1.notcloud.ibm.com';
+    const url2 = 'http://region2.notcloud.ibm.com';
+
+    const { service, parameters } = initService(url1);
+
+    const scopes = [
+      nock(url1)
+        .matchHeader('Authorization', safeHeaders.Authorization)
+        .matchHeader('Cookie', safeHeaders.Cookie)
+        .matchHeader('Cookie2', safeHeaders.Cookie2)
+        .matchHeader('WWW-Authenticate', safeHeaders['WWW-Authenticate'])
+        .get('/')
+        .reply(302, 'just about to redirect', { Location: url2 }),
+      nock(url2)
+        .matchHeader('Authorization', (val) => val === undefined)
+        .matchHeader('Cookie', (val) => val === undefined)
+        .matchHeader('Cookie2', safeHeaders.Cookie2)
+        .matchHeader('WWW-Authenticate', safeHeaders['WWW-Authenticate'])
+        .get('/')
+        .reply(200, 'successfully redirected'),
+    ];
+
+    const result = await service.createRequest(parameters);
+
+    expect(result.result).toBe('successfully redirected');
+    expect(result.status).toBe(200);
+
+    // Ensure all mocks satisfied.
+    scopes.forEach((s) => s.done());
+  });
+
+  it('should fail due to exhaustion', async () => {
+    const scopes = [];
+    for (let i = 1; i <= 11; i++) {
+      scopes.push(
+        nock(`http://region${i}.cloud.ibm.com`)
+          .matchHeader('Authorization', safeHeaders.Authorization)
+          .matchHeader('Cookie', safeHeaders.Cookie)
+          .matchHeader('Cookie2', safeHeaders.Cookie2)
+          .matchHeader('WWW-Authenticate', safeHeaders['WWW-Authenticate'])
+          .get('/')
+          .reply(302, 'just about to redirect', { Location: `http://region${i + 1}.cloud.ibm.com` })
+      );
+    }
+
+    const { service, parameters } = initService('http://region1.cloud.ibm.com');
+
+    let result;
+    let error;
+    try {
+      result = await service.createRequest(parameters);
+    } catch (err) {
+      error = err;
+    }
+
+    expect(result).toBeUndefined();
+    expect(error).not.toBeUndefined();
+    expect(error.statusText).toBe(AxiosError.ERR_FR_TOO_MANY_REDIRECTS);
+  });
+});