Skip to content

Proxy bypassed when URL contains username with empty password #324

New issue
New issue
Closed
#327
Closed
Proxy bypassed when URL contains username with empty password#324
#327
Assignees
barjin
Labels
bugSomething isn't working.t-toolingIssues with this label are in the ownership of the tooling team.
@bliuchak

Description

@bliuchak
bliuchak
opened on Nov 27, 2025

Version: 0.7.1 (impit-node)

When proxyUrl has a username with an empty password (e.g., http://user:@host:port), Impit silently bypasses the proxy and makes a direct connection instead.

Up to my investigation, this should be a bug on reqwest library. However it's possible to make a fix on impit side too.

Expected

Proxy should be used with Proxy-Authorization header containing the username.

Actual

Direct connection is made, proxy is completely bypassed.

Example

const { Impit } = require('impit');
const http = require('node:http');

async function main() {
    // Simple proxy that logs requests
    let proxyHit = false;
    const proxy = http.createServer((req, res) => {
        proxyHit = true;
        res.writeHead(200);
        res.end('OK');
    });
    await new Promise((r) => proxy.listen(0, '127.0.0.1', r));
    const proxyPort = proxy.address().port;

    // Test: username with empty password
    const impit = new Impit({
        proxyUrl: `http://user:@127.0.0.1:${proxyPort}`,
    });

    await impit.fetch('http://httpbin.org/get').catch(() => {});

    console.log('Proxy was used:', proxyHit); // Expected: true, Actual: false

    proxy.close();
}

main();

Metadata

Metadata

Assignees

Labels

bugSomething isn't working.t-toolingIssues with this label are in the ownership of the tooling team.

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions