Issue mentioned and followed up at: https://github.com/r-lib/httr/issues/626 and https://community.rstudio.com/t/possible-to-drop-authentication-header-on-redirects-in-httr/44358
This issue happens when:
- httr sends a GET call to a URL which requires an "Authorization" header
- the API constructs a redirect to a pre-signed URL which is returned as the response to the original GET request, for which no authentication is required
- the httr client sends the same "Authorization" header on the redirect URL as it did on the URL of the original GET call
- a 401 is returned because the bearer token is not valid for the redirect URL
It seems that "Authorization" headers should not be sent when a redirect is followed. But this is a common issue even in e.g. browsers (so this might be broader than httr): Authorization header when following redirects
The following example works (http redirect to https), but requires writing a function separate from httr. Can httr handle this type of use case directly, or is it best practice to write custom wrappers for this?
Example (adapted from https://github.com/r-lib/httr/issues/626):
```r
library(httr)

# Ensure curl version is higher than 7.58: https://curl.se/docs/CVE-2018-1000007.html
curl::curl_version()$version

# Call URL without following to redirect
resp <- GET(
  "http://github.com",
  config(followlocation = FALSE),
  authenticate("user", "pwd", type = "basic")
)

# Check response of URL, which contains the redirect within the location field
resp
redirected_url <- headers(resp)[["location"]]

# Call redirect URL without authentication
resp_redirect <- GET(redirected_url)
```
Console outputs:
```
> curl::curl_version()$version
[1] "7.60.0"
> resp
Response [http://github.com/]
Date: 2022-08-24 09:11
Status: 301
Content-Type: <unknown>
<EMPTY BODY>
> redirected_url
[1] "https://github.com/"
> resp_redirect
Response [https://github.com/]
Date: 2022-08-24 09:12
Status: 200
Content-Type: text/html; charset=utf-8
Size: 301 kB
```
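One way to write such a wrapper, as an added example that is not part of the original post and not httr's own code: it follows redirects by hand and attaches the bearer token only while the target keeps the scheme, host and port of the first URL. The names `origin_of`, `get_without_auth_leak` and `fake_fetch` and the `example.test` hosts are hypothetical, the stubbed responses are constructed so the demo runs offline, and the `xml2` package is assumed to be installed.

```r
library(httr)

# Hypothetical helper: origin = scheme + host + port, default ports filled in.
origin_of <- function(url) {
  p <- parse_url(url)
  scheme <- tolower(p$scheme)
  port <- if (is.null(p$port)) switch(scheme, http = "80", https = "443", "") else p$port
  paste0(scheme, "://", tolower(p$hostname), ":", port)
}

# Hypothetical wrapper: automatic redirects are disabled and each hop is
# requested explicitly, so the headers can be chosen per hop.
get_without_auth_leak <- function(url, token, max_redirects = 5,
    fetch = function(u, hdrs)
      GET(u, config(followlocation = FALSE), add_headers(.headers = hdrs))) {
  trusted <- origin_of(url)
  for (hop in 0:max_redirects) {
    same <- identical(origin_of(url), trusted)
    hdrs <- if (same) c(Authorization = paste("Bearer", token)) else character()
    resp <- fetch(url, hdrs)
    location <- resp$headers[["location"]]
    if (!resp$status_code %in% c(301, 302, 303, 307, 308) || is.null(location)) {
      return(resp)
    }
    url <- xml2::url_absolute(location, url)  # Location may be relative
  }
  stop("more than ", max_redirects, " redirects")
}

# Constructed stand-in for the API and the pre-signed storage host; it records,
# per requested URL, whether an Authorization header was attached.
seen <- list()
fake_fetch <- function(u, hdrs) {
  seen[[u]] <<- "Authorization" %in% names(hdrs)
  if (grepl("api.example.test", u, fixed = TRUE)) {
    list(status_code = 302L,
         headers = list(location = "https://storage.example.test/obj?sig=CONSTRUCTED"))
  } else {
    list(status_code = 200L, headers = list())
  }
}
resp <- get_without_auth_leak("https://api.example.test/file/1", "TOKEN", fetch = fake_fetch)
str(seen)  # one entry per hop: was the token sent to that URL?
```

Because the comparison includes the scheme, an http to https upgrade on the same host also drops the header, as in the example from the post; omitting `fetch` uses the real `GET()`.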