Move auth rebuild to its own method.
authorCory Benfield <lukasaoz@gmail.com>
Wed, 12 Mar 2014 19:22:11 +0000 (19:22 +0000)
committerCory Benfield <lukasaoz@gmail.com>
Wed, 12 Mar 2014 19:22:11 +0000 (19:22 +0000)
requests/sessions.py

index 425db22ca6fbe6e422b1e6dd61f9185915adf372..4c24984eb781f2ceae8f7ac1ef498e0c24e0498b 100644 (file)
@@ -154,19 +154,7 @@ class SessionRedirectMixin(object):
             prepared_request._cookies.update(self.cookies)
             prepared_request.prepare_cookies(prepared_request._cookies)
 
-            if 'Authorization' in headers:
-                # If we get redirected to a new host, we should strip out any
-                # authentication headers.
-                original_parsed = urlparse(resp.request.url)
-                redirect_parsed = urlparse(url)
-
-                if (original_parsed.hostname != redirect_parsed.hostname):
-                    del headers['Authorization']
-
-            # .netrc might have more auth for us.
-            new_auth = get_netrc_auth(url) if self.trust_env else None
-            if new_auth is not None:
-                prepared_request.prepare_auth(new_auth)
+            self.rebuild_auth(prepared_request, resp)
 
             resp = self.send(
                 prepared_request,
@@ -183,6 +171,31 @@ class SessionRedirectMixin(object):
             i += 1
             yield resp
 
+    def rebuild_auth(self, prepared_request, response):
+        """
+        When being redirected we may want to strip authentication from the
+        request to avoid leaking credentials. This method intelligently removes
+        and reapplies authentication where possible to avoid credential loss.
+        """
+        headers = prepared_request.headers
+        url = prepared_request.url
+
+        if 'Authorization' in headers:
+            # If we get redirected to a new host, we should strip out any
+            # authentication headers.
+            original_parsed = urlparse(response.request.url)
+            redirect_parsed = urlparse(url)
+
+            if (original_parsed.hostname != redirect_parsed.hostname):
+                del headers['Authorization']
+
+        # .netrc might have more auth for us on our new host.
+        new_auth = get_netrc_auth(url) if self.trust_env else None
+        if new_auth is not None:
+            prepared_request.prepare_auth(new_auth)
+
+        return
+
 
 class Session(SessionRedirectMixin):
     """A Requests session.
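Review bot: The strip condition in `rebuild_auth` compares only `hostname`, so a redirect to the same host over a different scheme or port (for example from https to plain http) keeps the `Authorization` header, which can put the credential on the wire in clear text or hand it to a different service on that host. Consider comparing scheme and port as well, e.g. `if (original_parsed.scheme, original_parsed.hostname, original_parsed.port) != (redirect_parsed.scheme, redirect_parsed.hostname, redirect_parsed.port):`, with an explicit allowance for an http-to-https upgrade on default ports if that case should keep its credentials. The docstring could also say that the method mutates `prepared_request` in place and that .netrc credentials for the new host are applied only when `trust_env` is set; the trailing bare `return` is redundant.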