Don't pass GH auth header when following redirects for release assets

2021-12-07 12:34:55 -08:00 · 2021-12-07 12:34:55 -08:00 · 6d9bf802e2
commit 6d9bf802e2
parent 703e8e626d
1 changed files with 17 additions and 1 deletions
--- a/crates/server/src/github.rs
+++ b/crates/server/src/github.rs
@ -208,9 +208,25 @@ impl RepoClient {
                "Authorization",
                self.installation_token_header(false).await?,
            );
-        let client = surf::client().with(surf::middleware::Redirect::new(5));
+
+        let client = surf::client();
        let mut response = client.send(request).await?;

+        // Avoid using `surf::middleware::Redirect` because that type forwards
+        // the original request headers to the redirect URI. In this case, the
+        // redirect will be to S3, which forbids us from supplying an
+        // `Authorization` header.
+        if response.status().is_redirection() {
+            if let Some(url) = response.header("location") {
+                let request = surf::get(url.as_str()).header("Accept", "application/octet-stream");
+                response = client.send(request).await?;
+            }
+        }
+
+        if !response.status().is_success() {
+            Err(anyhow!("failed to fetch release asset {} {}", tag, name))?;
+        }
+
        Ok(response.take_body())
    }