From 6d9bf802e2e2749fba12b508124ff30cb4667f13 Mon Sep 17 00:00:00 2001
From: Max Brunsfeld
Date: Tue, 7 Dec 2021 12:34:55 -0800
Subject: [PATCH] Don't pass GH auth header when following redirects for release assets
---
 crates/server/src/github.rs | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/crates/server/src/github.rs b/crates/server/src/github.rs
index c7122b6e10..e5bcb45f30 100644
--- a/crates/server/src/github.rs
+++ b/crates/server/src/github.rs
@@ -208,9 +208,25 @@ impl RepoClient {
 "Authorization",
 self.installation_token_header(false).await?,
 );
- let client = surf::client().with(surf::middleware::Redirect::new(5));
+
+ let client = surf::client();
 let mut response = client.send(request).await?;
+ // Avoid using `surf::middleware::Redirect` because that type forwards
+ // the original request headers to the redirect URI. In this case, the
+ // redirect will be to S3, which forbids us from supplying an
+ // `Authorization` header.
+ if response.status().is_redirection() {
+ if let Some(url) = response.header("location") {
+ let request = surf::get(url.as_str()).header("Accept", "application/octet-stream");
+ response = client.send(request).await?;
+ }
+ }
+
+ if !response.status().is_success() {
+ Err(anyhow!("failed to fetch release asset {} {}", tag, name))?;
+ }
+
 Ok(response.take_body())
 }
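Review bot: The `location` value from the first response goes into `surf::get(url.as_str())` unchecked, so a relative or malformed value is not turned into an error here (surf's one-off constructors are, as far as I recall, documented to panic on a URL they cannot parse), and nothing requires the target to be `https`. Parsing the header into a URL first and returning an `anyhow!` error unless it is an absolute `https` URL would keep the asset download on a TLS-protected path now that redirect handling is done by hand. Only one hop is followed, where the removed `Redirect::new(5)` allowed five, so a second redirect ends in the generic failure; adding the status to that message, e.g. `anyhow!("failed to fetch release asset {} {}: {}", tag, name, response.status())`, would make that case diagnosable. The enclosing function starts outside the hunk.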