Would it be possible to add a config override to disable the strip-auth feature host check? (i.e. something like preserveAuthorizationOnRedirect?)
Our setup rewrites the HTTP request host and port using a bunch of custom routing logic which involves many aspects of the original request (host, path, control headers), and we have some internal endpoints which return 307 redirects to the un-rewritten service domain host (i.e. internal.services.myco). This code relies on the old behavior of 2.12.3, which propagated the authorization header when following the redirect.
Alternatively, if I could configure some mechanism to allow auth propagation on redirects (i.e. Function<org.asynchttpclient.uri.Uri, Boolean>) I could pass in ((uri) -> uri.getHost().endsWith(".services.myco")).
I understand this change was put in place to remediate a CVE, but in our case these particular HTTP clients are specially configured as "internal-only".
In the meantime I'm exploring a workaround with a ResponseFilter; will post an update with my findings.
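An added example, not part of the original post and not AsyncHttpClient code: one way the host-suffix predicate proposed above could be written so that it fails closed when deciding whether the Authorization header follows a redirect. It uses only `java.net.URI`; the class and method names, the sample URLs, and the rule that credentials never cross an https-to-http downgrade are assumptions of this example.

```java
import java.net.URI;
import java.util.Locale;

/** Hypothetical helper, not an AsyncHttpClient API. */
public final class RedirectAuthPolicy {
    // Suffix from the post. The leading dot keeps "notservices.myco" from matching.
    private static final String TRUSTED_SUFFIX = ".services.myco";

    /** True only if the Authorization header may be sent to the redirect target. */
    static boolean keepAuthorization(URI original, URI target) {
        String host = normalizeHost(target.getHost());
        if (host == null) {
            return false; // no parsable host: fail closed
        }
        String scheme = target.getScheme();
        boolean targetTls = "https".equalsIgnoreCase(scheme);
        if (!targetTls && !"http".equalsIgnoreCase(scheme)) {
            return false; // only http(s) targets are considered
        }
        // Assumption of this example: never carry credentials from https to http.
        if ("https".equalsIgnoreCase(original.getScheme()) && !targetTls) {
            return false;
        }
        return host.endsWith(TRUSTED_SUFFIX);
    }

    // Lower-case and drop one trailing dot so "Internal.Services.MyCo." compares equal.
    private static String normalizeHost(String host) {
        if (host == null || host.isEmpty()) {
            return null;
        }
        String h = host.toLowerCase(Locale.ROOT);
        return h.endsWith(".") ? h.substring(0, h.length() - 1) : h;
    }

    public static void main(String[] args) {
        URI original = URI.create("https://gateway.example/api/v1/jobs"); // constructed
        String[] locations = { // constructed redirect targets
            "https://internal.services.myco/api/v1/jobs",       // plain trusted host
            "https://Internal.Services.MyCo./api/v1/jobs",      // mixed case, trailing dot
            "http://internal.services.myco/api/v1/jobs",        // scheme downgrade
            "https://notservices.myco/",                        // suffix without dot boundary
            "https://internal.services.myco.other.example/",    // trusted name as a prefix
            "https://internal.services.myco@other.example/",    // trusted name in userinfo
        };
        for (String location : locations) {
            URI target = original.resolve(location);
            System.out.println(keepAuthorization(original, target) + "  " + target);
        }
    }
}
```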