Add authorization header handling in proxy middleware

v1k45 · v1k45 · commit 1361789eec5a · 2025-06-03T18:50:17.000+05:30
- Implemented logic to pass the Authorization header to the target if the proxy URL includes user credentials.
- Added unit tests to verify behavior for both scenarios: with and without user credentials in the proxy URL.
diff --git a/middleware/proxy.go b/middleware/proxy.go
@@ -430,5 +430,16 @@ func proxyHTTP(tgt *ProxyTarget, c echo.Context, config ProxyConfig) http.Handle
 	}
 	proxy.Transport = config.Transport
 	proxy.ModifyResponse = config.ModifyResponse
+
+	// Handle authorization from target URL
+	if tgt.URL.User != nil {
+		originalDirector := proxy.Director
+		proxy.Director = func(req *http.Request) {
+			originalDirector(req)
+			password, _ := tgt.URL.User.Password()
+			req.SetBasicAuth(tgt.URL.User.Username(), password)
+		}
+	}
+
 	return proxy
 }
diff --git a/middleware/proxy_test.go b/middleware/proxy_test.go
@@ -1040,3 +1040,56 @@ func TestProxyWithConfigWebSocketTLS2NonTLS(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, sendMsg, recvMsg)
 }
+
+func TestProxyWithAuthorizationHeader(t *testing.T) {
+	// Scenario:
+	// A proxy target has user:pass in the url.
+	// The proxy should pass the Authorization header to the target.
+
+	var receivedAuthHeader string
+	// Arrange
+	t1 := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		receivedAuthHeader = r.Header.Get("Authorization")
+		fmt.Fprint(w, "target 1")
+	}))
+	defer t1.Close()
+	url1, _ := url.Parse(t1.URL)
+	url1.User = url.UserPassword("user1", "pass1")
+
+	e := echo.New()
+	tp := &testProvider{}
+	tp.target = &ProxyTarget{Name: "target 1", URL: url1}
+	e.Use(Proxy(tp))
+	rec := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	e.ServeHTTP(rec, req)
+
+	// Assert
+	assert.Equal(t, "target 1", rec.Body.String())
+	assert.Equal(t, "Basic dXNlcjE6cGFzczE=", receivedAuthHeader)
+
+	// Scenario:
+	// A proxy target does not have user:pass in the url.
+	// The proxy should not pass the Authorization header to the target.
+
+	receivedAuthHeader = ""
+	// Arrange
+	t2 := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		receivedAuthHeader = r.Header.Get("Authorization")
+		fmt.Fprint(w, "target 2")
+	}))
+	defer t2.Close()
+	url2, _ := url.Parse(t2.URL)
+
+	e = echo.New()
+	tp = &testProvider{}
+	tp.target = &ProxyTarget{Name: "target 2", URL: url2}
+	e.Use(Proxy(tp))
+	rec = httptest.NewRecorder()
+	req = httptest.NewRequest(http.MethodGet, "/", nil)
+	e.ServeHTTP(rec, req)
+
+	// Assert
+	assert.Equal(t, "target 2", rec.Body.String())
+	assert.Equal(t, "", receivedAuthHeader)
+}
