Error 401 with the 'follow-redirects' library since version 1.15.8

[atjchen]

Describe the bug

Hello

My project uses Axios 1.9.0, and axios includes the following dependency:

"dependencies": { "follow-redirects": "^1.15.6" }

However, when the version of follow-redirects is >= 1.15.8, every POST request that returns a 303 with a Location URI fails with a 401 Unauthorized error.

To fix this, I added an override in my package.json:

"overrides": { "axios": { "follow-redirects": "1.15.7" } }

With this override, POST requests with redirects work correctly.

It looks like there’s a bug introduced in follow-redirects version 1.15.8.

The post in github follow redirects:

follow-redirects/follow-redirects#277

To Reproduce

No response

Code snippet

Expected behavior

No response

Axios Version

1.9.0

Adapter Version

No response

Browser

No response

Browser Version

No response

Node.js Version

20.18.1

OS

No response

Additional Library Versions

Additional context/Screenshots

[adarshmadrecha]

The issue was closed on follow-redirects follow-redirects/follow-redirects#277 and marked as invalid.
So, should this be closed as well?

[atjchen]

I still have the problem if i add in package.json: (version >= 1.15.8)

"overrides": {
"axios": {
"follow-redirects": "1.15.8"
}
},

[atjchen]

someone can help me about this problem?

[Heisen47]

can this issue be assigned to me? I can check it out

[spider-yamet]

Hello @DigitalBrainJS, @jasonsaayman, @JustinBeckwith Hope you are doing great!
Based on my research, I think this issue is still existing on this codebase, I hope to resolve this issue and let me suggest my approach for this and please let me know if I can proceed with this issue resolving.

Executive Summary

Issue: POST requests with auth configuration that receive 303 redirects fail with 401 Unauthorized when using follow-redirects >= 1.15.8.

Status: This is a valid axios issue that needs to be fixed in axios, despite follow-redirects marking the related issue as "invalid". The follow-redirects maintainers' decision actually confirms that axios should handle preserving its own configuration during redirects.

Proposed Solution: Preserve the auth option during redirects using the existing beforeRedirects mechanism, following the same pattern already used for proxy authentication.

---

Why This Issue Still Exists and Needs Fixing

1. Follow-Redirects Marked It as "Invalid" - This Confirms It's an Axios Issue

When follow-redirects maintainers marked issue #277 as "invalid", they were indicating:

• ✅ Not a bug in follow-redirects - The library is working as designed
• ✅ Expected behavior - follow-redirects handles redirects, but consuming libraries (like axios) should preserve their own configuration
• ✅ Axios responsibility - Axios should use the beforeRedirect hook to preserve axios-specific options like auth

This is actually evidence that axios needs to fix this, not a reason to ignore it.

2. User Confirmation: Problem Persists

The original reporter (atjchen) confirmed on June 16, 2025 that the issue still exists even with follow-redirects >= 1.15.8:

"I still have the problem if i add in package.json: (version >= 1.15.8)"

This demonstrates:

• The issue is real and reproducible
• It affects real users
• Current workarounds (pinning to 1.15.7) are not sustainable long-term

3. Code Analysis: Inconsistency in Current Implementation

Location: lib/adapters/http.js

The Problem:

• ✅ Proxy authentication IS preserved during redirects- uses beforeRedirects.proxy
• ❌ Regular authentication is NOT preserved (missing implementation)
• This creates an inconsistent user experience - same mechanism, different outcome

Root Cause:

• Auth is passed to follow-redirects initially
• But beforeRedirects doesn't store it
• dispatchBeforeRedirect doesn't restore it

4. Technical Root Cause

When follow-redirects processes a redirect (especially 303 See Other):

1. Axios passes auth initially
2. follow-redirects calls beforeRedirect hook with new options
3. Missing: dispatchBeforeRedirect doesn't restore the auth option
4. Result: Redirected request lacks authentication → 401 Unauthorized

---

Proposed Solution

Follow the existing proxy pattern to ensure consistency.

File: lib/adapters/http.js

Step 1: Store auth in beforeRedirects

• Add auth to beforeRedirects object (similar to how proxy is stored)

Step 2: Restore auth in dispatchBeforeRedirect

• Check if beforeRedirects.auth exists and restore it if missing

Why This Solution Works

1. ✅ Follows Existing Pattern: Uses the same mechanism as proxy auth preservation
2. ✅ Minimal Changes: Only 2 small code additions
3. ✅ Backward Compatible: Doesn't break existing functionality
4. ✅ Handles Edge Cases: Checks if auth exists before restoring
5. ✅ Works for All Redirect Types: 301, 302, 303, 307, 308

Testing Strategy

Add tests in test/unit/adapters/http.js:

• POST with 303 redirect + auth
• GET with 303 redirect + auth (regression)
• Multiple redirects with auth preserved
• Auth via URL credentials
• Different redirect status codes (302, 303, 307)

---

Implementation Plan

1. Implement fix in lib/adapters/http.js (2 small changes)
2. Add comprehensive tests
3. Verify compatibility with follow-redirects 1.15.7, 1.15.8+, and latest
4. Update CHANGELOG.md

---

**I'm ready to implement this fix and submit a PR with comprehensive tests. **

---

Regards

[devareddy05]

Opened PR: #10929

Fixes config.auth being dropped on same-origin redirects after follow-redirects 1.15.8, which caused the POST → 303 → GET Basic-auth flow to fail with 401 Unauthorized (issue #6929).
Auth is now restored only for same-origin redirects, while cross-origin redirects still drop credentials, preserving the existing T-R2 credential-leak protection.
Implementation follows the existing beforeRedirects.proxy hook pattern.

Happy if this helps 🙂