
fix(http): preserve basic auth on same-origin redirects (#6929) #10929

Merged
jasonsaayman merged 4 commits into axios:v1.x from devareddy05:fix/6929-preserve-basic-auth-same-origin-redirect on May 26, 2026

Conversation

@devareddy05 devareddy05 commented May 21, 2026

Contributor

Summary

config.auth (HTTP Basic credentials) was being lost on every redirect after follow-redirects 1.15.8 — including same-origin POST → 303 → GET, which is the most common Basic-auth redirect pattern and what users in #6929 hit (401 Unauthorized).

This restores auth on the redirected request only when the redirect target shares the original request's origin. Cross-origin redirects continue to drop credentials, so the T-R2 cross-host credential-leak mitigation documented in THREATMODEL.md is preserved.

Implementation mirrors the existing beforeRedirects.proxy pattern (a hook registered alongside beforeRedirects.config and invoked from dispatchBeforeRedirect).

Linked issue

Closes #6929

Changes

  • lib/adapters/http.js: add beforeRedirects.auth hook that re-applies options.auth when the redirect URL's origin matches the original request origin; wire it into dispatchBeforeRedirect. Malformed redirect URLs fall through with auth left stripped (fail-safe).
  • tests/unit/adapters/http.test.js: three new regression tests
  • PRE_RELEASE_CHANGELOG.md: bug-fix entry under Unreleased.

Security notes

  • Same-origin = exact match on URL(redirectOptions.href).origin vs the parsed request URL's origin (protocol + hostname + port). This is the same notion of origin that PR #10892 (fix: custom auth headers not stripped on cross-origin redirects) uses for cross-origin sensitive-header stripping.
  • HTTPS → HTTP downgrade to the same hostname/port is not same-origin (different protocol), so credentials are still dropped on downgrade.
  • No new public API surface; the hook is internal-only (analogous to beforeRedirects.proxy).

Checklist

  • Tests added or updated (or N/A with reason)
  • Docs / types updated if public API changed (index.d.ts and index.d.cts) — N/A, no public API change
  • No breaking changes (or called out explicitly above)

AI-assisted (Claude Opus 4.7); commit subject is one line per author preference, disclosed here. Happy to amend in an Assisted-by: trailer if reviewers prefer.


Summary by cubic

Restores HTTP Basic auth on same-origin redirects in the Node HTTP adapter to prevent 401s introduced by follow-redirects >= 1.15.8. Cross-origin redirects and malformed targets still strip credentials.

  • Description

    • Added beforeRedirects.auth to re-apply options.auth when the redirect URL’s origin matches the original; invoked from dispatchBeforeRedirect.
    • Keeps security behavior: no restore on origin change or HTTPS→HTTP downgrade.
    • Added changelog entry under Bug Fixes.
    • Docs: update /docs/ to clarify Basic auth is restored only on same-origin redirects and not on HTTPS→HTTP.
    • SemVer: patch (bug fix, no public API change).
  • Testing

    • Added unit tests:
      • same-origin 303 POST→GET preserves auth
      • cross-origin 302 strips auth
      • multi-hop same-origin chain preserves auth

Written for commit 62ca77a.
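The restore policy the description lays out (exact origin match restores `options.auth`; a different host, port or scheme, including an HTTPS to HTTP downgrade, leaves credentials stripped; an unparseable redirect target fails safe) can be exercised on its own. The block below is an added, self-contained illustration written for this page; it is not axios or follow-redirects code and does not reproduce the real `beforeRedirects.auth` hook. Every function name, the sample URLs and the `user:password` form of `auth` are assumptions made for the demo. It generalizes the three regression cases listed above to a multi-hop chain where every hop is compared against the origin of the original request.

```javascript
// Added illustration of the same-origin credential-restore policy this PR
// describes. Not axios or follow-redirects code; every name here is invented.

// Origin (protocol + hostname + port) of an absolute URL, or null when the
// string cannot be parsed. A null origin is treated as "strip credentials".
function originOf(href) {
  try {
    return new URL(href).origin;
  } catch {
    return null;
  }
}

// Policy as stated in the PR description:
//   exact origin match                              -> restore Basic credentials
//   different host, port or scheme
//   (incl. HTTPS -> HTTP downgrade to same host:port) -> leave them stripped
//   unparseable redirect target                     -> leave them stripped (fail-safe)
function shouldRestoreAuth(originalHref, redirectHref) {
  const original = originOf(originalHref);
  const target = originOf(redirectHref);
  return original !== null && target !== null && original === target;
}

// Models the hook: follow-redirects (>= 1.15.8) hands over redirect options
// with `auth` already removed; it is put back only when the policy allows.
// `auth` is assumed to be in Node http.request form ("user:password"), the
// shape options.auth carries for Basic credentials in this demo.
function applyRedirectAuthPolicy(originalHref, auth, redirectOptions) {
  const out = { ...redirectOptions };
  delete out.auth; // the post-1.15.8 default: credentials gone on every redirect
  if (shouldRestoreAuth(originalHref, redirectOptions.href)) {
    out.auth = auth;
  }
  return out;
}

// Walk a redirect chain. Each hop is compared against the ORIGINAL request's
// origin (the one the credentials were configured for), not the previous hop's.
// Returns the per-hop decision so it can be inspected or asserted on.
function followChain(originalHref, auth, hops) {
  return hops.map((href) => {
    const opts = applyRedirectAuthPolicy(originalHref, auth, { href, method: 'GET' });
    return { href, authRestored: opts.auth === auth };
  });
}

// Constructed sample input (not taken from the PR or any real service).
const ORIGINAL = 'https://api.example.com:8443/login';
const AUTH = 'alice:s3cret';
const SAMPLE_HOPS = [
  'https://api.example.com:8443/session',  // same origin            -> restored
  'https://api.example.com/session',       // port 443 vs 8443       -> stripped
  'http://api.example.com:8443/session',   // HTTPS -> HTTP downgrade -> stripped
  'https://cdn.example.com:8443/session',  // different host         -> stripped
  'http://[not-a-url',                     // unparseable            -> stripped
];

console.table(followChain(ORIGINAL, AUTH, SAMPLE_HOPS));
```

Two points worth noting when reading the output: `URL.origin` lowercases the hostname and drops an explicit default port, so `https://API.example.com:443/` and `https://api.example.com/` compare equal without any manual normalization, while a non-default port is part of the origin and must match exactly; and the parse failure on the last hop is caught and converted into "do not restore" rather than allowed to throw, which is the fail-safe branch the description calls out.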

@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 3 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.


@devareddy05 devareddy05 force-pushed the fix/6929-preserve-basic-auth-same-origin-redirect branch from 7981262 to 12b11ea on May 23, 2026 19:14
@jasonsaayman jasonsaayman added the priority::medium and commit::fix labels on May 24, 2026
@devareddy05 devareddy05 force-pushed the fix/6929-preserve-basic-auth-same-origin-redirect branch from 12b11ea to 9cdb48d on May 24, 2026 14:32
@devareddy05 devareddy05 force-pushed the fix/6929-preserve-basic-auth-same-origin-redirect branch from 9cdb48d to 3f1b3dd on May 25, 2026 08:05
@jasonsaayman jasonsaayman merged commit 58d8a12 into axios:v1.x May 26, 2026
26 checks passed
jasonsaayman added a commit that referenced this pull request May 28, 2026
* fix(http): preserve basic auth on same-origin redirects (#6929)

* docs(http): address redirect auth review nits

---------

Co-authored-by: Jason Saayman <jasonsaayman@gmail.com>

Labels

  • commit::fix (The PR is related to a bugfix)
  • priority::medium (A medium priority)

Development

Successfully merging this pull request may close these issues.

Error 401 with the 'follow-redirects' library since version 1.15.8

2 participants