From 4e8321af97c9fe1cf645788d077cf67e69c8eef7 Mon Sep 17 00:00:00 2001
From: AJ ONeal <aj@therootcompany.com>
Date: Mon, 20 Apr 2026 09:59:27 -0600
Subject: [PATCH] fix: restore auth stripping on redirect, keyed off AuthHeader

---
 net/httpcache/httpcache.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/net/httpcache/httpcache.go b/net/httpcache/httpcache.go
index 467bf0a..498c9ea 100644
--- a/net/httpcache/httpcache.go
+++ b/net/httpcache/httpcache.go
@@ -121,6 +121,15 @@ func (c *Cacher) Fetch() (updated bool, err error) {
 	}
 
 	client := &http.Client{Timeout: timeout, Transport: transport}
+	if c.AuthHeader != "" {
+		// Strip auth before following any redirect — redirect targets (e.g.
+		// presigned S3/R2 URLs) must not receive our credentials.
+		authHeader := c.AuthHeader
+		client.CheckRedirect = func(req *http.Request, via []*http.Request) error {
+			req.Header.Del(authHeader)
+			return nil
+		}
+	}
 
 	resp, err := client.Do(req)
 	if err != nil {