fix: add removal of auth headers if port changes

src/http/httpClient/Middleware/Options/RedirectHandlerOption.cs

@@ -55,7 +55,7 @@ public int MaxRedirect
 
         /// <summary>
         /// The default implementation for scrubbing sensitive headers during redirects.
-        /// This method removes Authorization and Cookie headers when the host or scheme changes,
+        /// This method removes Authorization and Cookie headers when the host, scheme, or port changes,
         /// and removes ProxyAuthorization headers when no proxy is configured or the proxy is bypassed for the new URI.
         /// </summary>
         /// <param name="request">The HTTP request message to modify.</param>
@@ -68,10 +68,11 @@ public static void DefaultScrubSensitiveHeaders(HttpRequestMessage request, Uri
             if(originalUri == null) throw new ArgumentNullException(nameof(originalUri));
             if(newUri == null) throw new ArgumentNullException(nameof(newUri));
 
-            // Remove Authorization and Cookie headers if http request's scheme or host changes
-            var isDifferentHostOrScheme = !newUri.Host.Equals(originalUri.Host, StringComparison.OrdinalIgnoreCase) ||
-                !newUri.Scheme.Equals(originalUri.Scheme, StringComparison.OrdinalIgnoreCase);
-            if(isDifferentHostOrScheme)
+            // Remove Authorization and Cookie headers if http request's scheme, host, or port changes
+            var isDifferentOrigin = !newUri.Host.Equals(originalUri.Host, StringComparison.OrdinalIgnoreCase) ||
+                !newUri.Scheme.Equals(originalUri.Scheme, StringComparison.OrdinalIgnoreCase) ||
+                newUri.Port != originalUri.Port;
+            if(isDifferentOrigin)
             {
                 request.Headers.Authorization = null;
                 request.Headers.Remove("Cookie");

tests/http/httpClient/Middleware/RedirectHandlerTests.cs

@@ -282,6 +282,74 @@ public async Task RedirectWithSameHostShouldKeepAuthHeader()
             }
         }
 
+        [Theory]
+        [InlineData(HttpStatusCode.MovedPermanently)]  // 301
+        [InlineData(HttpStatusCode.Found)]  // 302
+        [InlineData(HttpStatusCode.TemporaryRedirect)]  // 307
+        [InlineData((HttpStatusCode)308)] // 308
+        public async Task RedirectWithDifferentPortShouldRemoveAuthHeader(HttpStatusCode statusCode)
+        {
+            using(var httpRequestMessage = new HttpRequestMessage(HttpMethod.Get, "http://example.org:8080/foo"))
+            {
+                // Arrange
+                httpRequestMessage.Headers.Authorization = new AuthenticationHeaderValue("fooAuth", "aparam");
+                var redirectResponse = new HttpResponseMessage(statusCode);
+                redirectResponse.Headers.Location = new Uri("http://example.org:9090/bar");
+                this._testHttpMessageHandler.SetHttpResponse(redirectResponse, new HttpResponseMessage(HttpStatusCode.OK));// sets the mock response
+                // Act
+                var response = await _invoker.SendAsync(httpRequestMessage, new CancellationToken());
+                // Assert
+                Assert.NotSame(response.RequestMessage, httpRequestMessage);
+                Assert.Equal(response.RequestMessage?.RequestUri?.Host, httpRequestMessage.RequestUri?.Host);
+                Assert.NotEqual(response.RequestMessage?.RequestUri?.Port, httpRequestMessage.RequestUri?.Port);
+                Assert.Null(response.RequestMessage?.Headers.Authorization);
+            }
+        }
+
+        [Theory]
+        [InlineData(HttpStatusCode.MovedPermanently)]  // 301
+        [InlineData(HttpStatusCode.Found)]  // 302
+        [InlineData(HttpStatusCode.TemporaryRedirect)]  // 307
+        [InlineData((HttpStatusCode)308)] // 308
+        public async Task RedirectWithDifferentPortShouldRemoveCookieHeader(HttpStatusCode statusCode)
+        {
+            using(var httpRequestMessage = new HttpRequestMessage(HttpMethod.Get, "http://example.org:8080/foo"))
+            {
+                // Arrange
+                httpRequestMessage.Headers.Add("Cookie", "session=abc123");
+                var redirectResponse = new HttpResponseMessage(statusCode);
+                redirectResponse.Headers.Location = new Uri("http://example.org:9090/bar");
+                this._testHttpMessageHandler.SetHttpResponse(redirectResponse, new HttpResponseMessage(HttpStatusCode.OK));// sets the mock response
+                // Act
+                var response = await _invoker.SendAsync(httpRequestMessage, new CancellationToken());
+                // Assert
+                Assert.NotSame(response.RequestMessage, httpRequestMessage);
+                Assert.Equal(response.RequestMessage?.RequestUri?.Host, httpRequestMessage.RequestUri?.Host);
+                Assert.NotEqual(response.RequestMessage?.RequestUri?.Port, httpRequestMessage.RequestUri?.Port);
+                Assert.False(response.RequestMessage?.Headers.Contains("Cookie"));
+            }
+        }
+
+        [Fact]
+        public async Task RedirectWithSamePortShouldKeepAuthHeader()
+        {
+            using(var httpRequestMessage = new HttpRequestMessage(HttpMethod.Post, "http://example.org:8080/foo"))
+            {
+                // Arrange
+                httpRequestMessage.Headers.Authorization = new AuthenticationHeaderValue("fooAuth", "aparam");
+                var redirectResponse = new HttpResponseMessage(HttpStatusCode.Redirect);
+                redirectResponse.Headers.Location = new Uri("http://example.org:8080/bar");
+                this._testHttpMessageHandler.SetHttpResponse(redirectResponse, new HttpResponseMessage(HttpStatusCode.OK));// sets the mock response
+                // Act
+                var response = await _invoker.SendAsync(httpRequestMessage, new CancellationToken());
+                // Assert
+                Assert.NotSame(response.RequestMessage, httpRequestMessage);
+                Assert.Equal(response.RequestMessage?.RequestUri?.Host, httpRequestMessage.RequestUri?.Host);
+                Assert.Equal(response.RequestMessage?.RequestUri?.Port, httpRequestMessage.RequestUri?.Port);
+                Assert.NotNull(response.RequestMessage?.Headers.Authorization);
+            }
+        }
+
         [Fact]
         public async Task RedirectWithRelativeUrlShouldKeepRequestHost()
         {