From e7ff4db619473b9db63e1d78f79fd994e5ec6041 Mon Sep 17 00:00:00 2001 From: Adnan Jakati Date: Fri, 6 Feb 2026 21:50:27 -0500 Subject: [PATCH] fix: use OR operator in includesCredentials per WHATWG URL Standard MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The includesCredentials function used AND (&&) instead of OR (||), causing it to return false for URLs with only a username or only a password. Per WHATWG URL Standard ยง4.4, a URL includes credentials if its username OR its password is not the empty string. Fixes: https://github.com/nodejs/undici/issues/4815 --- lib/web/fetch/util.js | 2 +- test/fetch/includes-credentials.js | 24 ++++++++++++++++++++++++ 2 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 test/fetch/includes-credentials.js diff --git a/lib/web/fetch/util.js b/lib/web/fetch/util.js index 5e51bdd35aa..fe63cb3a9b0 100644 --- a/lib/web/fetch/util.js +++ b/lib/web/fetch/util.js @@ -1439,7 +1439,7 @@ function hasAuthenticationEntry (request) { */ function includesCredentials (url) { // A URL includes credentials if its username or password is not the empty string. - return !!(url.username && url.password) + return !!(url.username || url.password) } /** diff --git a/test/fetch/includes-credentials.js b/test/fetch/includes-credentials.js new file mode 100644 index 00000000000..3d8eb4c9278 --- /dev/null +++ b/test/fetch/includes-credentials.js @@ -0,0 +1,24 @@ +'use strict' + +const { test } = require('node:test') +const { includesCredentials } = require('../../lib/web/fetch/util') + +test('includesCredentials returns true for URL with both username and password', () => { + const url = new URL('http://user:pass@example.com') + require('node:assert').strictEqual(includesCredentials(url), true) +}) + +test('includesCredentials returns true for URL with only username', () => { + const url = new URL('http://user@example.com') + require('node:assert').strictEqual(includesCredentials(url), true) +}) + +test('includesCredentials returns true for URL with only password', () => { + const url = new URL('http://:pass@example.com') + require('node:assert').strictEqual(includesCredentials(url), true) +}) + +test('includesCredentials returns false for URL with no credentials', () => { + const url = new URL('http://example.com') + require('node:assert').strictEqual(includesCredentials(url), false) +})