From b5cae5867ae09463326f597a62e88ecafe5cb3a6 Mon Sep 17 00:00:00 2001
From: Thomas Keppler
Date: Wed, 21 Dec 2022 16:23:50 +0100
Subject: [PATCH] pro: Override authorization with manually set Authorization header
---
 Userland/Utilities/pro.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/Userland/Utilities/pro.cpp b/Userland/Utilities/pro.cpp
index 0691aeb911..41d2bc634b 100644
--- a/Userland/Utilities/pro.cpp
+++ b/Userland/Utilities/pro.cpp
@@ -246,11 +246,12 @@ ErrorOr serenity_main(Main::Arguments arguments)
 auto output_stream = ConditionalOutputFileStream { [&] { return should_save_stream_data; }, stdout };
 // https://httpwg.org/specs/rfc9110.html#authentication
- if (!credentials.is_empty() && is_http_url) {
+ auto const has_credentials = !credentials.is_empty();
+ auto const has_manual_authorization_header = request_headers.contains("Authorization");
+ if (is_http_url && has_credentials && !has_manual_authorization_header) {
 // 11.2. Authentication Parameters
 // The authentication scheme is followed by additional information necessary for achieving authentication via
 // that scheme as (...) or a single sequence of characters capable of holding base64-encoded information.
- // FIXME: Prevent overriding manually provided Authorization header
 auto const encoded_credentials = TRY(encode_base64(credentials.bytes()));
 auto const authorization = TRY(String::formatted("Basic {}", encoded_credentials));
 request_headers.set("Authorization", authorization.to_deprecated_string());
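Review bot: The new guard `request_headers.contains("Authorization")` only protects a manual header if the map compares keys case-insensitively, and the declaration of `request_headers` is outside this hunk, so that cannot be confirmed here. HTTP field names are case-insensitive, so with a case-sensitive map a user-supplied `authorization: Bearer …` would pass the check and the request would carry both that header and the generated `Basic` one. I would record the dependency next to the check, e.g. `// Relies on request_headers comparing field names case-insensitively (RFC 9110, 5.1).`, and confirm the map's traits at its declaration. When credentials and a manual header are both present the credentials are now dropped silently; a short `warnln("Ignoring credentials: an Authorization header was provided manually");` in that case would make the precedence visible to the user. The body of `serenity_main` continues outside the hunk on both sides.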