feat: implement fetchWithSelectiveRedirects for controlled redirect handling between apex/www and http/https versions of the same domain (#165)

Author: jakejarvis

lib/fetch.test.ts

@@ -1,6 +1,10 @@
 /* @vitest-environment node */
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { fetchWithTimeout, headThenGet } from "@/lib/fetch";
+import {
+  fetchWithSelectiveRedirects,
+  fetchWithTimeout,
+  headThenGet,
+} from "@/lib/fetch";
 
 const originalFetch = globalThis.fetch;
 
@@ -135,4 +139,262 @@ describe("lib/fetch", () => {
     expect(usedMethod).toBe("GET");
     expect(mock).toHaveBeenCalledTimes(2);
   });
+
+  describe("fetchWithSelectiveRedirects", () => {
+    it("returns non-redirect responses immediately", async () => {
+      const res = createResponse({ ok: true, status: 200 });
+      globalThis.fetch = vi.fn(async () => res) as unknown as typeof fetch;
+
+      const out = await fetchWithSelectiveRedirects(
+        "https://example.com",
+        {},
+        { timeoutMs: 50 },
+      );
+      expect(out).toBe(res);
+      expect(globalThis.fetch).toHaveBeenCalledTimes(1);
+    });
+
+    it("follows redirect from http to https on same domain", async () => {
+      const redirectRes = createResponse({
+        status: 301,
+        headers: new Headers({ location: "https://example.com/" }),
+      });
+      const finalRes = createResponse({ ok: true, status: 200 });
+
+      const mock = vi
+        .fn()
+        .mockResolvedValueOnce(redirectRes)
+        .mockResolvedValueOnce(finalRes);
+      globalThis.fetch = mock as unknown as typeof fetch;
+
+      const out = await fetchWithSelectiveRedirects(
+        "http://example.com/",
+        {},
+        { timeoutMs: 50 },
+      );
+      expect(out).toBe(finalRes);
+      expect(mock).toHaveBeenCalledTimes(2);
+      expect(mock).toHaveBeenNthCalledWith(
+        1,
+        "http://example.com/",
+        expect.objectContaining({ redirect: "manual" }),
+      );
+      expect(mock).toHaveBeenNthCalledWith(
+        2,
+        "https://example.com/",
+        expect.objectContaining({ redirect: "manual" }),
+      );
+    });
+
+    it("follows redirect from apex to www", async () => {
+      const redirectRes = createResponse({
+        status: 301,
+        headers: new Headers({ location: "https://www.example.com/" }),
+      });
+      const finalRes = createResponse({ ok: true, status: 200 });
+
+      const mock = vi
+        .fn()
+        .mockResolvedValueOnce(redirectRes)
+        .mockResolvedValueOnce(finalRes);
+      globalThis.fetch = mock as unknown as typeof fetch;
+
+      const out = await fetchWithSelectiveRedirects(
+        "https://example.com/",
+        {},
+        { timeoutMs: 50 },
+      );
+      expect(out).toBe(finalRes);
+      expect(mock).toHaveBeenCalledTimes(2);
+    });
+
+    it("follows redirect from www to apex", async () => {
+      const redirectRes = createResponse({
+        status: 301,
+        headers: new Headers({ location: "https://example.com/" }),
+      });
+      const finalRes = createResponse({ ok: true, status: 200 });
+
+      const mock = vi
+        .fn()
+        .mockResolvedValueOnce(redirectRes)
+        .mockResolvedValueOnce(finalRes);
+      globalThis.fetch = mock as unknown as typeof fetch;
+
+      const out = await fetchWithSelectiveRedirects(
+        "https://www.example.com/",
+        {},
+        { timeoutMs: 50 },
+      );
+      expect(out).toBe(finalRes);
+      expect(mock).toHaveBeenCalledTimes(2);
+    });
+
+    it("follows redirect from http://example.com to https://www.example.com", async () => {
+      const redirectRes = createResponse({
+        status: 301,
+        headers: new Headers({ location: "https://www.example.com/" }),
+      });
+      const finalRes = createResponse({ ok: true, status: 200 });
+
+      const mock = vi
+        .fn()
+        .mockResolvedValueOnce(redirectRes)
+        .mockResolvedValueOnce(finalRes);
+      globalThis.fetch = mock as unknown as typeof fetch;
+
+      const out = await fetchWithSelectiveRedirects(
+        "http://example.com/",
+        {},
+        { timeoutMs: 50 },
+      );
+      expect(out).toBe(finalRes);
+      expect(mock).toHaveBeenCalledTimes(2);
+    });
+
+    it("does NOT follow redirect to different domain", async () => {
+      const redirectRes = createResponse({
+        status: 301,
+        headers: new Headers({ location: "https://other.com/" }),
+      });
+
+      globalThis.fetch = vi.fn(
+        async () => redirectRes,
+      ) as unknown as typeof fetch;
+
+      const out = await fetchWithSelectiveRedirects(
+        "https://example.com/",
+        {},
+        { timeoutMs: 50 },
+      );
+      expect(out).toBe(redirectRes);
+      expect(globalThis.fetch).toHaveBeenCalledTimes(1);
+    });
+
+    it("does NOT follow redirect to different path", async () => {
+      const redirectRes = createResponse({
+        status: 301,
+        headers: new Headers({ location: "https://example.com/other-path" }),
+      });
+
+      globalThis.fetch = vi.fn(
+        async () => redirectRes,
+      ) as unknown as typeof fetch;
+
+      const out = await fetchWithSelectiveRedirects(
+        "https://example.com/",
+        {},
+        { timeoutMs: 50 },
+      );
+      expect(out).toBe(redirectRes);
+      expect(globalThis.fetch).toHaveBeenCalledTimes(1);
+    });
+
+    it("does NOT follow redirect with query params", async () => {
+      const redirectRes = createResponse({
+        status: 301,
+        headers: new Headers({
+          location: "https://example.com/?utm_source=test",
+        }),
+      });
+
+      globalThis.fetch = vi.fn(
+        async () => redirectRes,
+      ) as unknown as typeof fetch;
+
+      const out = await fetchWithSelectiveRedirects(
+        "https://example.com/",
+        {},
+        { timeoutMs: 50 },
+      );
+      expect(out).toBe(redirectRes);
+      expect(globalThis.fetch).toHaveBeenCalledTimes(1);
+    });
+
+    it("handles relative redirect URLs", async () => {
+      const redirectRes = createResponse({
+        status: 301,
+        headers: new Headers({ location: "/" }),
+      });
+
+      globalThis.fetch = vi.fn(
+        async () => redirectRes,
+      ) as unknown as typeof fetch;
+
+      const out = await fetchWithSelectiveRedirects(
+        "https://www.example.com/path",
+        {},
+        { timeoutMs: 50 },
+      );
+      // Relative redirect to "/" changes the path (/path -> /), so should NOT be followed
+      expect(out).toBe(redirectRes);
+      expect(globalThis.fetch).toHaveBeenCalledTimes(1);
+    });
+
+    it("throws on too many redirects", async () => {
+      const redirectRes = createResponse({
+        status: 301,
+        headers: new Headers({ location: "https://www.example.com/" }),
+      });
+
+      globalThis.fetch = vi.fn(
+        async () => redirectRes,
+      ) as unknown as typeof fetch;
+
+      await expect(
+        fetchWithSelectiveRedirects(
+          "https://example.com/",
+          {},
+          { timeoutMs: 50, maxRedirects: 2 },
+        ),
+      ).rejects.toThrow("Too many redirects");
+      expect(globalThis.fetch).toHaveBeenCalledTimes(3); // initial + 2 redirects
+    });
+
+    it("returns redirect response when no location header", async () => {
+      const redirectRes = createResponse({
+        status: 301,
+        headers: new Headers(),
+      });
+
+      globalThis.fetch = vi.fn(
+        async () => redirectRes,
+      ) as unknown as typeof fetch;
+
+      const out = await fetchWithSelectiveRedirects(
+        "https://example.com/",
+        {},
+        { timeoutMs: 50 },
+      );
+      expect(out).toBe(redirectRes);
+      expect(globalThis.fetch).toHaveBeenCalledTimes(1);
+    });
+
+    it("handles redirect chain: http -> https -> www", async () => {
+      const redirect1 = createResponse({
+        status: 301,
+        headers: new Headers({ location: "https://example.com/" }),
+      });
+      const redirect2 = createResponse({
+        status: 301,
+        headers: new Headers({ location: "https://www.example.com/" }),
+      });
+      const finalRes = createResponse({ ok: true, status: 200 });
+
+      const mock = vi
+        .fn()
+        .mockResolvedValueOnce(redirect1)
+        .mockResolvedValueOnce(redirect2)
+        .mockResolvedValueOnce(finalRes);
+      globalThis.fetch = mock as unknown as typeof fetch;
+
+      const out = await fetchWithSelectiveRedirects(
+        "http://example.com/",
+        {},
+        { timeoutMs: 50 },
+      );
+      expect(out).toBe(finalRes);
+      expect(mock).toHaveBeenCalledTimes(3);
+    });
+  });
 });

lib/fetch.ts

@@ -52,3 +52,105 @@ export async function headThenGet(
   );
   return { response: getRes, usedMethod: "GET" };
 }
+
+/**
+ * Checks if a redirect from one URL to another is allowed.
+ * Only allows redirects between apex/www or http/https versions of the same domain.
+ */
+function isAllowedRedirect(fromUrl: string, toUrl: string): boolean {
+  try {
+    const from = new URL(fromUrl);
+    const to = new URL(toUrl);
+
+    // Normalize hostnames by removing www. prefix for comparison
+    const normalizeHost = (host: string) => host.replace(/^www\./i, "");
+    const fromHost = normalizeHost(from.hostname);
+    const toHost = normalizeHost(to.hostname);
+
+    // Must be the same registrable domain (after removing www)
+    if (fromHost !== toHost) {
+      return false;
+    }
+
+    // Allow if path, search, and hash are the same (only scheme or www prefix changed)
+    const isSchemeLike =
+      from.pathname === to.pathname &&
+      from.search === to.search &&
+      from.hash === to.hash;
+    if (isSchemeLike) {
+      return true;
+    }
+
+    return false;
+  } catch {
+    // If URL parsing fails, don't allow redirect
+    return false;
+  }
+}
+
+/**
+ * Fetch with manual redirect handling that only follows redirects between
+ * apex/www or http/https versions of the same domain.
+ */
+export async function fetchWithSelectiveRedirects(
+  input: RequestInfo | URL,
+  init: RequestInit = {},
+  opts: { timeoutMs?: number; maxRedirects?: number } = {},
+): Promise<Response> {
+  const timeoutMs = opts.timeoutMs ?? 5000;
+  const maxRedirects = opts.maxRedirects ?? 5;
+
+  let currentUrl =
+    typeof input === "string" || input instanceof URL
+      ? input.toString()
+      : input.url;
+  let redirectCount = 0;
+
+  while (redirectCount <= maxRedirects) {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeoutMs);
+
+    try {
+      const response = await fetch(currentUrl, {
+        ...init,
+        redirect: "manual",
+        signal: controller.signal,
+      });
+      clearTimeout(timer);
+
+      // Check if this is a redirect response
+      const isRedirect = response.status >= 300 && response.status < 400;
+      if (!isRedirect) {
+        return response;
+      }
+
+      // Get the redirect location
+      const location = response.headers.get("location");
+      if (!location) {
+        // No location header, return the redirect response as-is
+        return response;
+      }
+
+      // Resolve relative URLs
+      const nextUrl = new URL(location, currentUrl).toString();
+
+      // Check if we should follow this redirect
+      if (!isAllowedRedirect(currentUrl, nextUrl)) {
+        // Return the redirect response without following
+        return response;
+      }
+
+      // Follow the redirect
+      currentUrl = nextUrl;
+      redirectCount++;
+    } catch (err) {
+      clearTimeout(timer);
+      throw err;
+    }
+  }
+
+  // Max redirects exceeded
+  throw new Error(
+    `Too many redirects (${maxRedirects}) when fetching ${currentUrl}`,
+  );
+}