fix: avoid 401 failures for stream-backed request bodies

mcollina · mcollina · commit 30c88224c6cf · 2026-03-29T10:23:58.000Z
- Properly implement isTraversableNavigable() to return false in Node.js - Return 401 response directly for stream-backed bodies instead of throwing network error - Aligns with Fetch spec discussion in whatwg/fetch#1132 - Add regression tests for PUT with ReadableStream and POST with JSON body
diff --git a/AGENTS.md b/AGENTS.md
@@ -0,0 +1,19 @@
+# AGENTS.md
+
+This file contains non-discoverable guidance for AI agents working on this repository.
+
+## Landmines
+
+- **Global dispatcher symbol**: `Symbol.for('undici.globalDispatcher.1')` in `lib/global.js` must not change without incrementing the version number (breaking change). The number is not documented elsewhere.
+
+- **`installedExports` array**: Controls `undici.install()` behavior. Changes affect which globals are polyfilled. Only documented in `lib/global.js`.
+
+## Test-Specific Gotchas
+
+- **HTTP pipelining**: Requires BOTH `pipelining > 1` config AND `blocking: false` option. Neither config alone enables pipelining.
+
+- **IPv6 tests**: DNS tests with "(6)" suffix are skipped if IPv6 is not available for localhost. Skip logic uses `{ skip: !ipv6Available }` option in `test()` call. The `hasIPv6LocalhostSync()` function checks `/etc/hosts` for `::1` entry.
+
+## Type System Constraints
+
+- **JavaScript files**: Use single quotes per `@stylistic/comma-dangle` config
diff --git a/lib/web/fetch/index.js b/lib/web/fetch/index.js
@@ -1649,7 +1649,13 @@ async function httpNetworkOrCacheFetch (
     if (request.body != null) {
       // 1. If request’s body’s source is null, then return a network error.
       if (request.body.source == null) {
-        return makeNetworkError('expected non-null body source')
+        // Note: In Node.js, this code path should not be reached because
+        // isTraversableNavigable() returns false for non-navigable contexts.
+        // However, we handle it gracefully by returning the response instead of
+        // a network error, as we won't actually retry the request.
+        // This aligns with the Fetch spec discussion in whatwg/fetch#1132,
+        // which allows implementations flexibility when credentials can't be obtained.
+        return response
       }
 
       // 2. Set request’s body to the body of the result of safely extracting
diff --git a/lib/web/fetch/util.js b/lib/web/fetch/util.js
@@ -1447,8 +1447,10 @@ function includesCredentials (url) {
  * @param {object|string} navigable
  */
 function isTraversableNavigable (navigable) {
-  // TODO
-  return true
+  // Returns true only if we have an actual traversable navigable object
+  // that can prompt the user for credentials. In Node.js, this will always
+  // be false since there's no Window object or navigable.
+  return navigable != null && navigable !== 'client' && navigable !== 'no-traversable'
 }
 
 class EnvironmentSettingsObjectBase {
diff --git a/test/fetch/401-statuscode-no-infinite-loop.js b/test/fetch/401-statuscode-no-infinite-loop.js
@@ -20,3 +20,47 @@ test('Receiving a 401 status code should not cause infinite retry loop', async (
   const response = await fetch(`http://localhost:${server.address().port}`)
   assert.strictEqual(response.status, 401)
 })
+
+test('Receiving a 401 status code should not fail for stream-backed request bodies', async (t) => {
+  const server = createServer({ joinDuplicateHeaders: true }, (req, res) => {
+    res.statusCode = 401
+    res.end('Unauthorized')
+  }).listen(0)
+
+  t.after(closeServerAsPromise(server))
+  await once(server, 'listening')
+
+  const response = await fetch(`http://localhost:${server.address().port}`, {
+    method: 'PUT',
+    duplex: 'half',
+    body: new ReadableStream({
+      start (controller) {
+        controller.enqueue(Buffer.from('hello world'))
+        controller.close()
+      }
+    })
+  })
+
+  assert.strictEqual(response.status, 401)
+})
+
+test('Receiving a 401 status code should work for POST with JSON body', async (t) => {
+  const server = createServer({ joinDuplicateHeaders: true }, (req, res) => {
+    res.statusCode = 401
+    res.setHeader('Content-Type', 'application/json')
+    res.end(JSON.stringify({ error: 'unauthorized' }))
+  }).listen(0)
+
+  t.after(closeServerAsPromise(server))
+  await once(server, 'listening')
+
+  const response = await fetch(`http://localhost:${server.address().port}`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ data: 'test' })
+  })
+
+  assert.strictEqual(response.status, 401)
+  const body = await response.json()
+  assert.deepStrictEqual(body, { error: 'unauthorized' })
+})
