From e1f72576fb186bc980a8e65742b7946f8feec4ea Mon Sep 17 00:00:00 2001
From: KyeongSoo Kim
Date: Wed, 22 Nov 2023 07:49:48 +0900
Subject: [PATCH] MM-52655 Allow plugin requests to include Authorization headers from external systems (#24391)

* remove the authorization header if the request is from an authenticated MM user
* fix lint
Co-authored-by: Michael Kochell <6913320+mickmister@users.noreply.github.com>
---------
Co-authored-by: Michael Kochell <6913320+mickmister@users.noreply.github.com>
Co-authored-by: Mattermost Build
---
 server/channels/app/plugin_requests.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/server/channels/app/plugin_requests.go b/server/channels/app/plugin_requests.go
index 2bb1750f20..2a61ca8738 100644
--- a/server/channels/app/plugin_requests.go
+++ b/server/channels/app/plugin_requests.go
@@ -208,6 +208,8 @@ func (ch *Channels) servePluginRequest(w http.ResponseWriter, r *http.Request, h
 if (session != nil && session.Id != "") && err == nil && csrfCheckPassed {
 r.Header.Set("Mattermost-User-Id", session.UserId)
 context.SessionId = session.Id
+
+ r.Header.Del(model.HeaderAuth)
 }
 }
 
@@ -218,7 +220,6 @@ func (ch *Channels) servePluginRequest(w http.ResponseWriter, r *http.Request, h
 r.AddCookie(c)
 }
 }
- r.Header.Del(model.HeaderAuth)
 r.Header.Del("Referer")
 
 params := mux.Vars(r)
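Review bot: Moving `r.Header.Del(model.HeaderAuth)` inside the `csrfCheckPassed` branch means the Authorization header now reaches the plugin on every path where that condition is false, including a session that was resolved but failed the CSRF check, or a token lookup that returned an error. If the header held a Mattermost token in those cases (the code that reads the token is outside this hunk, so this is inferred), the plugin now receives a Mattermost credential that used to be stripped unconditionally. Consider stripping whenever the lookup recognised the token, independent of the CSRF result, e.g. `if session != nil && session.Id != "" && err == nil { r.Header.Del(model.HeaderAuth) }`. The new line would also benefit from a comment such as `// Strip Mattermost credentials only; Authorization values for external systems pass through and are not validated by the server.`, so plugin authors keep treating `Mattermost-User-Id`, not the presence of Authorization, as the authentication signal. servePluginRequest starts and ends outside the hunk.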