Refresh oauth_nonce only when redirecting to the same hostname

#1574 (comment)

request.js

@@ -628,7 +628,7 @@ Request.prototype.init = function (options) {
 
   if (options.oauth) {
     self.oauth(options.oauth)
-  } else if (self._oauth.params) {
+  } else if (self._oauth.params && self.hasHeader('authorization')) {
     self.oauth(self._oauth.params)
   }
 

tests/test-oauth.js

@@ -620,3 +620,35 @@ tape('refresh oauth_nonce on redirect', function(t) {
       })
   })
 })
+
+tape('no credentials on external redirect', function(t) {
+  var s1 = http.createServer(function (req, res) {
+    res.writeHead(302, {location:'http://127.0.0.1:6768'})
+    res.end()
+  })
+  var s2 = http.createServer(function (req, res) {
+    res.writeHead(200, {'content-type':'text/plain'})
+    res.end()
+  })
+  s1.listen(6767, function () {
+    s2.listen(6768, function () {
+      request.get(
+        { url: 'http://localhost:6767'
+        , oauth:
+          { consumer_key: 'consumer_key'
+          , consumer_secret: 'consumer_secret'
+          , token: 'token'
+          , token_secret: 'token_secret'
+          }
+        }, function (err, res, body) {
+          t.equal(err, null)
+          t.equal(res.request.headers.Authorization, undefined)
+          s1.close(function () {
+            s2.close(function () {
+              t.end()
+            })
+          })
+        })
+    })
+  })
+})