feat: derive host from hostname for plain object targets and bracket IPv6 literals

src/_utils.ts

@@ -80,6 +80,16 @@ export function setupOutgoing(
     }
   }
 
+  // Derive `host` from `hostname` (+ port) when the target was provided as a
+  // plain object without `host`. IPv6 literals must be bracketed in URI host
+  // syntax (RFC 3986 3.2.2), otherwise the `changeOrigin` branch below would
+  // produce a malformed `Host` header like `undefined:<port>`.
+  if (outgoing.host === undefined && typeof outgoing.hostname === "string") {
+    const isIPv6Literal = outgoing.hostname.includes(":") && !outgoing.hostname.startsWith("[");
+    const bracketedHost = isIPv6Literal ? `[${outgoing.hostname}]` : outgoing.hostname;
+    outgoing.host = outgoing.port ? `${bracketedHost}:${outgoing.port}` : bracketedHost;
+  }
+
   outgoing.method = options.method || req.method;
   outgoing.headers = { ...req.headers };
 

test/_utils.test.ts

@@ -507,6 +507,90 @@ describe("lib/http-proxy/common.js", () => {
         );
         expect(outgoing.headers!.host).to.eql("mycouch.com:6984");
       });
+
+      it("should derive host from hostname when target is a plain object without host", () => {
+        const outgoing = createOutgoing();
+        common.setupOutgoing(
+          outgoing,
+          {
+            target: {
+              protocol: "http:",
+              hostname: "example.com",
+              port: 8080,
+            },
+            changeOrigin: true,
+          },
+          stubIncomingMessage({ url: "/" }),
+        );
+        expect(outgoing.headers!.host).to.eql("example.com:8080");
+      });
+
+      it("should bracket IPv6 hostname when target is a plain object without host (RFC 3986 §3.2.2)", () => {
+        const outgoing = createOutgoing();
+        common.setupOutgoing(
+          outgoing,
+          {
+            target: {
+              protocol: "http:",
+              hostname: "::1",
+              port: 8080,
+            },
+            changeOrigin: true,
+          },
+          stubIncomingMessage({ url: "/" }),
+        );
+        expect(outgoing.headers!.host).to.eql("[::1]:8080");
+      });
+
+      it("should not double-bracket an already-bracketed IPv6 hostname", () => {
+        const outgoing = createOutgoing();
+        common.setupOutgoing(
+          outgoing,
+          {
+            target: {
+              protocol: "http:",
+              hostname: "[::1]",
+              port: 8080,
+            },
+            changeOrigin: true,
+          },
+          stubIncomingMessage({ url: "/" }),
+        );
+        expect(outgoing.headers!.host).to.eql("[::1]:8080");
+      });
+
+      it("should derive host from hostname using the default port when port is omitted", () => {
+        const outgoing = createOutgoing();
+        common.setupOutgoing(
+          outgoing,
+          {
+            target: {
+              protocol: "http:",
+              hostname: "example.com",
+            },
+            changeOrigin: true,
+          },
+          stubIncomingMessage({ url: "/" }),
+        );
+        expect(outgoing.host).to.eql("example.com:80");
+      });
+
+      it("should not override the incoming host header when changeOrigin is false", () => {
+        const outgoing = createOutgoing();
+        common.setupOutgoing(
+          outgoing,
+          {
+            target: {
+              protocol: "http:",
+              hostname: "example.com",
+              port: 8080,
+            },
+          },
+          stubIncomingMessage({ url: "/", headers: { host: "client.example" } }),
+        );
+        expect(outgoing.headers!.host).to.eql("client.example");
+        expect(outgoing.host).to.eql("example.com:8080");
+      });
     });
 
     it("should pass through https client parameters", () => {