From b2e742832a4937d7242fbb886b5e8b10953c21cf Mon Sep 17 00:00:00 2001
From: Anton Bronnikov <anton@northernforest.nl>
Date: Sun, 22 Jun 2025 12:28:48 +0200
Subject: [PATCH] fix: don't overwrite authorization header

closes https://github.com/bradleyfalzon/ghinstallation/issues/159
---
 transport.go | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/transport.go b/transport.go
index 7794dd9..1b1f0d3 100644
--- a/transport.go
+++ b/transport.go
@@ -126,19 +126,22 @@ func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
 		}()
 	}
 
-	token, err := t.Token(req.Context())
-	if err != nil {
-		return nil, err
-	}
-
 	creq := cloneRequest(req) // per RoundTripper contract
-	creq.Header.Set("Authorization", "token "+token)
 
+	if creq.Header.Get("Authorization") == "" { // We only add an "Authorization" header to avoid overwriting the expected behavior.
+		token, err := t.Token(req.Context())
+		if err != nil {
+			return nil, err
+		}
+		creq.Header.Set("Authorization", "token "+token)
+	}
 	if creq.Header.Get("Accept") == "" { // We only add an "Accept" header to avoid overwriting the expected behavior.
 		creq.Header.Add("Accept", acceptHeader)
 	}
+
 	reqBodyClosed = true // req.Body is assumed to be closed by the tr RoundTripper.
 	resp, err := t.tr.RoundTrip(creq)
+
 	return resp, err
 }