Incorrect warning about using sensitive credentials with HTTP when HTTPS is used

[anna-oake]

A code like this would produce a warning saying Using sensitive credentials in HTTP mode is not secure. Use HTTPS:

resty.New().
    SetBaseURL("https://example.com").
    SetAuthToken("example")

This behaviour is incorrect, because the base URL clearly starts with the secure https protocol scheme.

The behaviour was introduced in the commit 3b97332 with this piece of code:

resty/middleware.go

Lines 318 to 322 in 3b97332

	if !c.IsDisableWarn() && credentialsAdded {
	if strings.HasPrefix(r.URL, "http") {
	r.log.Warnf("Using sensitive credentials in HTTP mode is not secure. Use HTTPS")
	}
	}

Any URL string starting with https:// would indeed technically have an http prefix, so the warning is logged regardless.

This could be fixed by either changing the statement to something inversed like:

if !strings.HasPrefix(r.URL, "https")

Or, if done properly, by checking the parsed protocol scheme. Something along the lines of:

if r.RawRequest.URL.Scheme == "http"

Thank you!

[anna-oake]

Just realised the warning is actually produced when a request is made, not when Resty is instantiated.

This doesn't change the issue though.