| 153 | entries = find_entries_for_url(url, _load_config()) |
| 154 | |
| 155 | def _make_req(auth_headers: dict[str, str]) -> urllib.request.Request: |
| 156 | merged = {} |
| 157 | if extra_headers: |
| 158 | # Strip Authorization from extra_headers to prevent bypass |
| 159 | merged.update({k: v for k, v in extra_headers.items() if k.lower() != "authorization"}) |
| 160 | # Auth headers applied last — cannot be overridden by extra_headers |
| 161 | merged.update(auth_headers) |
| 162 | return urllib.request.Request(url, headers=merged) |
| 163 | |
| 164 | # Try each matching entry |
| 165 | for entry in entries: |