[api] Avoid potentially leaking OAuth token to 3rd parties

This ensures that calling `hub api http://example.com/foo` doesn't
accidentally send the OAuth token for `github.com` to `example.com`.

features/api.feature

@@ -6,6 +6,7 @@ Feature: hub api
     Given the GitHub API server:
       """
       get('/hello/world') {
+        halt 401 unless request.env['HTTP_AUTHORIZATION'] == 'token OTOKEN'
         json :name => "Ed"
       }
       """
@@ -83,7 +84,8 @@ Feature: hub api
   Scenario: GET full URL
     Given the GitHub API server:
       """
-      get('/hello/world') {
+      get('/hello/world', :host_name => 'api.github.com') {
+        halt 401 unless request.env['HTTP_AUTHORIZATION'] == 'token OTOKEN'
         json :name => "Faye"
       }
       """
@@ -93,6 +95,20 @@ Feature: hub api
       {"name":"Faye"}\n
       """
 
+  Scenario: Avoid leaking token to a 3rd party
+    Given the GitHub API server:
+      """
+      get('/hello/world', :host_name => 'example.com') {
+        halt 401 unless request.env['HTTP_AUTHORIZATION'].nil?
+        json :name => "Jet"
+      }
+      """
+    When I successfully run `hub api http://example.com/hello/world`
+    Then the output should contain exactly:
+      """
+      {"name":"Jet"}\n
+      """
+
   Scenario: POST fields
     Given the GitHub API server:
       """

github/client.go

@@ -940,7 +940,9 @@ func (client *Client) simpleApi() (c *simpleClient, err error) {
 
 	c = client.apiClient()
 	c.PrepareRequest = func(req *http.Request) {
-		req.Header.Set("Authorization", "token "+client.Host.AccessToken)
+		if strings.EqualFold(req.URL.Host, normalizeHost(client.Host.Host)) {
+			req.Header.Set("Authorization", "token "+client.Host.AccessToken)
+		}
 	}
 	return
 }