diff --git a/github/client.go b/github/client.go
index 718935a..41ecea8 100644
--- a/github/client.go
+++ b/github/client.go
@@ -152,7 +152,7 @@ type clientConfig struct {
 
 // AllowInsecureHTTP permits sending credentials over plaintext HTTP connections.
 // In production, this option is gated by the REVIEW_BOT_ALLOW_INSECURE=1
-// environment variable. Without the env var set, the option is silently ignored
+// environment variable. Without the env var set, the option is ignored
 // and a warning is logged.
 //
 // For tests, use AllowInsecureHTTPForTest (defined in export_test.go) which bypasses the env gate.
@@ -267,9 +267,8 @@ func redactURL(rawURL string) string {
 	if err != nil {
 		return "<unparseable URL>"
 	}
-	if u.User != nil {
-		u.User = nil
-	}
+	u.User = nil
+
 	if u.RawQuery != "" {
 		u.RawQuery = "<redacted>"
 	}
@@ -281,6 +280,9 @@ func redactURL(rawURL string) string {
 // It respects the Retry-After header when present, supporting both integer
 // seconds and HTTP-date formats (capped at maxRetryAfter).
 func (c *Client) doRequest(ctx context.Context, method, reqURL string, accept string) ([]byte, error) {
+	// NOTE: This parses reqURL a second time (http.NewRequestWithContext parses it
+	// again internally). Acceptable cost: URL parsing is cheap and threading the
+	// parsed *url.URL through would complicate the interface for negligible gain.
 	if !c.allowInsecureHTTP {
 		parsed, err := url.Parse(reqURL)
 		if err != nil {