
Feat/handling authorization header leaks to third party servers on redirect#8380

Open
Gopi-bruno wants to merge 6 commits into usebruno:main from Gopi-bruno:feat/handling-authorization-header-leaks-to-third-party-servers-on-redirect

Conversation

Gopi-bruno commented Jun 26, 2026

Description

This PR introduces the forwardAuthorizationHeader setting to prevent sensitive authentication headers (Authorization and Proxy-Authorization) from leaking to third-party/cross-origin servers during redirects.

Key Changes:

  1. Redirect Security Logic (CLI & Electron):
    • Intercepted redirects in the Axios network layers (bruno-cli and bruno-electron).
    • If a request redirects to a different origin (cross-origin redirect) and forwardAuthorizationHeader is set to false, the sensitive Authorization and Proxy-Authorization headers are stripped before following the redirect.
  2. UI Settings Toggle:
    • Added a Forward Auth Headers on Redirect toggle under the request settings pane.
    • Newly created requests default this setting to false (secure by default).
    • Existing requests default to true (backward-compatible) to preserve current workflows unless explicitly updated by the user.
  3. Schema & Typings Updates:
    • Updated bruno-schema, bruno-schema-types, and bruno-lang (bruToJson.js) to support the new request property.
    • Added ambient module augmentations in bruno-converters to support this setting on GraphQL and HTTP requests without modifying external dependency manifests.
  4. Testing:
    • Added unit test suites for bruno-cli (packages/bruno-cli/tests/utils/axios-instance.spec.js) and bruno-electron (packages/bruno-electron/tests/network/axios-instance.spec.js) covering same-origin vs. cross-origin redirects with varying settings.
    • Added Playwright integration/E2E tests (tests/request/settings/redirect-auth-strip.spec.ts) using local redirect test routes.

Contribution Checklist:

  • I've used AI significantly to create this pull request
  • The pull request only addresses one issue or adds one feature.
  • The pull request does not introduce any breaking changes
  • I have added screenshots or gifs to help explain the change if applicable.
  • I have read the contribution guidelines.
  • Create an issue and link to the pull request.

Note: Keeping the PR small and focused helps make it easier to review and merge. If you have multiple changes you want to make, please consider submitting them as separate pull requests.

Publishing to New Package Managers

Please see here for more information.

Credits

Special thanks to @abhishek-bruno for the initial implementation and research of the cross-origin header stripping logic in #7578. This PR builds upon that implementation by adding the requested settings configuration for backward compatibility.

Summary by CodeRabbit

  • New Features

    • Added a new HTTP request setting to control whether Authorization/Proxy-Authorization headers are forwarded during redirects.
    • Updated the request settings UI to expose this toggle.
  • Bug Fixes

    • Redirect behavior now strips authorization headers on cross-origin redirects when the setting is disabled, while preserving them for same-origin and relative redirects.
  • Tests

    • Added/updated unit and end-to-end coverage to validate redirect authorization stripping/forwarding behavior.
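The redirect check the description above summarises (compare the origin of the redirect target with the origin of the request that produced it; on a cross-origin hop with the setting off, drop Authorization and Proxy-Authorization but keep every other header) as an added, self-contained example. This is not Bruno's own code and not from this PR: the function names (isSameOrigin, headersForRedirect, followRedirects), the in-memory "server" map and the sample headers are all constructed for illustration. It goes slightly beyond the description by walking a whole redirect chain, so the same-origin hop, the cross-origin hop and the legacy "setting absent" case can each be observed per request.

```javascript
// Added example (not Bruno's code): redirect handling that keeps or strips
// credential headers depending on origin and the forwardAuthorizationHeader setting.
// isSameOrigin, headersForRedirect and followRedirects are illustrative names.

const SENSITIVE_HEADERS = ['authorization', 'proxy-authorization'];

// Two URLs share an origin when scheme, host and effective port all match.
// A relative Location value is resolved against the URL that produced the redirect.
function isSameOrigin(currentUrl, location) {
  const from = new URL(currentUrl);
  const to = new URL(location, currentUrl);
  return from.origin === to.origin;
}

// Returns the headers to send on the redirected request.
// A missing setting is treated as "forward" (the backward-compatible default the
// PR describes for existing requests); only an explicit false enables stripping,
// and only on a cross-origin hop. Header names are matched case-insensitively.
function headersForRedirect(headers, currentUrl, location, forwardAuthorizationHeader) {
  const forward = forwardAuthorizationHeader !== false;
  if (forward || isSameOrigin(currentUrl, location)) {
    return { ...headers };
  }
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!SENSITIVE_HEADERS.includes(name.toLowerCase())) {
      kept[name] = value;
    }
  }
  return kept;
}

// Walks a redirect chain against a constructed in-memory "server" (URL -> response),
// applying headersForRedirect at every hop. Returns the list of requests actually
// made so a caller can assert on the URL and the headers of each hop.
function followRedirects(startUrl, headers, settings, server, maxRedirects = 5) {
  const calls = [];
  let url = startUrl;
  let currentHeaders = { ...headers };
  for (let hop = 0; ; hop++) {
    calls.push({ url, headers: { ...currentHeaders } });
    const response = server[url];
    if (!response) {
      throw new Error(`no constructed response for ${url}`);
    }
    const isRedirect = response.status >= 300 && response.status < 400 && response.location;
    if (!isRedirect) {
      return calls;
    }
    if (hop >= maxRedirects) {
      throw new Error('too many redirects');
    }
    currentHeaders = headersForRedirect(currentHeaders, url, response.location, settings.forwardAuthorizationHeader);
    url = new URL(response.location, url).toString();
  }
}

// Constructed sample chain: a same-origin relative redirect, then a cross-origin
// redirect, then a final 200. Hostnames use the reserved .test TLD.
const SAMPLE_SERVER = {
  'https://api.example.test/start': { status: 302, location: '/step2' },
  'https://api.example.test/step2': { status: 301, location: 'https://other.example.test/target' },
  'https://other.example.test/target': { status: 200 }
};

// Constructed request headers; the credential values are placeholders.
const SAMPLE_HEADERS = {
  Authorization: 'Bearer constructed-token',
  'Proxy-Authorization': 'Basic constructed',
  'Custom-Header': 'keep-me'
};

// Stand-alone run: print which headers reach each hop with the setting off.
const trace = followRedirects('https://api.example.test/start', SAMPLE_HEADERS, { forwardAuthorizationHeader: false }, SAMPLE_SERVER);
for (const call of trace) {
  console.log(call.url, Object.keys(call.headers));
}
```

The origin comparison deliberately uses the URL's `origin` rather than the hostname alone, so a scheme downgrade or a port change counts as cross-origin, and the default port is normalised (`https://host:443` and `https://host` compare equal).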

coderabbitai Bot (Contributor) commented Jun 26, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7ed89a18-cabb-4fb5-86a8-3b1180f7a828

📥 Commits

Reviewing files that changed from the base of the PR and between e919f87 and 55856c7.

📒 Files selected for processing (9)
  • packages/bruno-app/src/providers/ReduxStore/slices/collections/actions.js
  • packages/bruno-app/src/providers/ReduxStore/slices/collections/index.js
  • packages/bruno-app/src/utils/common/constants.js
  • packages/bruno-converters/src/opencollection/items/graphql.ts
  • packages/bruno-converters/src/opencollection/items/http.ts
  • packages/bruno-converters/tests/insomnia/insomnia-collection-v5.spec.js
  • packages/bruno-converters/tests/insomnia/insomnia-collection.spec.js
  • packages/bruno-converters/tests/postman/postman-to-bruno/postman-to-bruno.spec.js
  • tests/request/settings/redirect-auth-strip.spec.ts
✅ Files skipped from review due to trivial changes (1)
  • packages/bruno-converters/tests/insomnia/insomnia-collection.spec.js
🚧 Files skipped from review as they are similar to previous changes (4)
  • packages/bruno-app/src/providers/ReduxStore/slices/collections/actions.js
  • packages/bruno-converters/src/opencollection/items/graphql.ts
  • packages/bruno-converters/src/opencollection/items/http.ts
  • tests/request/settings/redirect-auth-strip.spec.ts

Walkthrough

This PR adds a forwardAuthorizationHeader request setting and wires it through UI, request creation, redirect handling, converters, file-format parsing, and tests. Cross-origin redirects can now strip or preserve auth headers based on that setting.

Changes

forwardAuthorizationHeader feature

Layer / File(s) Summary
Schema and types
packages/bruno-schema-types/src/collection/item.ts, packages/bruno-schema/src/collections/index.js
Adds optional forwardAuthorizationHeader field to HttpItemSettings and the collection item schema.
Request settings UI toggle
packages/bruno-app/src/components/RequestPane/Settings/index.js
Adds the default, toggle handler, and ToggleSelector for forwardAuthorizationHeader in the request settings panel.
Default settings on request creation
packages/bruno-app/src/components/Sidebar/NewRequest/index.js, packages/bruno-app/src/providers/ReduxStore/slices/collections/actions.js, packages/bruno-app/src/providers/ReduxStore/slices/collections/index.js, packages/bruno-app/src/utils/common/constants.js
Adds shared default HTTP item settings and uses them for cURL import, new HTTP request creation, and ephemeral request creation.
CLI redirect header stripping
packages/bruno-cli/src/runner/run-single-request.js, packages/bruno-cli/src/utils/axios-instance.js, packages/bruno-cli/tests/utils/axios-instance.spec.js
Passes forwardAuthorizationHeader into Axios redirect handling and adds tests for cross-origin, same-origin, and relative redirects.
Electron redirect header stripping
packages/bruno-electron/src/ipc/network/axios-instance.js, packages/bruno-electron/src/ipc/network/index.js, packages/bruno-electron/tests/network/axios-instance.spec.js
Adds the same redirect-origin check and header stripping logic in Electron, with redirect tests.
Importer and converter settings mapping
packages/bruno-converters/src/insomnia/insomnia-to-bruno.js, packages/bruno-converters/src/openapi/openapi-to-bruno.js, packages/bruno-converters/src/openapi/swagger2-to-bruno.js, packages/bruno-converters/src/postman/postman-to-bruno.js, packages/bruno-converters/tests/insomnia/*, packages/bruno-converters/tests/postman/*
Adds forwardAuthorizationHeader: false to imported request settings and updates converter expectations.
OpenCollection and file format mapping
packages/bruno-converters/src/opencollection/items/{http,graphql}.ts, packages/bruno-filestore/src/formats/yml/items/{parse,stringify}{Http,GraphQL}Request.ts, packages/bruno-lang/v2/src/bruToJson.js
Maps forwardAuthorizationHeader through OpenCollection, YML, and bru-to-JSON request settings.
End-to-end redirect test fixtures and spec
packages/bruno-tests/src/redirect/index.js, tests/request/settings/collection/*.bru, tests/request/settings/redirect-auth-strip.spec.ts
Adds the cross-origin redirect endpoint, request fixtures, and the UI-driven redirect assertions.

Sequence Diagram(s)

sequenceDiagram
  participant RequestPane
  participant AxiosConfig
  participant RedirectTarget
  participant OriginCheck

  RequestPane->>AxiosConfig: request.settings.forwardAuthorizationHeader
  AxiosConfig->>RedirectTarget: send request with redirect handling
  RedirectTarget-->>AxiosConfig: 3xx Location header
  AxiosConfig->>OriginCheck: compare original URL vs redirect URL
  OriginCheck-->>AxiosConfig: same-origin / cross-origin
  AxiosConfig->>AxiosConfig: strip or preserve Authorization headers

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

  • usebruno/bruno#6679: Both PRs modify the redirect-handling request execution path in the CLI/Electron Axios setup.

Suggested labels

size/XXL

Suggested reviewers

  • helloanoop
  • lohit-bruno
  • naman-bruno
  • bijin-bruno
  • sid-bruno

A header once followed wherever it led,
Now pauses at borders, considers instead—
Same origin, carry on; cross origin, stay neat,
With redirects in motion, secrets miss the street.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)
  • Docstring Coverage (Warning): Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
  • Description Check (Passed): Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check (Passed): The title matches the main change: preventing authorization header leakage on cross-origin redirects.
  • Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.
Comment @coderabbitai help to get the list of available commands.

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
packages/bruno-converters/src/opencollection/items/http.ts (1)

105-114: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Same false-default inconsistency as in graphql.ts — affects both conversion directions here.

fromOpenCollectionHttpItem (line 111) and toOpenCollectionHttpItem (line 228) both default a missing/non-boolean forwardAuthorizationHeader to false. Meanwhile parseHttpRequest.ts / stringifyHttpRequest.ts in bruno-filestore default the same field to true for the identical "field absent" case. Since these two packages both implement conversion to/from the same HttpRequestSettings.forwardAuthorizationHeader contract, this is a real cross-package contract break: importing/exporting a legacy collection (no explicit setting) through bruno-converters silently changes auth-forwarding behavior on redirects, while doing the same round-trip through bruno-filestore preserves it. Recommend unifying on true as the "missing value" default everywhere, since the secure-by-default false is already applied explicitly at request-creation time (cURL import, Redux newEphemeralHttpRequest, etc.) rather than needing to be re-derived here.

🔧 Suggested fix
-      forwardAuthorizationHeader: typeof ocRequest.settings.forwardAuthorizationHeader === 'boolean' ? ocRequest.settings.forwardAuthorizationHeader : false
+      forwardAuthorizationHeader: typeof ocRequest.settings.forwardAuthorizationHeader === 'boolean' ? ocRequest.settings.forwardAuthorizationHeader : true
-    forwardAuthorizationHeader: typeof brunoSettings?.forwardAuthorizationHeader === 'boolean' ? brunoSettings.forwardAuthorizationHeader : false
+    forwardAuthorizationHeader: typeof brunoSettings?.forwardAuthorizationHeader === 'boolean' ? brunoSettings.forwardAuthorizationHeader : true
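Review bot: with the fallback flipped to `true` in both lines, the `typeof … === 'boolean'` guard is the only thing that keeps an explicit `false` from being swallowed, so the converter tests should pin both cases: a settings object with no `forwardAuthorizationHeader` round-trips to `true`, and an explicit `false` survives unchanged through `fromOpenCollectionHttpItem` and `toOpenCollectionHttpItem`. Without those assertions, a later change that drops the guard would forward credentials on cross-origin redirects for every imported request and nothing would fail.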

Also applies to: 227-229

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/bruno-converters/src/opencollection/items/http.ts` around lines 105
- 114, `fromOpenCollectionHttpItem` and `toOpenCollectionHttpItem` in the HTTP
converter are defaulting a missing `forwardAuthorizationHeader` to false, which
conflicts with the shared `HttpRequestSettings` behavior used elsewhere. Update
both conversion paths to treat an absent or non-boolean
`forwardAuthorizationHeader` as true, matching `parseHttpRequest.ts` and
`stringifyHttpRequest.ts` so round-trips preserve legacy behavior; keep the
explicit boolean check in the `settings` mapping and align the default with the
`forwardAuthorizationHeader` contract.
🧹 Nitpick comments (4)
packages/bruno-app/src/providers/ReduxStore/slices/collections/actions.js (1)

1403-1406: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Minor duplication of default item settings shape.

The { encodeUrl: true, forwardAuthorizationHeader: false } literal also appears in newEphemeralHttpRequest in packages/bruno-app/src/providers/ReduxStore/slices/collections/index.js (lines 966-969). Consider extracting a shared DEFAULT_HTTP_ITEM_SETTINGS constant if a third setting is ever added, to avoid drift between the two defaults.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/bruno-app/src/providers/ReduxStore/slices/collections/actions.js`
around lines 1403 - 1406, The HTTP item settings default shape is duplicated
between actions.js and the newEphemeralHttpRequest flow, which can drift over
time. Extract the shared default object into a common DEFAULT_HTTP_ITEM_SETTINGS
constant (or equivalent shared symbol used by both create/update paths) and have
both the settings initializer in actions.js and newEphemeralHttpRequest in
collections/index.js reference it instead of inlining the literal.
packages/bruno-converters/src/postman/postman-to-bruno.js (1)

508-511: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Consider adding/asserting converter test coverage for the new default.

This and the sibling Insomnia/OpenAPI/Swagger2 converters all now hardcode forwardAuthorizationHeader: false for every imported request — a security-relevant behavior change. Worth confirming existing converter test suites assert this default so a future refactor doesn't silently regress it.

As per coding guidelines, "Add tests for any new functionality or meaningful changes. If code is added, removed, or significantly modified, corresponding tests should be updated or created."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/bruno-converters/src/postman/postman-to-bruno.js` around lines 508 -
511, The new hardcoded forwardAuthorizationHeader default in the Postman
converter needs test coverage so this security-relevant behavior is locked in.
Update the relevant converter test suite around postmanToBruno (and, if
applicable, the sibling converter test suites) to assert imported requests
always set forwardAuthorizationHeader to false, so future refactors cannot
silently change the default.

Source: Coding guidelines

tests/request/settings/redirect-auth-strip.spec.ts (2)

8-9: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Extract repeated sidebar locator into a variable.

The `#sidebar-collection-name`.getByText('settings-test') locator is rebuilt identically in both tests. As per path instructions, "Use locator variables for locators."

Also applies to: 34-35

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/request/settings/redirect-auth-strip.spec.ts` around lines 8 - 9, The
repeated sidebar locator built with `#sidebar-collection-name` and
getByText('settings-test') should be extracted into a shared locator variable.
Update the affected tests in redirect-auth-strip.spec.ts to define a reusable
locator once and reuse it for both the visibility assertion and the click,
following the existing locator-variable pattern used elsewhere in the test file.

Source: Path instructions


4-28: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Wrap test phases in test.step for readable reports.

Neither test breaks its Arrange/Act/Assert/Cleanup phases into test.step calls. As per path instructions, "Promote the use of test.step as much as possible so the generated reports are easier to read."

♻️ Example refactor for the first test
   test('should strip Authorization and Proxy-Authorization on cross-origin redirects when setting is OFF', async ({
     pageWithUserData: page
   }) => {
-    // Open collection
-    await expect(page.locator('`#sidebar-collection-name`').getByText('settings-test')).toBeVisible();
-    await page.locator('`#sidebar-collection-name`').getByText('settings-test').click();
-
-    // Open request
-    await page.getByRole('complementary').getByText('cross-origin-redirect-auth-strip').click();
-
-    // Send request
-    await page.getByTestId('send-arrow-icon').click();
-
-    // Verify status code
-    await expect(page.getByTestId('response-status-code')).toContainText('200', { timeout: 15000 });
-
-    // Verify headers are stripped
-    const responseTexts = await page.getByTestId('response-preview-container').locator('.CodeMirror-scroll').allInnerTexts();
-    const fullText = responseTexts.join('\n');
-    expect(fullText).not.toContain('"authorization":');
-    expect(fullText).not.toContain('"proxy-authorization":');
-
-    // Close tab
-    await page.locator('.close-icon-container').click({ force: true });
+    const collectionItem = page.locator('`#sidebar-collection-name`').getByText('settings-test');
+
+    await test.step('Open collection and request', async () => {
+      await expect(collectionItem).toBeVisible();
+      await collectionItem.click();
+      await page.getByRole('complementary').getByText('cross-origin-redirect-auth-strip').click();
+    });
+
+    await test.step('Send request', async () => {
+      await page.getByTestId('send-arrow-icon').click();
+      await expect(page.getByTestId('response-status-code')).toContainText('200', { timeout: 15000 });
+    });
+
+    await test.step('Verify headers are stripped', async () => {
+      const responseTexts = await page.getByTestId('response-preview-container').locator('.CodeMirror-scroll').allInnerTexts();
+      const fullText = responseTexts.join('\n');
+      expect(fullText).not.toContain('"authorization":');
+      expect(fullText).not.toContain('"proxy-authorization":');
+    });
+
+    await test.step('Cleanup', async () => {
+      await page.locator('.close-icon-container').click({ force: true });
+    });
   });
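Review bot: the selector strings on the `page.locator('`#sidebar-collection-name`')` lines, both the removed ones and the added `collectionItem` line, carry literal backticks inside the single quotes, which is not a valid CSS selector; the added line should read `page.locator('#sidebar-collection-name').getByText('settings-test')`. Separately, the `Cleanup` step only runs when the earlier steps pass, so a failed header assertion leaves the tab open for the next test in the file; closing the tab in a `finally` around the steps or in an `afterEach` hook keeps the two tests independent of each other's outcome.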

Also applies to: 30-54

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/request/settings/redirect-auth-strip.spec.ts` around lines 4 - 28, The
test in redirect-auth-strip.spec.ts should be refactored to wrap its
Arrange/Act/Assert/Cleanup phases in test.step blocks for clearer Playwright
reports. Update the cross-origin-redirect-auth-strip flow by grouping the
existing page interactions and assertions inside named steps within the current
test('should strip Authorization and Proxy-Authorization on cross-origin
redirects when setting is OFF') so the sequence is easier to follow. Apply the
same pattern to the other affected test in this file as well, keeping the
existing locators and assertions intact while moving them into test.step calls.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/bruno-converters/src/opencollection/items/graphql.ts`:
- Around line 187-188: The GraphQL request setting default is inconsistent
across converters: `forwardAuthorizationHeader` is currently defaulted to
`false` in the OpenCollection mapping, which conflicts with the filestore
GraphQL parsing/stringifying and the HTTP item conversion paths. Update the
`graphql.ts` conversion logic (and any matching
`toOpenCollectionHttpItem`/`fromOpenCollectionHttpItem` behavior if needed) so
legacy or missing `GraphQLRequestSettings.forwardAuthorizationHeader` values
default to `true`, while keeping `false` only for explicitly created new
requests handled by `NewRequest`/`actions.js`/`collections/index.js`.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a6d54005-65fa-4142-a010-101e0bf42957

📥 Commits

Reviewing files that changed from the base of the PR and between d6e17e1 and e919f87.

📒 Files selected for processing (27)
  • packages/bruno-app/src/components/RequestPane/Settings/index.js
  • packages/bruno-app/src/components/Sidebar/NewRequest/index.js
  • packages/bruno-app/src/providers/ReduxStore/slices/collections/actions.js
  • packages/bruno-app/src/providers/ReduxStore/slices/collections/index.js
  • packages/bruno-cli/src/runner/run-single-request.js
  • packages/bruno-cli/src/utils/axios-instance.js
  • packages/bruno-cli/tests/utils/axios-instance.spec.js
  • packages/bruno-converters/src/insomnia/insomnia-to-bruno.js
  • packages/bruno-converters/src/openapi/openapi-to-bruno.js
  • packages/bruno-converters/src/openapi/swagger2-to-bruno.js
  • packages/bruno-converters/src/opencollection/items/graphql.ts
  • packages/bruno-converters/src/opencollection/items/http.ts
  • packages/bruno-converters/src/postman/postman-to-bruno.js
  • packages/bruno-electron/src/ipc/network/axios-instance.js
  • packages/bruno-electron/src/ipc/network/index.js
  • packages/bruno-electron/tests/network/axios-instance.spec.js
  • packages/bruno-filestore/src/formats/yml/items/parseGraphQLRequest.ts
  • packages/bruno-filestore/src/formats/yml/items/parseHttpRequest.ts
  • packages/bruno-filestore/src/formats/yml/items/stringifyGraphQLRequest.ts
  • packages/bruno-filestore/src/formats/yml/items/stringifyHttpRequest.ts
  • packages/bruno-lang/v2/src/bruToJson.js
  • packages/bruno-schema-types/src/collection/item.ts
  • packages/bruno-schema/src/collections/index.js
  • packages/bruno-tests/src/redirect/index.js
  • tests/request/settings/collection/cross-origin-redirect-auth-forward.bru
  • tests/request/settings/collection/cross-origin-redirect-auth-strip.bru
  • tests/request/settings/redirect-auth-strip.spec.ts

Comment thread packages/bruno-converters/src/opencollection/items/graphql.ts Outdated
content: null
}
},
settings: cloneDeep(DEFAULT_HTTP_ITEM_SETTINGS),

Contributor

do we need cloneDeep here? DEFAULT_HTTP_ITEM_SETTINGS is a plain flat object with only primitive values.

maxRedirects: 5,
timeout: 'inherit'
timeout: 'inherit',
forwardAuthorizationHeader: true

Contributor

can we please change the name to something like forwardAuthorizationOnRedirect or shouldForwardAuthorizationHeader?

Author

Earlier it was named forwardAuthorizationOnRedirect but after discussing with Bijin and Anoop, forwardAuthorizationHeader was finalised yesterday.

});
});

describe('axios-instance: cross-origin redirects authorization stripping', () => {

Contributor

can we please add one test for redirect chains to verify stripping happens correctly throughout multiple redirects.

// Redirected call should strip auth headers but keep custom headers
expect(calls[1].headers['Authorization']).toBeUndefined();
expect(calls[1].headers['Proxy-Authorization']).toBeUndefined();
expect(calls[1].headers['Custom-Header']).toBe('keep-me');

Contributor

also add expect(calls[1].url).toBe('https://other-domain.com/target');
This ensures the second request was made to the redirected URL, not just with modified headers.
We can also add the same assertions to other tests.
