fix: auth bug when value is a secret environment (#4210)

Co-authored-by: jamesgeorge007 <25279263+jamesgeorge007@users.noreply.github.com>
2024-07-27 20:54:16 +05:30
parent 5f96cda5e2
commit c88ea5c8b2
3 changed files with 54 additions and 13 deletions
--- a/packages/hoppscotch-common/package.json
+++ b/packages/hoppscotch-common/package.json
@@ -35,10 +35,10 @@
    "@codemirror/view": "6.25.1",
    "@hoppscotch/codemirror-lang-graphql": "workspace:^",
    "@hoppscotch/data": "workspace:^",
+    "@hoppscotch/httpsnippet": "3.0.6",
    "@hoppscotch/js-sandbox": "workspace:^",
    "@hoppscotch/ui": "0.2.0",
    "@hoppscotch/vue-toasted": "0.1.0",
-    "@hoppscotch/httpsnippet": "3.0.6",
    "@lezer/highlight": "1.2.0",
    "@unhead/vue": "1.8.8",
    "@urql/core": "4.2.0",
@@ -124,6 +124,7 @@
    "@types/nprogress": "0.2.3",
    "@types/paho-mqtt": "1.0.10",
    "@types/postman-collection": "3.5.10",
+    "@types/qs": "6.9.12",
    "@types/splitpanes": "2.2.6",
    "@types/uuid": "9.0.7",
    "@types/yargs-parser": "21.0.3",
--- a/packages/hoppscotch-common/src/helpers/utils/EffectiveURL.ts
+++ b/packages/hoppscotch-common/src/helpers/utils/EffectiveURL.ts
@@ -42,6 +42,9 @@ export interface EffectiveHoppRESTRequest extends HoppRESTRequest {
 * Get headers that can be generated by authorization config of the request
 * @param req Request to check
 * @param envVars Currently active environment variables
+ * @param auth Authorization config to check
+ * @param parse Whether to parse the template strings
+ * @param showKeyIfSecret Whether to show the key if the value is a secret
 * @returns The list of headers
 */
 export const getComputedAuthHeaders = (
@@ -53,7 +56,8 @@ export const getComputedAuthHeaders = (
        headers: HoppRESTHeaders
      },
  auth?: HoppRESTRequest["auth"],
-  parse = true
+  parse = true,
+  showKeyIfSecret = false
 ) => {
  const request = auth ? { auth: auth ?? { authActive: false } } : req
  // If Authorization header is also being user-defined, that takes priority
@@ -69,10 +73,20 @@ export const getComputedAuthHeaders = (
  // TODO: Support a better b64 implementation than btoa ?
  if (request.auth.authType === "basic") {
    const username = parse
-      ? parseTemplateString(request.auth.username, envVars, false, true)
+      ? parseTemplateString(
+          request.auth.username,
+          envVars,
+          false,
+          showKeyIfSecret
+        )
      : request.auth.username
    const password = parse
-      ? parseTemplateString(request.auth.password, envVars, false, true)
+      ? parseTemplateString(
+          request.auth.password,
+          envVars,
+          false,
+          showKeyIfSecret
+        )
      : request.auth.password

    headers.push({
@@ -93,7 +107,9 @@ export const getComputedAuthHeaders = (
      active: true,
      key: "Authorization",
      value: `Bearer ${
-        parse ? parseTemplateString(token, envVars, false, true) : token
+        parse
+          ? parseTemplateString(token, envVars, false, showKeyIfSecret)
+          : token
      }`,
    })
  } else if (request.auth.authType === "api-key") {
@@ -101,9 +117,14 @@ export const getComputedAuthHeaders = (
    if (addTo === "HEADERS" && key) {
      headers.push({
        active: true,
-        key: parseTemplateString(key, envVars, false, true),
+        key: parseTemplateString(key, envVars, false, showKeyIfSecret),
        value: parse
-          ? parseTemplateString(request.auth.value ?? "", envVars, false, true)
+          ? parseTemplateString(
+              request.auth.value ?? "",
+              envVars,
+              false,
+              showKeyIfSecret
+            )
          : request.auth.value ?? "",
      })
    }
@@ -157,6 +178,8 @@ export type ComputedHeader = {
 * For e.g, Authorization headers maybe added if an Auth Mode is defined on REST
 * @param req The request to check
 * @param envVars The environment variables active
+ * @param parse Whether to parse the template strings
+ * @param showKeyIfSecret Whether to show the key if the value is a secret
 * @returns The headers that are generated along with the source of that header
 */
 export const getComputedHeaders = (
@@ -167,10 +190,17 @@ export const getComputedHeaders = (
        headers: HoppRESTHeaders
      },
  envVars: Environment["variables"],
-  parse = true
+  parse = true,
+  showKeyIfSecret = false
 ): ComputedHeader[] => {
  return [
-    ...getComputedAuthHeaders(envVars, req, undefined, parse).map((header) => ({
+    ...getComputedAuthHeaders(
+      envVars,
+      req,
+      undefined,
+      parse,
+      showKeyIfSecret
+    ).map((header) => ({
      source: "auth" as const,
      header,
    })),
@@ -246,11 +276,13 @@ export const resolvesEnvsInBody = (
  if (!body.contentType) return body

  if (body.contentType === "multipart/form-data") {
-    if (!body.body)
+    if (!body.body) {
      return {
-        contentType: "",
-        body: [],
+        contentType: null,
+        body: null,
      }
+    }
+
    return {
      contentType: "multipart/form-data",
      body: body.body.map(
@@ -373,7 +405,12 @@ export function getEffectiveRESTRequest(
  showKeyIfSecret = false
 ): EffectiveHoppRESTRequest {
  const effectiveFinalHeaders = pipe(
-    getComputedHeaders(request, environment.variables).map((h) => h.header),
+    getComputedHeaders(
+      request,
+      environment.variables,
+      true,
+      showKeyIfSecret
+    ).map((h) => h.header),
    A.concat(request.headers),
    A.filter((x) => x.active && x.key !== ""),
    A.map((x) => ({
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -671,6 +671,9 @@ importers:
      '@types/postman-collection':
        specifier: 3.5.10
        version: 3.5.10
+      '@types/qs':
+        specifier: 6.9.12
+        version: 6.9.12
      '@types/splitpanes':
        specifier: 2.2.6
        version: 2.2.6(typescript@5.3.2)