fix: remove request from saved responses #38

Merged: 2 commits, Apr 25, 2024

nealrichardson
Owner

NEWS summary:

`request` is now removed when saving `httr2_response` objects. In earlier versions of httr2, requests were not included in responses, but in httr2 1.0.0, they were added in order to improve error messages. If you recorded any responses with httr2 >= 1.0 and httptest2 prior to this version, you may have leaked auth secrets: this would happen if your requests included auth information (as in an Authentication header), and the response was saved in a `.R` file, not simplified to `.json` or other response-body-only formats. Please inspect your recorded responses and invalidate any tokens that were exposed.

cc @jmaspons
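
A first-pass check for the inspection the NEWS summary asks for, as an added example that is not part of this PR or of httptest2: it lists recorded `.R` mocks that contain a saved request or name an auth header. It assumes a `.R` mock is plain R source in which a saved request shows up as the class name `httr2_request`; `scan_mocks`, `make_sample_mocks`, `AUTH_RE` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not httptest2 code. Assumption: a mock saved as .R is plain R
# source, so a saved request appears as the class name "httr2_request" and an
# auth header appears by name. AUTH_RE is an assumed starting list; extend it.
AUTH_RE='authorization|authentication|x-api-key'

# scan_mocks DIR: print "path<TAB>reasons" for every .R mock worth inspecting.
scan_mocks() {
  find "$1" -type f -name '*.R' | sort | while IFS= read -r f; do
    reasons=""
    if grep -q 'httr2_request' "$f"; then reasons="saved-request"; fi
    if grep -Eiq "$AUTH_RE" "$f"; then reasons="${reasons:+$reasons,}auth-header"; fi
    if [ -n "$reasons" ]; then printf '%s\t%s\n' "$f" "$reasons"; fi
  done
}

# make_sample_mocks DIR: write constructed sample recordings (no real tokens).
make_sample_mocks() {
  mkdir -p "$1/api"
  cat > "$1/api/leaky.R" <<'EOF'
structure(list(method = "GET", url = "https://api.example.test/me",
  status_code = 200L,
  request = structure(list(headers = list(
    Authorization = "Bearer CONSTRUCTED-NOT-A-REAL-TOKEN")),
    class = "httr2_request")), class = "httr2_response")
EOF
  cat > "$1/api/clean.R" <<'EOF'
structure(list(method = "GET", url = "https://api.example.test/me",
  status_code = 200L), class = "httr2_response")
EOF
  printf '{"ok": true}\n' > "$1/api/body.json"
}

# Demo on the constructed samples; point scan_mocks at your own mock directory.
demo_dir=$(mktemp -d)
make_sample_mocks "$demo_dir"
scan_mocks "$demo_dir"
rm -rf "$demo_dir"
```

A listed file is a prompt to open it and read what was recorded; any token found there should be invalidated, as the summary says.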

@codecov-commenter

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 99.50%. Comparing base (cff21ee) to head (2b8159d).

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #38   +/-   ##
=======================================
  Coverage   99.50%   99.50%           
=======================================
  Files          14       14           
  Lines         400      401    +1     
=======================================
+ Hits          398      399    +1     
  Misses          2        2           


@nealrichardson nealrichardson merged commit 96b61db into main Apr 25, 2024
19 checks passed
@nealrichardson nealrichardson deleted the purge-request branch April 25, 2024 14:48
@jmaspons
Contributor

Should update vignette too

By default, the `capture_requests()` context evaluates the `redact_cookies()` function on a response object before writing it to disk. `redact_cookies()` redacts the `Set-Cookie` response header, which may contain auth credentials. Many APIs don't return anything in the HTTP response that leaks auth secrets, and while you send secrets in your request, the `httr2_request` object isn't saved in the mocks, only the `httr2_response`.

@nealrichardson
Owner Author

Well, it's true now, right? The request isn't saved in the mocks (anymore).

@jmaspons
Contributor

Yes, you are right
