Authorization Header is removed even if it should not #1016
Comments
Hi @JoergFiedler,
@churkin … thank you … if I can support you, pls get in touch
@JoergFiedler could you please create an example of your use case? Or please give me the link to the page with this use case.
@LavrovArtem sure … it will be a few days until I can return to this topic … pls stay tuned …
Hi @JoergFiedler,
@LavrovArtem: works like a charm … thank you …
This thread has been automatically locked since it is closed and there has not been any recent activity. Please open a new issue for related bugs or feature requests. We recommend you ask TestCafe API, usage and configuration inquiries on StackOverflow.
After spending some time digging into this topic I think the current implementation of the transformation of Authorization headers (header-transforms.js) does not cover all real-life use cases, even if it seems to follow the specification (https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials).

What I observed:

So, this hammerhead lib is used within TestCafe to proxy HTTP requests coming from the page/application under test. In our case we use the Authorization header not for HTTP Authentication, but to pass an OAuth2 token to our API backend. The token is added from within the JS application and not automatically by the browser after the user signed in (as it happens for HTTP auth). By intent we do not create XHR requests using withCredentials = true.

What happens now is (which is actually different from default browser behaviour):

When the API backend request is sent from our application under test (by TestCafe), the request is intercepted by hammerhead and because withCredentials=false the Authorization header is removed, which leads to an unauthenticated request to our backend and in turn to failing tests. IMHO, this is not correct, as this specific auth header is not like the ones which are automatically sent by the browser when accessing sites that require HTTP authentication.
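
The distinction raised in this issue, as an added JavaScript sketch (not hammerhead's code and not part of the original post): one rule strips Authorization purely on the withCredentials flag, the other strips it only when the page script did not set the header itself. The function names, the `scriptSetHeaders` field (assumed to be reported by a client-side shim around `setRequestHeader()`) and the sample requests are constructed for illustration.

```javascript
// Added illustration, not hammerhead's code. Field and function names are hypothetical.

// Lower-case header names so lookups are case-insensitive, as HTTP requires.
function normalize(headers) {
    const out = {};
    for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
    return out;
}

// Rule reported in the issue: without withCredentials, Authorization is always dropped.
function stripByFlagOnly(req) {
    const headers = normalize(req.headers);
    if (!req.withCredentials) delete headers.authorization;
    return headers;
}

// Alternative rule: drop only an Authorization header the page script did not set itself.
// Assumes a client-side shim reports the names passed to setRequestHeader().
function stripAmbientOnly(req) {
    const headers = normalize(req.headers);
    const explicit = new Set((req.scriptSetHeaders || []).map(n => n.toLowerCase()));
    if (!req.withCredentials && !explicit.has('authorization')) delete headers.authorization;
    return headers;
}

// Constructed sample requests as a proxy would see them (placeholder credentials).
const samples = {
    oauthFromScript: { withCredentials: false, scriptSetHeaders: ['Authorization'], headers: { Authorization: 'Bearer <token-placeholder>' } },
    ambientHttpAuth: { withCredentials: false, scriptSetHeaders: [], headers: { Authorization: 'Basic <credentials-placeholder>' } },
    ambientWithCredentials: { withCredentials: true, scriptSetHeaders: [], headers: { Authorization: 'Basic <credentials-placeholder>' } },
};

// For each sample, report whether Authorization survives under each rule.
function compare() {
    const result = {};
    for (const [name, req] of Object.entries(samples)) {
        result[name] = {
            flagOnly: 'authorization' in stripByFlagOnly(req),
            ambientOnly: 'authorization' in stripAmbientOnly(req),
        };
    }
    return result;
}

console.table(compare());
```

Only the script-set OAuth2 token is treated differently by the two rules; browser-attached credentials are still removed when withCredentials is false.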