fix: stop :get, :delete parameters from bleeding into subsequent requ…

…ests (#388) * fix: stop :get, :delete parameters from bleeding into subsequent requests * chore: fix up integration fixtures * chore: renamed some vars in the test for output readability
auth0 · Oct 10, 2022 · 1ff315b · 1ff315b
1 parent 867d36e
commit 1ff315b
Show file tree

Hide file tree

Showing 9 changed files with 49 additions and 14 deletions.
diff --git a/lib/auth0/mixins/httpproxy.rb b/lib/auth0/mixins/httpproxy.rb
@@ -73,15 +73,13 @@ def request_with_retry(method, uri, body = {}, extra_headers = {})
 
       def request(method, uri, body = {}, extra_headers = {})
         result = if method == :get
-          # Mutate the headers property to add parameters.
-          add_headers({params: body})
-          # Merge custom headers into existing ones for this req.
-          # This prevents future calls from using them.
-          get_headers = headers.merge extra_headers
-          # Make the call with extra_headers, if provided.
+          @headers ||= {}
+          get_headers = @headers.merge({params: body}).merge(extra_headers)
           call(:get, encode_uri(uri), timeout, get_headers)
         elsif method == :delete
-          call(:delete, encode_uri(uri), timeout, add_headers({params: body}))
+          @headers ||= {}
+          delete_headers = @headers.merge({ params: body })
+          call(:delete, encode_uri(uri), timeout, delete_headers)
         elsif method == :delete_with_body
           call(:delete, encode_uri(uri), timeout, headers, body.to_json)
         elsif method == :post_file

diff --git a/...th0_Api_V2_Clients/_patch_client/should_update_the_client_with_the_correct_attributes.yml b/...th0_Api_V2_Clients/_patch_client/should_update_the_client_with_the_correct_attributes.yml
diff --git a/...cr_cassettes/Auth0_Api_V2_Connections/_update_connection/should_update_the_connection.yml b/...cr_cassettes/Auth0_Api_V2_Connections/_update_connection/should_update_the_connection.yml
diff --git a/...ssettes/Auth0_Api_V2_Rules/_update_rule/should_update_the_disabled_rule_to_be_enabled.yml b/...ssettes/Auth0_Api_V2_Rules/_update_rule/should_update_the_disabled_rule_to_be_enabled.yml
diff --git a/..._cassettes/Auth0_Api_V2_Tenants/_update_tenant_settings/should_revert_the_tenant_name.yml b/..._cassettes/Auth0_Api_V2_Tenants/_update_tenant_settings/should_revert_the_tenant_name.yml
diff --git a/...ants/_update_tenant_settings/should_update_the_tenant_settings_with_a_new_tenant_name.yml b/...ants/_update_tenant_settings/should_update_the_tenant_settings_with_a_new_tenant_name.yml
diff --git a/...cassettes/Auth0_Api_V2_Users/_add_user_roles/should_add_a_Role_to_a_User_successfully.yml b/...cassettes/Auth0_Api_V2_Users/_add_user_roles/should_add_a_Role_to_a_User_successfully.yml
diff --git a/...tures/vcr_cassettes/Auth0_Api_V2_Users/_patch_user/should_patch_the_User_successfully.yml b/...tures/vcr_cassettes/Auth0_Api_V2_Users/_patch_user/should_patch_the_User_successfully.yml
diff --git a/spec/lib/auth0/mixins/httpproxy_spec.rb b/spec/lib/auth0/mixins/httpproxy_spec.rb
@@ -596,4 +596,40 @@
       end
     end
   end
+
+  context 'Normal operation' do
+    let(:httpproxy_instance) {
+      DummyClassForTokens.new(
+        client_id: 'test-client-id',
+        client_secret: 'test-client-secret',
+        domain: 'auth0.com',
+        token: 'access_token',
+        token_expires_at: Time.now.to_i + 86400)
+    }
+
+    # This sets up a test matrix to verify that both :get and :delete calls (the only two HTTP methods in the proxy that mutated headers)
+    # don't bleed query params into subsequent calls to :post :patch and :put.
+    %i(get delete).each do |http_get_delete|
+      %i(post patch put).each do |http_ppp|
+        it "should not bleed :#{http_get_delete} headers/parameters to the subsequent :#{http_ppp} request" do
+          expect(RestClient::Request).to receive(:execute).with(hash_including(
+            method: http_get_delete,
+            url: "https://auth0.com/test-#{http_get_delete}",
+            headers: hash_including(params: { email: '[email protected]' })
+          )).and_return(StubResponse.new('OK', true, 200))
+
+          # email: parameter that is sent in the GET request should not appear
+          # as a parameter in the `headers` hash for the subsequent PATCH request.
+          expect(RestClient::Request).to receive(:execute).with(hash_including(
+            method: http_ppp,
+            url: "https://auth0.com/test-#{http_ppp}",
+            headers: hash_not_including(:params)
+          )).and_return(StubResponse.new('OK', true, 200))
+
+          expect { httpproxy_instance.send(http_get_delete, "/test-#{http_get_delete}", { email: '[email protected]' }) }.not_to raise_error
+          expect { httpproxy_instance.send(http_ppp, "/test-#{http_ppp}") }.not_to raise_error
+        end
+      end
+    end
+  end
 end