Kong / insomnia

The open-source, cross-platform API client for GraphQL, REST, WebSockets, SSE and gRPC. With Cloud, Local and Git storage.
https://insomnia.rest
Apache License 2.0

Per-request Authorization setting does not override Authorization added by default headers plugin #3459

Open rocketraman opened 3 years ago

rocketraman commented 3 years ago

Describe the bug

I use the Default Headers plugin to work around https://github.com/Kong/insomnia/issues/1116.

This allows me to set authorization headers at a folder level.

A per-request Authorization setting should clearly override the default header set at the folder level; however, it does not -- the per-request Authorization settings are completely ignored.

To Reproduce

Steps to reproduce the behavior:

  1. Install default headers plugin
  2. Create a folder and set a default header:
    {
      "DEFAULT_HEADERS": {
        "Authorization": "Bearer {{ _.token }}"
      }
    }
  3. Create a request inside that folder, and add a Bearer authorization with a different token.
  4. Make a request -- the default header auth token is sent, not the request auth token.

Expected behavior

I want the "default headers" to be just that: defaults. In other words, they are used only when they are not already explicitly set at a per-request level.

Desktop (please complete the following information):

Additional context

We really really need a proper solution to re-using authorization settings.

filfreire commented 2 years ago

Hi @rocketraman, thank you for reporting this!

I'm able to reproduce this as of 2022.3.0.


I think this could be a slightly different and easier "fix" than what is related to #1116 and #3694. For instance, as of now if folks define both Authorization and on Headers also define an Authorization header, the Authorization header takes precedence over both the Authorization and the DEFAULT_HEADERS set with our Default headers plugin.


It could be just a matter of fixing on the plugin the order by which each overrides each other: 1) DEFAULT_HEADERS (via plugin) 2) Authorization setup 3) Authorization header setup on Headers
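The override order proposed in the comment above, modelled as a small merge function. This is an added example, not part of the thread and not the plugin's or Insomnia's own code; `resolveHeaders`, `bearer`, `effective` and the token values are hypothetical names and constructed samples.

```javascript
// Added example: "defaults are only defaults" header resolution.
// Layer order follows the thread: DEFAULT_HEADERS < request auth < request headers.

// Header that a per-request Bearer auth setting would contribute (hypothetical helper).
function bearer(token) {
  return { Authorization: `Bearer ${token}` };
}

// Merge layers from lowest to highest precedence. Names are compared
// case-insensitively (HTTP field names are case-insensitive), so a higher
// layer's "authorization" replaces a lower layer's "Authorization" instead of
// leaving two competing credentials on the request.
function resolveHeaders(defaultHeaders, requestAuth, explicitHeaders) {
  const resolved = new Map(); // lower-cased name -> { name, value, source }
  const layers = [
    ['DEFAULT_HEADERS', defaultHeaders],
    ['request auth', requestAuth],
    ['request headers', explicitHeaders],
  ];
  for (const [source, headers] of layers) {
    for (const [name, value] of Object.entries(headers || {})) {
      // Recording the source makes it easy to see which layer supplied a credential.
      resolved.set(name.toLowerCase(), { name, value, source });
    }
  }
  return [...resolved.values()];
}

// Constructed sample values, not real tokens.
const folderDefaults = { Authorization: 'Bearer folder-token', 'X-Trace': '1' };

// Effective Authorization entry for a request inside the folder.
function effective(requestAuth, explicitHeaders) {
  return resolveHeaders(folderDefaults, requestAuth, explicitHeaders)
    .find(h => h.name.toLowerCase() === 'authorization');
}

// Per-request auth overrides the folder default.
console.log(effective(bearer('request-token'), {}));
// No per-request auth: the folder default applies.
console.log(effective(null, {}));
// An explicit header wins over both, even with different casing.
console.log(effective(bearer('request-token'), { authorization: 'Bearer header-token' }));
```
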

adamhp commented 1 year ago

Would very much like to see this implemented.

A quick work-around for others: use directory-specific environments. I have a 'Pre-Authentication' and 'Post-Authentication' directory.

Pre-Auth has no DEFAULT_HEADERS, but Post-Authentication uses the Response token from my Login call.