Kong / insomnia

The open-source, cross-platform API client for GraphQL, REST, WebSockets, SSE and gRPC. With Cloud, Local and Git storage.
https://insomnia.rest
Apache License 2.0

Rendering purpose is not set during oauth2 token refresh for plugins #4778

Open dansailer opened 2 years ago

dansailer commented 2 years ago

Expected Behavior

The plugin receives the rendering purpose even during OAuth2 token refresh and is able to render secrets accordingly.

{"type":"oauth2","grantType":"client_credentials","accessTokenUrl":"https://example.edu","clientId":"","credentialsInBody":"true","clientSecret":"{% keepass 'keepassxc', '', '', 'https://example.edu', 'password' %}"}

is rendered to

{"type":"oauth2","grantType":"client_credentials","accessTokenUrl":"https://example.edu","clientId":"","credentialsInBody":"true","clientSecret":"mypass"}

Actual Behavior

The client secret in OAuth2 token refresh when using a plugin is rendered incorrectly, as it is rendered without the RenderPurpose set to send. A security-aware plugin that only wants to render an actual secret when going over the wire can therefore not be used for the client secret.

{"type":"oauth2","grantType":"client_credentials","accessTokenUrl":"https://example.edu","clientId":"","credentialsInBody":"true","clientSecret":"{% keepass 'keepassxc', '', '', 'https://example.edu', 'password' %}"}

is rendered to

{"type":"oauth2","grantType":"client_credentials","accessTokenUrl":"https://example.edu","clientId":"","credentialsInBody":"true","clientSecret":"KeepassXC - password of https://example.edu"}

Reproduction Steps

Is there an existing issue for this?

Additional Information

A possible quick-fix solution is to add an optional parameter for RenderPurpose to use-nunjucks.ts and o-auth-2-auth.tsx:

https://github.com/dansailer/insomnia/pull/1/files

Insomnia Version

2022.3.0

What operating system are you using?

macOS

Operating System Version

Windows 10 and macOS 12.3.1

Installation method

Homebrew (macOS), installer exe (Windows)

Last Known Working Insomnia version

No response
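As an added illustration that is not part of the original issue and not Insomnia's or the reporter's plugin code: an Insomnia-style template tag that releases the real value only when `context.renderPurpose` is `'send'`, plus a stand-in renderer (a hypothetical helper, not the real Nunjucks pipeline) showing what the token-refresh path yields when it passes no purpose. The secret store is a constructed in-memory map.

```javascript
// Added example, not code from Insomnia or from the reporter's plugin: a
// template tag that renders the real value only when renderPurpose is 'send',
// plus a stub renderer to show what a call with no purpose at all produces.
// Secret storage is a constructed in-memory map; the real plugin asks KeePassXC.
const SECRETS = { 'https://example.edu': 'mypass' }; // constructed sample data

const templateTags = [{
  name: 'keepass',
  displayName: 'KeePass secret',
  args: [
    { displayName: 'Database', type: 'string' },
    { displayName: 'Group', type: 'string' },
    { displayName: 'Title', type: 'string' },
    { displayName: 'URL', type: 'string' },
    { displayName: 'Attribute', type: 'string' },
  ],
  run(context, db, group, title, url, attribute) {
    // Previews, exports and anything without an explicit 'send' purpose get a
    // label; only the bytes that go over the wire get the secret itself.
    if (context.renderPurpose !== 'send') {
      return `KeepassXC - ${attribute} of ${url}`;
    }
    const value = SECRETS[url];
    if (value === undefined) throw new Error(`no entry for ${url}`);
    return value;
  },
}];

// Hypothetical stand-in for the relevant part of Insomnia's renderer: expand
// one {% keepass ... %} tag in a string using whatever purpose the caller gave.
function renderClientSecret(template, renderPurpose) {
  const m = /\{%\s*keepass\s+(.*?)\s*%\}/.exec(template);
  if (!m) return template;
  const args = m[1].split(',').map((s) => s.trim().replace(/^'(.*)'$/, '$1'));
  const rendered = templateTags[0].run({ renderPurpose }, ...args);
  return template.replace(m[0], rendered);
}

// The shape the issue describes: purpose set when sending, missing on refresh.
const CLIENT_SECRET = "{% keepass 'keepassxc', '', '', 'https://example.edu', 'password' %}";
const onSend = renderClientSecret(CLIENT_SECRET, 'send');       // 'mypass'
const onRefresh = renderClientSecret(CLIENT_SECRET, undefined); // the label, not the secret

if (typeof module !== 'undefined') {
  module.exports = { templateTags, renderClientSecret };
}
```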

filfreire commented 2 years ago

Hi @dansailer, thanks for reporting this, and thank you for providing a possible solution!

We'll try to investigate this a bit deeper when possible, but indeed this weird behavior should also happen with any other plugins that would try to tap into the send render purpose.

I'd encourage you to move your suggested pull request into Insomnia's pull requests, and the team can follow up with you there to try to get a fix completed and merged 👍

dansailer commented 2 years ago

It would be great if someone could have a look at https://github.com/Kong/insomnia/pull/4779