Closed kcibul closed 7 years ago
cjllanwarne
commented
7 years ago Sorry if this comment is a dupe (github things?)
Is it worth a it should "not supply a bearer token to an unprotected resource" test to make sure we wouldn't accidentally spam out tokens to non-https endpoints just because we have some available in case we need them?
cjllanwarne
commented
7 years ago In the same way, if we have two tokens for different sources, only the correct token should be sent to each source.
kcibul
commented
7 years ago @cjllanwarne -- thanks for the comments. I think those tests might be more appropriate for centaur because at this level it's just "can we supply a header" but it's up to the caller to decide what and when. In the initial cromwell PR this will only be public URLs and no headers will be sent, but I was just thinking ahead because accessing protected URLs is going to be asked for soon
... also had to fix a deprecation error due to newer cats being pulled in