Authorization Header is removed even if it should not
After spending some time digging into this topic I think the current implementation of the transformation of Authorization headers (header-transforms.js) does not cover all real-life use cases, even if it seems to follow the specification (https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials).
What I observed:
So, this hammerhead lib is used within TestCafe to proxy HTTP requests coming from the page/application under test. In our case we use the Authorization header not for HTTP Authentication, but to pass an OAuth2 token to our API backend. The token is added from within the JS application and not automatically by the browser after the user signed in (as it happens for HTTP auth). By intent we do not create XHR requests using withCredentials = true.
What happens now is (which is actually different from default browser behaviour):
When the API backend request is sent from our application under test (by TestCafe), the request is intercepted by hammerhead and because withCredentials=false the Authorization header is removed, which leads to an unauthenticated request to our backend and in turn to failing tests. IMHO, this is not correct, as this specific auth header is not like the ones which are automatically sent by the browser when accessing sites that require HTTP authentication.
Issue Analytics
- Created 7 years ago
- Comments:7 (3 by maintainers)
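The behaviour this issue describes, as a simplified model (an added example, not hammerhead's code and not part of the original issue): the first function drops Authorization whenever withCredentials is false, the second drops it only when the page did not set the header itself. The request shape, the function names and the scriptHeaders field are assumptions made for illustration.

```javascript
// Simplified model of a rewriting proxy's request-header step.
// Hypothetical names throughout; not hammerhead's implementation.

// Behaviour reported in the issue: without withCredentials, the
// Authorization header is always dropped.
function stripWhenNoCredentials(req) {
  const headers = { ...req.headers };
  if (!req.withCredentials) delete headers.authorization;
  return headers;
}

// Alternative: drop only credentials the browser attached by itself
// (HTTP authentication). Assumption: a client-side shim reports which
// header names the page passed to setRequestHeader() as scriptHeaders.
function stripOnlyBrowserCredentials(req) {
  const headers = { ...req.headers };
  const setByPage = req.scriptHeaders.includes('authorization');
  if (!req.withCredentials && !setByPage) delete headers.authorization;
  return headers;
}

// Constructed sample requests as the proxy would see them.
const sample = (withCredentials, scriptHeaders, authorization) =>
  ({ withCredentials, scriptHeaders, headers: { authorization, accept: 'application/json' } });
const samples = {
  oauthTokenSetByPage: sample(false, ['authorization'], 'Bearer <constructed-token>'),
  httpAuthAddedByBrowser: sample(false, [], 'Basic <constructed-credentials>'),
  httpAuthWithCredentials: sample(true, [], 'Basic <constructed-credentials>'),
};

// For each sample, report whether Authorization survives each policy.
function compare() {
  const out = {};
  for (const [name, req] of Object.entries(samples)) {
    out[name] = {
      reported: 'authorization' in stripWhenNoCredentials(req),
      alternative: 'authorization' in stripOnlyBrowserCredentials(req),
    };
  }
  return out;
}

console.log(compare());
```

Only the first sample differs between the two policies: the token the application set itself is lost under the reported behaviour and forwarded under the alternative, while browser-attached HTTP auth is still withheld unless withCredentials is true.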
Top GitHub Comments
@LavrovArtem: works like a charm … thank you …
Hi @JoergFiedler, I understood your problem, and if you create an example, it will be useful for us to check.