fix(connection): auto-fetch hidden stored headers when saving auth changes#2562
Conversation
…anges Changing the bearer token (or any auth/header field) on an existing hosted server hard-blocked the save with 'Reveal saved headers before changing authentication...' because saving replaces the whole stored header set and the form couldn't see the hidden ones. Instead of blocking, the save flow now fetches the stored headers via the existing reveal-secrets API and merges the edit into them: the saved Authorization header is swapped only when auth was actually edited, and all other hidden headers are preserved. The old error remains only as a fallback when the secrets can't be fetched. Also fixes a latent bug where a bearer-token edit made before manually revealing headers was silently dropped from the secret patch. https://claude.ai/code/session_01DENLb6ErstWpuZThrLDWR9
✅ Snyk checks have passed. No issues have been found so far.
CodeRabbit: No actionable comments were generated in the recent review. Files selected for processing (1); files skipped from review as they are similar to previous changes (1).
Walkthrough: This PR adds selective preservation of stored HTTP headers when users edit server authentication.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Reviewed by Cursor Bugbot for commit f3c4fc7.
const finalFormData = formState.buildFormData(
  revealedHeaders ? { revealedHeaders } : undefined
);
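Review bot: the ternary here hands `undefined` to `buildFormData` whenever `revealedHeaders` is falsy, so a reveal that succeeded but returned no header payload looks the same to the merge as a save that needed no reveal at all; the follow-up commit 6cce650 on this page records exactly that case (a null headers payload coerced to an empty merge base) and now treats it as a failed reveal. It would be safer to make the distinction explicit at this call site, e.g. only reaching `buildFormData` once the reveal has been confirmed non-null whenever `needsStoredHeaderReveal` is set, so the fail-closed path cannot be bypassed by a later refactor of the fetch.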
Deferred build races form reset
Medium Severity
handleSave now awaits fetchServerSecrets before calling buildFormData, but dirty flags and edited auth/header values live in hook state that useServerForm reinitializes whenever the server prop changes. If the live server snapshot updates during that await, authDirty/headersDirty can clear and the post-fetch patch may omit the user’s auth or header change or keep the old Authorization value while still showing success.
This race can't occur: handleSave captures formState from the render in which Save was clicked, and buildFormData reads only closure-bound useState values from that same render (no refs). If the server prop updates during the await and the init effect resets authDirty/headersDirty, that affects the next render's formState — the in-flight handler keeps building from the values as of the click. The second finding (null headers coerced to an empty merge base) was real and is fixed in 6cce650.
Generated by Claude Code
Internal preview URL: https://mcp-inspector-pr-2562.up.railway.app
…he response A successful reveal-secrets response with a null headers payload was coerced to an empty merge base, so the replacement patch could wipe stored headers that never came back. Treat it as a failed reveal and surface the retry toast instead. https://claude.ai/code/session_01DENLb6ErstWpuZThrLDWR9


Problem
Changing the bearer token (or auth type, or adding a header row) on an existing hosted server hard-blocked the save with:
Saving a header-affecting change replaces the entire stored header set, and in hosted mode the saved headers (including Authorization) are redacted from the client, so the form refused to build a replacement patch it couldn't make safely. The only way out was finding the "Reveal" button buried in Advanced settings — a dead end when you just want to rotate a token.
Fix
Instead of blocking, ServerDetailModal.handleSave now fetches the stored headers through the existing /api/web/server/reveal-secrets API when needed and passes them to buildFormData, which merges the edit into them:
The Authorization header is replaced/dropped only when the user actually edited auth (new authDirty flag, tracked separately from header-row edits); adding an unrelated header row no longer risks losing a hidden bearer token.
Also fixes a latent bug: a bearer-token edit made before manually revealing headers was silently dropped from the secret patch, because reveal reset the dirty flag the patch depended on. authDirty survives the reveal, so the edit is kept.
Testing
use-server-form tests: the auth-change-with-hidden-headers case now expects a merged patch instead of a validation error; added coverage for preserving the hidden Authorization on row-only edits and dropping it when switching to OAuth.
vitest run client/src/components/connection — 11 files, 113 tests pass.
npm run typecheck:client — clean.
Fixes the error Eric reported when changing bearer tokens for an existing server.
https://claude.ai/code/session_01DENLb6ErstWpuZThrLDWR9
Generated by Claude Code
Note
Medium Risk
Changes how stored server secrets are assembled on save and could mis-merge headers if reveal fails or IDs are missing, though the code fails closed on API errors.
Overview
Hosted server saves no longer hard-block when you change bearer auth, auth type, or custom headers while stored HTTP headers are still hidden. Instead of requiring a manual “Reveal” in Advanced settings, ServerDetailModal loads saved headers via fetchServerSecrets when needsStoredHeaderReveal is set, then passes them into buildFormData so the replacement secretPatch keeps non-auth headers and applies your edit. useServerForm now tracks auth edits separately (authDirty vs header-row headersDirty). Merged patches only drop or replace the stored Authorization header when auth was actually changed; header-only edits can preserve a hidden bearer token. Validation no longer blocks save for hidden headers; fetch failures still show toasts and abort save. Tests cover merge behavior for auth changes, header-only edits, and switching away from bearer/OAuth.
Reviewed by Cursor Bugbot for commit 6cce650.