Skip to content

feat: always add API key to endpoint requests#57

Merged
calthejuggler merged 5 commits intomainfrom
feature/send-API-key-at-all-times
Apr 14, 2026
Merged

feat: always add API key to endpoint requests#57
calthejuggler merged 5 commits intomainfrom
feature/send-API-key-at-all-times

Conversation

@calthejuggler
Copy link
Copy Markdown
Contributor

@calthejuggler calthejuggler commented Apr 9, 2026
edited by coderabbitai Bot
Loading

This PR deprecates the auth flag in the ClientRequestOptions type, and updates the context GET request to always send the auth headers with it.

Summary by CodeRabbit

  • Refactor

    • Requests now send API and client metadata headers by default; the legacy auth flag is deprecated and only disables those headers. GET helper was streamlined and a deprecated wrapper retained for compatibility.

  • Tests

    • Tests expanded to verify metadata headers for GET and other requests, cover auth flag deprecation behaviour and related warnings.

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Apr 9, 2026
edited
Loading

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b7cadfd9-8f5e-4f53-814b-6314383e13f2

📥 Commits

Reviewing files that changed from the base of the PR and between 202d198 and a9cd82c.

📒 Files selected for processing (2)
  • src/__tests__/client.test.js
  • src/client.ts
🚧 Files skipped from review as they are similar to previous changes (2)
  • src/tests/client.test.js
  • src/client.ts

Walkthrough

The PR changes client request authentication to include API/auth headers by default unless auth is explicitly set to false (the auth option is marked deprecated). Client.request() now warns when auth: true is passed. getUnauthed() was renamed to get() and a deprecated getUnauthed() wrapper forwards to get(). getContext() now calls get(). post() and put() no longer force auth: true. Tests were updated to expect metadata headers by default, remove redundant auth: true, and add tests covering the deprecated auth: true warning, get() behaviour, and getUnauthed() forwarding.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🐇 I hop through headers, tidy and spry,

Defaults now sparkle in the API sky,
get() takes the lead, old names bow away,
A warning nibbles when the past wants to stay,
Tiny paws applaud the tidy relay.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects the main change: deprecating the auth flag and ensuring API keys are always sent with endpoint requests by default.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feature/send-API-key-at-all-times

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai Bot reviewed Apr 9, 2026
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
src/client.ts (1)

89-97: ⚠️ Potential issue | 🟠 Major

getContext() still permits unauthenticated requests via forwarded options.

Because options is spread directly, callers can pass auth: false and bypass headers for context GET. If the intended contract is always-auth for getContext(), ignore or strip auth here.

🔧 Suggested hardening for `getContext()` 
 getContext(options?: Partial<ClientRequestOptions>) {
+  const { auth: _auth, method: _method, path: _path, query: _query, ...rest } = options ?? {};
   return this.get({
-    ...options,
+    ...rest,
     path: "/context",
     query: {
       application: this._opts.application.name,
       environment: this._opts.environment,
     },
   });
 }
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@src/client.ts` around lines 89 - 97, getContext currently forwards
caller-supplied options which allows bypassing authentication by passing auth:
false; update getContext (in src/client.ts) so it always enforces authentication
by overriding/stripping any auth flag from the merged options (e.g., explicitly
set auth: true or delete auth before calling this.get), ensuring the request to
path "/context" uses the client's intended auth headers regardless of the passed
Partial<ClientRequestOptions>.
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/client.ts`:
- Around line 24-25: Update the docstring for ClientRequestOptions.auth to
reflect runtime behavior by changing the wording from "The API key is now always
sent. This option will be removed in a future version." to something like "The
API key is sent by default; this option can be used to suppress it." Also ensure
the comment mentions it's deprecated if still intended, and keep the runtime
behavior in code (see ClientRequestOptions.auth and the header-suppression
branch around the auth check at line where auth: false is handled) consistent
with the new wording so users aren't misled.

---

Outside diff comments:
In `@src/client.ts`:
- Around line 89-97: getContext currently forwards caller-supplied options which
allows bypassing authentication by passing auth: false; update getContext (in
src/client.ts) so it always enforces authentication by overriding/stripping any
auth flag from the merged options (e.g., explicitly set auth: true or delete
auth before calling this.get), ensuring the request to path "/context" uses the
client's intended auth headers regardless of the passed
Partial<ClientRequestOptions>.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e6f50be8-96f9-464b-a9a2-e64654edc8f8

📥 Commits

Reviewing files that changed from the base of the PR and between ec59bfe and 62db72a.

📒 Files selected for processing (2)
  • src/__tests__/client.test.js
  • src/client.ts

Comment thread src/client.ts Outdated
@calthejuggler calthejuggler force-pushed the feature/send-API-key-at-all-times branch from 62db72a to cabcd9c Compare April 13, 2026 13:31
@calthejuggler calthejuggler requested a review from joalves April 13, 2026 15:26
@calthejuggler calthejuggler merged commit ddf6ae7 into main Apr 14, 2026
2 checks passed
@calthejuggler calthejuggler deleted the feature/send-API-key-at-all-times branch April 14, 2026 08:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@mario-silva mario-silva mario-silva approved these changes

@marcio-absmartly marcio-absmartly Awaiting requested review from marcio-absmartly marcio-absmartly is a code owner

@joalves joalves Awaiting requested review from joalves

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@calthejuggler @mario-silva