Pull request overview
This PR fixes authentication inheritance so that the closest parent folder’s enabled auth configuration is applied (instead of accidentally preferring higher-level/root folders), and aligns OAuth2 token resolution with the same ancestor ordering.
Changes:
- Update folder-auth selection to use requestGroups in leaf-to-root order (closest-first) rather than reversing before searching.
- Prevent accidental mutation of requestGroups when building inherited headers.
- Document the leaf-to-root ordering contract of withAncestors() and add clarifying comments at key call sites.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| packages/insomnia/src/network/network.ts | Fixes closest-folder auth inheritance logic and avoids mutating requestGroups when inheriting headers. |
| packages/insomnia/src/main/network/o-auth-2/get-token.ts | Ensures OAuth2 token parent selection uses closest folder auth based on leaf-to-root ordering. |
| packages/insomnia/src/insomnia-data/node-src/database/database-nedb.ts | Documents that withAncestors() returns results in leaf-to-root order. |
| packages/insomnia/src/common/render.ts | Adds clarification that requestGroups are leaf-to-root when derived from render ancestors. |
✅ Circular References Report
Generated at: 2026-06-02T10:04:42.126Z
Circular references in PR: 10. Circular references in base branch: 10.
Analysis: ✅ No Change: This PR does not introduce or remove any circular references.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Initial plan
* test: add auth inheritance regression coverage
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Close INS-2671
Problem
When a request inherited OAuth2 authentication from a parent folder, Insomnia would incorrectly reuse a cached token belonging to a sibling folder's credentials instead of the folder actually providing the auth.
This manifested when multiple sibling folders each had distinct OAuth2 configurations and requests inside them used inherited auth — all requests would end up sharing the token that was fetched first.
Root Cause
Two separate bugs, both caused by incorrect array traversal direction:
1. Wrong ancestor in getExistingAccessTokenAndRefreshIfExpired (get-token.ts)
db.withAncestors returns ancestors in leaf-to-root order (i.e. [closestFolder, ..., rootFolder]). The token cache lookup used .reverse().find() on this array, which reversed the order to root-to-leaf and therefore found the farthest ancestor with auth instead of the nearest one. This caused the wrong closestAuthId to be used as the token cache key.
2. In-place mutation in getOrInheritHeaders (network.ts)
getOrInheritHeaders called requestGroups.reverse() directly, which mutates the original array in-place. When getOrInheritHeaders and getOrInheritAuthentication were called sequentially (as in render.ts), the second call received an already-reversed array. This masked the bug in getOrInheritAuthentication by accident, but was itself incorrect and fragile.
Fix
- .reverse() from the ancestor traversal. Since the input is already leaf-to-root, a plain .find() now correctly returns the nearest ancestor with auth.
- getOrInheritAuthentication: Removed .reverse() to match the corrected leaf-to-root contract. Added a comment documenting the expected input order.
- getOrInheritHeaders: Changed requestGroups.reverse() to [...requestGroups].reverse() to avoid mutating the caller's array.