ensure trust boundaries are retrieved if x-allowed-locations exists

bshaffer · bshaffer · commit 9cf4b9d4fc6b · 2026-05-21T16:16:30.000-07:00
diff --git a/src/TrustBoundaryTrait.php b/src/TrustBoundaryTrait.php
@@ -37,11 +37,15 @@ private function getTrustBoundary(
             return null;
         }
 
+        if (array_key_exists('x-allowed-locations', $headers)) {
+            // If the headers are already set, do not set them
+            return null;
+        }
+
         // Return cached value if it exists
         if ($cached = $this->getCachedValue($this->getCacheKey() . ':trustboundary')) {
             return $cached;
         }
-
         if (!array_key_exists('authorization', $headers)) {
             // If we don't have an authorization token we can't look up the trust boundary
             return null;
diff --git a/tests/TrustBoundaryTraitTest.php b/tests/TrustBoundaryTraitTest.php
@@ -144,6 +144,19 @@ public function testSkipLookupOutsideDefaultUniverseDomain()
         $this->assertNull($result1);
     }
 
+    public function testSkipLookupIfXAllowedLocationsAreAlreadySet()
+    {
+        // First call, should fetch and cache
+        $result1 = $this->impl->getTrustBoundary(
+            'universe.domain',
+            fn () => throw new \Exception('Should not be called'),
+            'default',
+            ['authorization' => ['xyz'], ['x-allowed-locations' => 'abc']]
+        );
+
+        $this->assertNull($result1);
+    }
+
     public function testLookupIsFailOpen()
     {
         $mock = new MockHandler([
