
feat: multi-header auth for VTEX-style APIs#21

Merged: lucianfialho merged 3 commits into main from feat/20-dual-header-auth on Apr 14, 2026
Conversation

@lucianfialho (Owner)

Closes #20.

Summary

  • Adds --header "Name: Value" (repeatable, also -H) to auth login and at invoke time
  • New "headers" auth type — stored in profiles, sent on every request
  • $VAR / ${VAR} resolution per header value (so tokens can come from env)
  • --agent-help now emits multi-header --header "X-VTEX-API-AppKey: <value>" --header "X-VTEX-API-AppToken: <value>" when the spec declares 2+ apiKey header schemes
  • --dry-run prints every custom header (both plain and curl output)

Design choice

Went with Option A from the issue (generic --header flags). Rationale: works for VTEX and any future N-header scheme without bespoke flags. Option C (interactive auto-detect from securitySchemes) is deferred — the detection primitive (detectApiKeyHeaders) is in place so a follow-up can add the prompt flow without refactoring.

Usage

```shell
# Save once
spec2cli auth login --profile vtex \
  -H "X-VTEX-API-AppKey: $VTEX_KEY" \
  -H "X-VTEX-API-AppToken: $VTEX_TOKEN"

# Or inline (also accepts env interpolation)
spec2cli --spec vtex-catalog.yaml \
  --header "X-VTEX-API-AppKey: $VTEX_KEY" \
  --header "X-VTEX-API-AppToken: $VTEX_TOKEN" \
  catalog getproduct --id 42
```

Test plan

  • tsc compile — passes
  • vitest run — 95/95 (was 82, +13 new)
    • parseHeaderFlag: valid, whitespace, : in value (URL), missing colon, empty name
    • detectApiKeyHeaders: multi-scheme + empty
    • resolveAuth: flag-based, env-var expansion, precedence over --token, profile load, empty-object fallthrough
    • executeRequest: VTEX-style dual-header sent on the wire
  • Smoke: `auth login -H ... -H ...`, then `auth status` masks each header
  • Smoke: --dry-run against a synthetic VTEX spec emits both headers + curl
  • Smoke: --agent-help on dual-header spec emits correct hint
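The securitySchemes detection that the summary says backs the `--agent-help` hint, written out as an added TypeScript example. This is not spec2cli's own code: the type shapes, the function names `detectApiKeyHeaders` / `multiHeaderHint` and the sample spec are assumptions constructed for illustration (the spec mimics a VTEX-style catalog API but is not VTEX's real document).

```typescript
// Added example, not spec2cli's own code: find apiKey security schemes that
// live in request headers and build the multi-header --agent-help hint.
// The types, function names and the sample spec below are assumptions.

interface SecurityScheme {
  type: string;                         // "apiKey", "http", "oauth2", ...
  in?: "header" | "query" | "cookie";   // where an apiKey is carried
  name?: string;                        // header/query/cookie name for apiKey schemes
  scheme?: string;                      // e.g. "bearer" for type "http"
}

interface OpenApiDoc {
  components?: { securitySchemes?: Record<string, SecurityScheme> };
}

// Header names of every apiKey scheme delivered in a request header, in spec
// order and without duplicates. Query/cookie apiKeys and http schemes are
// skipped because --header cannot carry them.
function detectApiKeyHeaders(doc: OpenApiDoc): string[] {
  const schemes = doc.components?.securitySchemes ?? {};
  const headers: string[] = [];
  for (const scheme of Object.values(schemes)) {
    if (scheme.type !== "apiKey" || scheme.in !== "header" || !scheme.name) continue;
    if (!headers.includes(scheme.name)) headers.push(scheme.name);
  }
  return headers;
}

// The hint line for --agent-help: one --header flag per detected scheme with
// a <value> placeholder, or null when the spec declares fewer than two.
function multiHeaderHint(doc: OpenApiDoc): string | null {
  const headers = detectApiKeyHeaders(doc);
  if (headers.length < 2) return null;
  return headers.map((h) => `--header "${h}: <value>"`).join(" ");
}

// Constructed sample spec (not VTEX's real document): two header apiKeys plus
// a query apiKey and a bearer scheme that must be ignored.
const sampleSpec: OpenApiDoc = {
  components: {
    securitySchemes: {
      appKey: { type: "apiKey", in: "header", name: "X-VTEX-API-AppKey" },
      appToken: { type: "apiKey", in: "header", name: "X-VTEX-API-AppToken" },
      queryKey: { type: "apiKey", in: "query", name: "api_key" },
      bearer: { type: "http", scheme: "bearer" },
    },
  },
};

// A spec with a single header scheme gets no multi-header hint.
const singleHeaderSpec: OpenApiDoc = {
  components: {
    securitySchemes: { key: { type: "apiKey", in: "header", name: "X-Api-Key" } },
  },
};

console.log(multiHeaderHint(sampleSpec));
console.log(multiHeaderHint(singleHeaderSpec)); // null: only one header scheme
```

The placeholder `<value>` is deliberate: the hint tells an agent which header names the API needs without ever echoing a stored credential.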

Adds --header flag (repeatable) to auth login and at invoke time, so APIs
requiring multiple simultaneous auth headers (e.g. VTEX's X-VTEX-API-AppKey
+ X-VTEX-API-AppToken) work end-to-end. Persists as a "headers" profile type,
resolves $VAR / ${VAR} per value, and --agent-help now hints multi-header
usage when the spec declares two or more apiKey header schemes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@lucianfialho lucianfialho force-pushed the feat/20-dual-header-auth branch from 16effd7 to 0a07171 on April 13, 2026 23:58
lucianfialho and others added 2 commits April 13, 2026 21:14
Previously --verbose only masked Authorization. With multi-header auth,
X-VTEX-API-AppKey/Token and any apiKey custom header leaked in plaintext
to stderr — would end up in CI logs. Now masks every header added via the
auth path using the same maskToken() helper used by `auth status`.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- parseHeaderFlag now rejects CR/LF in name/value (RFC 7230 header injection)
  and enforces RFC-valid token chars in header names.
- resolveEnvVar warns to stderr when $VAR resolves to unset or empty —
  silent empty headers produce confusing 401s ("auth wrong" when it's "env unset").
- index.ts parseHeaderArgs now delegates to parseHeaderFlag so CLI-time
  argv parsing shares the same validation as `auth login`.
- .gitignore: ignore .claude/ harness state.

Addresses code-review feedback on PR #21.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
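The three behaviours these two commit messages describe (CR/LF rejection and RFC 7230 token names in `parseHeaderFlag`, the unset/empty warning in `resolveEnvVar`, and masking every auth header for `--verbose`), as one added TypeScript example. It is not spec2cli's implementation: the function names are taken from the commit messages but their signatures, the `buildAuthHeaders` wrapper, the mask format and the sample env/flags are assumptions constructed here.

```typescript
// Added example, not spec2cli's own implementation: the --header validation,
// $VAR / ${VAR} expansion and --verbose masking described in the commit
// messages, as stand-alone functions. Signatures and the mask format are assumed.

// RFC 7230 "tchar": the only characters allowed in a header field name.
const TOKEN_RE = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;

interface Header { name: string; value: string; }

// Parse one "Name: Value" flag. Splits on the first colon so URLs in values
// survive, then rejects empty names, CR/LF anywhere (header injection guard)
// and names that are not RFC tokens.
function parseHeaderFlag(raw: string): Header {
  const colon = raw.indexOf(":");
  if (colon < 0) throw new Error(`--header expects "Name: Value", got ${JSON.stringify(raw)}`);
  const name = raw.slice(0, colon).trim();
  const value = raw.slice(colon + 1).trim();
  if (name === "") throw new Error(`--header has an empty name: ${JSON.stringify(raw)}`);
  if (/[\r\n]/.test(name) || /[\r\n]/.test(value)) {
    throw new Error(`--header must not contain CR or LF: ${JSON.stringify(raw)}`);
  }
  if (!TOKEN_RE.test(name)) throw new Error(`invalid header name ${JSON.stringify(name)}`);
  return { name, value };
}

// Expand $VAR and ${VAR} from the given env. Unset or empty variables expand
// to "" and are reported through `warn`, so a 401 is not misread as a bad key.
function resolveEnvVar(
  value: string,
  env: Record<string, string | undefined>,
  warn: (msg: string) => void,
): string {
  return value.replace(/\$(?:\{([A-Za-z_]\w*)\}|([A-Za-z_]\w*))/g, (_m: string, braced?: string, bare?: string) => {
    const key = (braced ?? bare) as string;
    const resolved = env[key];
    if (resolved === undefined || resolved === "") {
      warn(`warning: $${key} is ${resolved === undefined ? "unset" : "empty"}; header sent with an empty value`);
      return "";
    }
    return resolved;
  });
}

// What --verbose / `auth status` show instead of the secret (format assumed).
function maskToken(value: string): string {
  if (value === "") return "(empty)";
  if (value.length <= 8) return "****";
  return `${value.slice(0, 4)}...${value.slice(-4)}`;
}

interface AuthHeaders {
  headers: Record<string, string>;   // what goes on the wire
  masked: Record<string, string>;    // what is safe to log
  warnings: string[];                // empty/unset env-var notices
}

// Turn the repeatable --header flags into wire headers plus the masked view.
function buildAuthHeaders(flags: string[], env: Record<string, string | undefined>): AuthHeaders {
  const headers: Record<string, string> = {};
  const masked: Record<string, string> = {};
  const warnings: string[] = [];
  for (const flag of flags) {
    const { name, value } = parseHeaderFlag(flag);
    const resolved = resolveEnvVar(value, env, (m) => warnings.push(m));
    headers[name] = resolved;
    masked[name] = maskToken(resolved);
  }
  return { headers, masked, warnings };
}

// Constructed env and flags (not real credentials); VTEX_TOKEN is deliberately unset.
const demoEnv: Record<string, string | undefined> = { VTEX_KEY: "vtexappkey-demo-0123456789" };
const demoFlags = ["X-VTEX-API-AppKey: $VTEX_KEY", "X-VTEX-API-AppToken: ${VTEX_TOKEN}"];
const demo = buildAuthHeaders(demoFlags, demoEnv);
for (const w of demo.warnings) console.error(w);
console.log(demo.masked); // only the masked view is ever printed
```

Only `demo.masked` reaches stdout/stderr; `demo.headers` exists solely to hand to the HTTP client, which is the split that keeps the AppKey/AppToken pair out of CI logs.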
@lucianfialho lucianfialho merged commit 8115c56 into main Apr 14, 2026
1 check passed
lucianfialho added a commit that referenced this pull request Apr 14, 2026
Highlights since v0.5.0:
- feat: multi-header auth for VTEX-style APIs (#20, PR #21)
  - --header / -H flag, repeatable, works inline and via `auth login` profiles
  - $VAR / ${VAR} expansion per header value with empty-var warning
  - --agent-help now suggests multi-header usage on specs with 2+ apiKey schemes
- fix: mask all auth header values in --verbose output (not just Authorization)
- fix: reject CR/LF in header names/values (RFC 7230 injection guard)
- fix: parse object and array params from JSON strings (#15, PR #19)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Linked issue closed by this merge: Support dual-header auth for VTEX APIs (X-VTEX-API-AppKey + X-VTEX-API-AppToken)