Merge pull request #28 from script-development/security/stream-request-honors-credentials

Goosterhof · web-flow · commit 0e4de8765fc1 · 2026-04-13T13:47:03.000+02:00
security(http): streamRequest honors withCredentials option
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/http/package.json b/packages/http/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@script-development/fs-http",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Framework-agnostic HTTP service factory with middleware architecture",
   "homepage": "https://packages.script.nl/packages/http",
   "license": "MIT",
diff --git a/packages/http/src/http.ts b/packages/http/src/http.ts
@@ -139,10 +139,16 @@ export const createHttpService = (baseURL: string, options?: HttpServiceOptions)
 
     const base = apiUrl.toString().replace(/\/+$/, "");
 
+    // Honor the service's withCredentials config. Previously hardcoded to
+    // "include", which silently overrode consumer opt-outs. Note: smartCredentials
+    // is a no-op here because streamRequest only accepts relative endpoints
+    // (base + endpoint is string concatenation), so requests are always same-host.
+    const includeCredentials: boolean = options?.withCredentials ?? true;
+
     return fetch(base + endpoint, {
       signal,
       method: "POST",
-      credentials: "include",
+      credentials: includeCredentials ? "include" : "same-origin",
       headers,
       body: JSON.stringify(data),
     });
diff --git a/packages/http/tests/http.spec.ts b/packages/http/tests/http.spec.ts
@@ -670,6 +670,38 @@ describe("createHttpService", () => {
         }),
       );
     });
+
+    it("honors withCredentials: false by sending same-origin credentials mode", async () => {
+      // Arrange
+      const service = createHttpService(BASE_URL, { withCredentials: false });
+      const mockFetch = vi.fn(() => Promise.resolve(new Response("ok")));
+      vi.stubGlobal("fetch", mockFetch);
+
+      // Act
+      await service.streamRequest("/stream", {});
+
+      // Assert
+      expect(mockFetch).toHaveBeenCalledWith(
+        expect.any(String),
+        expect.objectContaining({ credentials: "same-origin" }),
+      );
+    });
+
+    it("honors explicit withCredentials: true by sending include credentials mode", async () => {
+      // Arrange
+      const service = createHttpService(BASE_URL, { withCredentials: true });
+      const mockFetch = vi.fn(() => Promise.resolve(new Response("ok")));
+      vi.stubGlobal("fetch", mockFetch);
+
+      // Act
+      await service.streamRequest("/stream", {});
+
+      // Assert
+      expect(mockFetch).toHaveBeenCalledWith(
+        expect.any(String),
+        expect.objectContaining({ credentials: "include" }),
+      );
+    });
   });
 });
 

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@script-development/fs-http",`
`3`		`- "version": "0.1.0",`
	`3`	`+ "version": "0.1.1",`
`4`	`4`	`"description": "Framework-agnostic HTTP service factory with middleware architecture",`
`5`	`5`	`"homepage": "https://packages.script.nl/packages/http",`
`6`	`6`	`"license": "MIT",`