fix: propagate user headers between internal api requests (#1049)

Assem-Uber · web-flow · commit db384227ecde · 2025-10-23T14:39:16.000+02:00
* propagate user headers from server renders

* fix tests

* dynamically import headers

* log propagated header keys

* add test cases

* import headers inline
diff --git a/src/utils/request/__tests__/request.node.ts b/src/utils/request/__tests__/request.node.ts
@@ -1,7 +1,14 @@
+import { headers } from 'next/headers';
+
 import getConfigValue from '@/utils/config/get-config-value';
 
 import request from '../request';
 jest.mock('@/utils/config/get-config-value');
+jest.mock('next/headers', () => ({
+  headers: jest.fn().mockReturnValue({
+    entries: jest.fn().mockReturnValue([]),
+  }),
+}));
 
 describe('request on node env', () => {
   afterEach(() => {
@@ -24,7 +31,41 @@ describe('request on node env', () => {
     await request(url, options);
     expect(fetch).toHaveBeenCalledWith(`http://127.0.0.1:${port}` + url, {
       cache: 'no-cache',
+      headers: {},
       ...options,
     });
   });
+  it('should merge user headers with call headers, with call headers taking precedence', async () => {
+    const url = '/api/data';
+    const mockHeaders = jest.fn().mockReturnValue({
+      entries: jest.fn().mockReturnValue([
+        ['x-user-id', 'user123'],
+        ['authorization', 'Bearer user-token'],
+      ]),
+    });
+    (headers as jest.MockedFunction<typeof headers>).mockReturnValue(
+      mockHeaders() as any
+    );
+
+    const options = {
+      method: 'POST',
+      headers: {
+        'content-type': 'application/json',
+        authorization: 'Bearer override-token',
+      },
+    };
+
+    const port = await getConfigValue('CADENCE_WEB_PORT');
+    await request(url, options);
+
+    expect(fetch).toHaveBeenCalledWith(`http://127.0.0.1:${port}` + url, {
+      cache: 'no-cache',
+      headers: {
+        'x-user-id': 'user123',
+        authorization: 'Bearer override-token', // Call header overrides user header
+        'content-type': 'application/json',
+      },
+      method: 'POST',
+    });
+  });
 });
diff --git a/src/utils/request/__tests__/request.test.ts b/src/utils/request/__tests__/request.test.ts
@@ -1,6 +1,17 @@
+import { headers } from 'next/headers';
+
 import request from '../request';
 import { RequestError } from '../request-error';
 
+jest.mock('next/headers', () => ({
+  headers: jest.fn().mockReturnValue({
+    entries: jest.fn().mockReturnValue([
+      ['x-user-id', 'user123'],
+      ['authorization', 'Bearer user-token'],
+    ]),
+  }),
+}));
+
 describe('request on browser env', () => {
   afterEach(() => {
     const mockedFetch = global.fetch as jest.MockedFunction<
@@ -21,14 +32,42 @@ describe('request on browser env', () => {
     const url = 'http://example.com';
     const options = { method: 'GET' };
     await request(url, options);
-    expect(fetch).toHaveBeenCalledWith(url, { cache: 'no-cache', ...options });
+    expect(fetch).toHaveBeenCalledWith(url, {
+      cache: 'no-cache',
+      headers: {},
+      ...options,
+    });
   });
 
   it('should call fetch with relative URL on client and no-cache option', async () => {
     const url = '/api/data';
     const options = { method: 'POST' };
     await request(url, options);
-    expect(fetch).toHaveBeenCalledWith(url, { cache: 'no-cache', ...options });
+    expect(fetch).toHaveBeenCalledWith(url, {
+      cache: 'no-cache',
+      headers: {},
+      ...options,
+    });
+  });
+
+  it('should not call headers() or use user headers in client environment', async () => {
+    const url = '/api/data';
+    const options = {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+    };
+
+    await request(url, options);
+
+    // Verify headers() was never called in browser environment
+    expect(headers).not.toHaveBeenCalled();
+
+    // Verify only the provided headers are used, not user headers
+    expect(fetch).toHaveBeenCalledWith(url, {
+      cache: 'no-cache',
+      headers: { 'content-type': 'application/json' },
+      method: 'POST',
+    });
   });
 
   it('should return error if request.ok is false', async () => {
diff --git a/src/utils/request/request.ts b/src/utils/request/request.ts
@@ -7,28 +7,35 @@ export default async function request(
   options?: RequestInit
 ): Promise<Response> {
   let absoluteUrl = url;
+  let userHeaders = {};
   const isRelativeUrl = url.startsWith('/');
   const isOnServer = typeof window === 'undefined';
   if (isOnServer && isRelativeUrl) {
     const port = await getConfigValue('CADENCE_WEB_PORT');
     absoluteUrl = `http://127.0.0.1:${port}${url}`;
+    // propagate user headers from browser to server API calls
+    userHeaders = Object.fromEntries(
+      await (await import('next/headers')).headers().entries()
+    );
   }
-
-  return fetch(absoluteUrl, { cache: 'no-cache', ...(options || {}) }).then(
-    async (res) => {
-      if (!res.ok) {
-        const error = await res.json();
-        throw new RequestError(
-          error.message,
-          url,
-          res.status,
-          error.validationErrors,
-          {
-            cause: error.cause,
-          }
-        );
-      }
-      return res;
+  const requestHeaders = { ...userHeaders, ...(options?.headers || {}) };
+  return fetch(absoluteUrl, {
+    cache: 'no-cache',
+    ...(options || {}),
+    headers: requestHeaders,
+  }).then(async (res) => {
+    if (!res.ok) {
+      const error = await res.json();
+      throw new RequestError(
+        error.message,
+        url,
+        res.status,
+        error.validationErrors,
+        {
+          cause: error.cause,
+        }
+      );
     }
-  );
+    return res;
+  });
 }
