Add support for additional backend headers #42

Open. aboullaite wants to merge 2 commits into main from add-additional-headers-support

@aboullaite aboullaite commented Jun 30, 2026

Summary

  • Introduce SAVE_TO_SPOTIFY_HEADERS env var for host processes to inject additional headers into backend API requests
  • Headers are passed as a JSON object of header name/value pairs and validated to only accept the X-STS-* prefix (any casing; keys are canonicalized)
  • Entries with invalid HTTP header names or values are dropped at parse time, so a malformed entry can never break requests
  • Headers are applied in a shared transport scoped to the backend host, covering all backend requests (including the update check) while never leaking to other hosts (OAuth token endpoint, signed upload URLs)

Test plan

  • go build ./... and go vet ./... pass
  • go test ./... — all existing and new tests pass
  • Headers are forwarded to the backend when set, absent when unset, and never sent to non-backend hosts (tested)
  • Non-X-STS-* headers are rejected; lowercase x-sts-* keys are accepted and canonicalized (tested)
  • Invalid JSON, invalid header names (e.g. spaces), and invalid values (e.g. control characters) are handled gracefully (tested)

Mohammed Aboullaite added 2 commits June 30, 2026 09:51
Allow host processes to pass extra headers to backend API requests
through the SAVE_TO_SPOTIFY_HEADERS environment variable. The value
is a JSON array of "Key:Value" strings. Only headers prefixed with
X-STS- are accepted; all others are silently dropped.

Headers are parsed once at startup and applied to every backend
request via doAPIRequest.
@aboullaite aboullaite force-pushed the add-additional-headers-support branch from 125096d to 35c96f8 Compare July 2, 2026 08:49
Comment thread config/config.go

var entries map[string]string
if err := json.Unmarshal([]byte(raw), &entries); err != nil {
return nil
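
Review bot: the `return nil` on the `json.Unmarshal` error path discards `err`, so a SAVE_TO_SPOTIFY_HEADERS value that is set but malformed looks the same to the caller as an unset variable. Report the failure before returning, and include only `err` in the message rather than `raw`, since header values may be sensitive.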

This would happen when the SAVE_TO_SPOTIFY_HEADERS var is set but contains invalid JSON; it would be good to log when that happens.

Comment thread config/config.go
for _, k := range keys {
key := textproto.CanonicalMIMEHeaderKey(strings.TrimSpace(k))
val := strings.TrimSpace(in[k])
if val == "" || !strings.HasPrefix(key, additionalHeaderPrefix) {
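
Review bot: in `strings.HasPrefix(key, additionalHeaderPrefix)`, `key` has already passed through `textproto.CanonicalMIMEHeaderKey`, which rewrites `X-STS-Foo` to `X-Sts-Foo`, so the check only matches if `additionalHeaderPrefix` is itself in canonical form (`X-Sts-`). The constant's definition is not visible in this hunk; a comment beside it saying it must stay canonical would keep a later change to `X-STS-` from silently dropping every header. Two input keys that differ only in case also collapse to the same `key` here, so a test for which value wins would be worth adding.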

The X-STS-* prefix check is critical: without it, a value like {"Authorization": "Bearer ..."} in SAVE_TO_SPOTIFY_HEADERS would silently overwrite the CLI's own auth header, since the transport runs after doAPIRequest sets Authorization.

jonaslindmark approved these changes Jul 3, 2026
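
The two properties discussed in this thread, the X-STS-* allowlist and a transport scoped to the backend host, shown together in Go as an added example (not the PR's code). The names `allowedPrefix`, `scopedTransport`, `decorate` and the host `api.backend.example` are assumptions, and header name/value syntax validation is outside what it covers.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/textproto"
	"strings"
)

const allowedPrefix = "X-Sts-" // canonical form of X-STS-; assumed, the PR's constant is not shown

// parseExtraHeaders keeps only non-empty entries whose canonical name has the prefix.
func parseExtraHeaders(raw string) http.Header {
	out, entries := http.Header{}, map[string]string{}
	if json.Unmarshal([]byte(raw), &entries) != nil {
		return out // malformed JSON yields no extra headers
	}
	for k, v := range entries {
		key := textproto.CanonicalMIMEHeaderKey(strings.TrimSpace(k))
		if v = strings.TrimSpace(v); v != "" && strings.HasPrefix(key, allowedPrefix) {
			out[key] = []string{v}
		}
	}
	return out
}

// scopedTransport adds extra only to requests for backendHost.
type scopedTransport struct {
	base        http.RoundTripper
	backendHost string
	extra       http.Header
}
func (t scopedTransport) decorate(req *http.Request) *http.Request {
	if req.URL.Host == t.backendHost {
		req = req.Clone(req.Context()) // never mutate the caller's request
		for k, vs := range t.extra {
			req.Header[k] = vs
		}
	}
	return req
}

func (t scopedTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	return t.base.RoundTrip(t.decorate(req))
}

func main() {
	fmt.Println(parseExtraHeaders(`{"x-sts-trace":"abc","Authorization":"Bearer other"}`)) // constructed
}
```

Because `Authorization` never survives `parseExtraHeaders`, the header the CLI set before the transport runs is still intact after `decorate`, and requests to any other host pass through untouched.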