fix: don't send authorization headers with download links #158

Open: mguida22 wants to merge 3 commits into main from guida/prevent-sending-auth-to-download-links

mguida22 (Member) commented Jun 25, 2026

Changelog

Fix: authorization headers are no longer sent on requests to download links.

Docs

None

Description

Our download links use signed object store URLs. They don't need and shouldn't be sent auth headers that we use to communicate with the regular Foxglove API. This prevents sending headers by using a regular request for our download requests instead of our existing __session.

As part of this change I noticed it's possible for streaming responses to not properly close on error. This ensures we always close the response in a finally block.

In addition to tests here, I've tested that downloads still work properly via a local test script against our real backend.
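
A regression check for the behaviour described above, as an added example that is not part of this pull request or the project's code: a loopback HTTP server stands in for the object store and records the headers it receives, once from a client that attaches an API token to every request and once from a plain client. The names `make_opener`, `fetch`, `headers_received`, the token and the signed URL are constructed for illustration, and the standard-library `urllib` opener is an assumed stand-in for the project's session object.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

API_TOKEN = "constructed-example-token"  # constructed sample value, not a real key


class CaptureHandler(BaseHTTPRequestHandler):
    """Stand-in for the object store: records the headers of each GET."""
    seen = []

    def do_GET(self):
        type(self).seen.append({k.lower(): v for k, v in self.headers.items()})
        body = b"constructed-recording-bytes"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def make_opener(token=None):
    """With a token: models the API session (auth on every request). Without: plain client."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars
    if token:
        opener.addheaders.append(("Authorization", f"Bearer {token}"))
    return opener


def fetch(opener, url):
    """GET url and close the response in a finally block, even if reading fails."""
    resp = opener.open(url, timeout=5)
    try:
        return resp.read()
    finally:
        resp.close()


def headers_received(opener):
    """Fetch a constructed signed link via `opener`; return the headers the store saw."""
    server = HTTPServer(("127.0.0.1", 0), CaptureHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        fetch(opener, f"http://127.0.0.1:{server.server_port}/obj?sig=constructed")
        return CaptureHandler.seen[-1]
    finally:
        server.shutdown()
        server.server_close()
```
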

claude[bot] (Contributor) left a comment

One open risk before release: smoke-test the signed-URL paths — /v1/data/stream, /v1/data/upload, and the attachment redirect target — against a real backend. The whole change rests on those links needing no Authorization; if any still expects the Foxglove token, downloads/uploads will start 401ing once auth is stripped. Not verifiable from the diff.
