fix: validate API key is not empty in HTTPRequest node (#29950)

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
2025-12-21 10:04:07 +01:00 · 2025-12-21 10:04:07 +01:00 · 6cf71366ba
parent 32605181bd
commit 6cf71366ba
3 changed files with 150 additions and 19 deletions
--- a/api/core/workflow/nodes/http_request/executor.py
+++ b/api/core/workflow/nodes/http_request/executor.py
@ -86,6 +86,11 @@ class Executor:
            node_data.authorization.config.api_key = variable_pool.convert_template(
                node_data.authorization.config.api_key
            ).text
+            # Validate that API key is not empty after template conversion
+            if not node_data.authorization.config.api_key or not node_data.authorization.config.api_key.strip():
+                raise AuthorizationConfigError(
+                    "API key is required for authorization but was empty. Please provide a valid API key."
+                )

        self.url = node_data.url
        self.method = node_data.method
--- a/api/tests/integration_tests/workflow/nodes/test_http.py
+++ b/api/tests/integration_tests/workflow/nodes/test_http.py
@ -6,6 +6,7 @@ import pytest

 from core.app.entities.app_invoke_entities import InvokeFrom
 from core.workflow.entities import GraphInitParams
+from core.workflow.enums import WorkflowNodeExecutionStatus
 from core.workflow.graph import Graph
 from core.workflow.nodes.http_request.node import HttpRequestNode
 from core.workflow.nodes.node_factory import DifyNodeFactory
@ -169,13 +170,14 @@ def test_custom_authorization_header(setup_http_mock):


@pytest.mark.parametrize("setup_http_mock", [["none"]], indirect=True)
-def test_custom_auth_with_empty_api_key_does_not_set_header(setup_http_mock):
-    """Test: In custom authentication mode, when the api_key is empty, no header should be set."""
+def test_custom_auth_with_empty_api_key_raises_error(setup_http_mock):
+    """Test: In custom authentication mode, when the api_key is empty, AuthorizationConfigError should be raised."""
    from core.workflow.nodes.http_request.entities import (
        HttpRequestNodeAuthorization,
        HttpRequestNodeData,
        HttpRequestNodeTimeout,
    )
+    from core.workflow.nodes.http_request.exc import AuthorizationConfigError
    from core.workflow.nodes.http_request.executor import Executor
    from core.workflow.runtime import VariablePool
    from core.workflow.system_variable import SystemVariable
@ -208,16 +210,13 @@ def test_custom_auth_with_empty_api_key_does_not_set_header(setup_http_mock):
        ssl_verify=True,
    )

-    # Create executor
-    executor = Executor(
-        node_data=node_data, timeout=HttpRequestNodeTimeout(connect=10, read=30, write=10), variable_pool=variable_pool
-    )
-
-    # Get assembled headers
-    headers = executor._assembling_headers()
-
-    # When api_key is empty, the custom header should NOT be set
-    assert "X-Custom-Auth" not in headers
+    # Create executor should raise AuthorizationConfigError
+    with pytest.raises(AuthorizationConfigError, match="API key is required"):
+        Executor(
+            node_data=node_data,
+            timeout=HttpRequestNodeTimeout(connect=10, read=30, write=10),
+            variable_pool=variable_pool,
+        )


@pytest.mark.parametrize("setup_http_mock", [["none"]], indirect=True)
@ -305,9 +304,10 @@ def test_basic_authorization_with_custom_header_ignored(setup_http_mock):
@pytest.mark.parametrize("setup_http_mock", [["none"]], indirect=True)
 def test_custom_authorization_with_empty_api_key(setup_http_mock):
    """
-    Test that custom authorization doesn't set header when api_key is empty.
-    This test verifies the fix for issue #23554.
+    Test that custom authorization raises error when api_key is empty.
+    This test verifies the fix for issue #21830.
    """
+
    node = init_http_node(
        config={
            "id": "1",
@ -333,11 +333,10 @@ def test_custom_authorization_with_empty_api_key(setup_http_mock):
    )

    result = node._run()
-    assert result.process_data is not None
-    data = result.process_data.get("request", "")
-
-    # Custom header should NOT be set when api_key is empty
-    assert "X-Custom-Auth:" not in data
+    # Should fail with AuthorizationConfigError
+    assert result.status == WorkflowNodeExecutionStatus.FAILED
+    assert "API key is required" in result.error
+    assert result.error_type == "AuthorizationConfigError"


@pytest.mark.parametrize("setup_http_mock", [["none"]], indirect=True)
--- a/api/tests/unit_tests/core/workflow/nodes/http_request/test_http_request_executor.py
+++ b/api/tests/unit_tests/core/workflow/nodes/http_request/test_http_request_executor.py
@ -1,3 +1,5 @@
+import pytest
+
 from core.workflow.nodes.http_request import (
    BodyData,
    HttpRequestNodeAuthorization,
@ -5,6 +7,7 @@ from core.workflow.nodes.http_request import (
    HttpRequestNodeData,
 )
 from core.workflow.nodes.http_request.entities import HttpRequestNodeTimeout
+from core.workflow.nodes.http_request.exc import AuthorizationConfigError
 from core.workflow.nodes.http_request.executor import Executor
 from core.workflow.runtime import VariablePool
 from core.workflow.system_variable import SystemVariable
@ -348,3 +351,127 @@ def test_init_params():
    executor = create_executor("key1:value1\n\nkey2:value2\n\n")
    executor._init_params()
    assert executor.params == [("key1", "value1"), ("key2", "value2")]
+
+
+def test_empty_api_key_raises_error_bearer():
+    """Test that empty API key raises AuthorizationConfigError for bearer auth."""
+    variable_pool = VariablePool(system_variables=SystemVariable.empty())
+    node_data = HttpRequestNodeData(
+        title="test",
+        method="get",
+        url="http://example.com",
+        headers="",
+        params="",
+        authorization=HttpRequestNodeAuthorization(
+            type="api-key",
+            config={"type": "bearer", "api_key": ""},
+        ),
+    )
+    timeout = HttpRequestNodeTimeout(connect=10, read=30, write=30)
+
+    with pytest.raises(AuthorizationConfigError, match="API key is required"):
+        Executor(
+            node_data=node_data,
+            timeout=timeout,
+            variable_pool=variable_pool,
+        )
+
+
+def test_empty_api_key_raises_error_basic():
+    """Test that empty API key raises AuthorizationConfigError for basic auth."""
+    variable_pool = VariablePool(system_variables=SystemVariable.empty())
+    node_data = HttpRequestNodeData(
+        title="test",
+        method="get",
+        url="http://example.com",
+        headers="",
+        params="",
+        authorization=HttpRequestNodeAuthorization(
+            type="api-key",
+            config={"type": "basic", "api_key": ""},
+        ),
+    )
+    timeout = HttpRequestNodeTimeout(connect=10, read=30, write=30)
+
+    with pytest.raises(AuthorizationConfigError, match="API key is required"):
+        Executor(
+            node_data=node_data,
+            timeout=timeout,
+            variable_pool=variable_pool,
+        )
+
+
+def test_empty_api_key_raises_error_custom():
+    """Test that empty API key raises AuthorizationConfigError for custom auth."""
+    variable_pool = VariablePool(system_variables=SystemVariable.empty())
+    node_data = HttpRequestNodeData(
+        title="test",
+        method="get",
+        url="http://example.com",
+        headers="",
+        params="",
+        authorization=HttpRequestNodeAuthorization(
+            type="api-key",
+            config={"type": "custom", "api_key": "", "header": "X-Custom-Auth"},
+        ),
+    )
+    timeout = HttpRequestNodeTimeout(connect=10, read=30, write=30)
+
+    with pytest.raises(AuthorizationConfigError, match="API key is required"):
+        Executor(
+            node_data=node_data,
+            timeout=timeout,
+            variable_pool=variable_pool,
+        )
+
+
+def test_whitespace_only_api_key_raises_error():
+    """Test that whitespace-only API key raises AuthorizationConfigError."""
+    variable_pool = VariablePool(system_variables=SystemVariable.empty())
+    node_data = HttpRequestNodeData(
+        title="test",
+        method="get",
+        url="http://example.com",
+        headers="",
+        params="",
+        authorization=HttpRequestNodeAuthorization(
+            type="api-key",
+            config={"type": "bearer", "api_key": "   "},
+        ),
+    )
+    timeout = HttpRequestNodeTimeout(connect=10, read=30, write=30)
+
+    with pytest.raises(AuthorizationConfigError, match="API key is required"):
+        Executor(
+            node_data=node_data,
+            timeout=timeout,
+            variable_pool=variable_pool,
+        )
+
+
+def test_valid_api_key_works():
+    """Test that valid API key works correctly for bearer auth."""
+    variable_pool = VariablePool(system_variables=SystemVariable.empty())
+    node_data = HttpRequestNodeData(
+        title="test",
+        method="get",
+        url="http://example.com",
+        headers="",
+        params="",
+        authorization=HttpRequestNodeAuthorization(
+            type="api-key",
+            config={"type": "bearer", "api_key": "valid-api-key-123"},
+        ),
+    )
+    timeout = HttpRequestNodeTimeout(connect=10, read=30, write=30)
+
+    executor = Executor(
+        node_data=node_data,
+        timeout=timeout,
+        variable_pool=variable_pool,
+    )
+
+    # Should not raise an error
+    headers = executor._assembling_headers()
+    assert "Authorization" in headers
+    assert headers["Authorization"] == "Bearer valid-api-key-123"