Status: Closed
If you specify an x-okapi-token header when making a request to an edge module based on the edge-common framework, that token is used instead of the token obtained from cache or from authenticating with FOLIO.
I believe the problem is with this method: https://github.com/folio-org/edge-common/blob/fae254ca76aef9123d2bcbcb27b59c36e4588434/src/main/java/org/folio/edge/core/utils/OkapiClient.java#L260
Steps to Reproduce:
- Make a call to any edge-* module based on edge-common while specifying the x-okapi-token header.
Expected result: In downstream requests, the edge module should use the token obtained by authenticating with Okapi or taken from the edge module's internal cache.
Actual result: The token value provided in the request is used when making downstream requests. This can be seen in the logs...
And another example...
How to fix:
See release notes: https://github.com/folio-org/edge-common/releases/tag/v4.4.0
To make this even more visible, this should also be added to the OkapiClient javadoc.
The bug is in the edge-x module when it passes on all HTTP request headers to Okapi. This needs to be fixed there.
In addition, we can remove the X-Okapi-Token header in OkapiClient#combineHeadersWithDefaults; however, this doesn't stop other headers from being injected, which can be an issue because edge modules might be more exposed (more permissive firewall configuration) than Okapi.
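As an added example (not code from edge-common or any edge-* module), a header-forwarding filter in the spirit of the fix discussed above: it drops any caller-supplied X-Okapi-Token and X-Okapi-Tenant, comparing header names case-insensitively (the report shows both spellings), forwards only an explicit allowlist of headers, and always sets the token and tenant the edge module resolved itself. The class name, the allowlist and the helper signature are assumptions.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

// Added example, not edge-common code: builds the headers an edge module sends
// to Okapi from an incoming request without letting the caller inject
// X-Okapi-Token, X-Okapi-Tenant, or any header outside the allowlist.
public class OkapiHeaderFilter {

    // Headers a caller of the edge module may legitimately influence downstream.
    // Hypothetical allowlist; adjust per module.
    private static final Set<String> FORWARDABLE =
            Set.of("accept", "content-type", "accept-language");

    // HTTP header names are case-insensitive, so compare in lower case.
    private static final String OKAPI_TOKEN = "x-okapi-token";
    private static final String OKAPI_TENANT = "x-okapi-tenant";

    /**
     * @param incoming headers received by the edge module from its caller
     * @param tenant   tenant the edge module resolved itself (e.g. from its API key)
     * @param token    token the edge module took from its cache or obtained by logging in
     */
    public static Map<String, String> downstreamHeaders(Map<String, String> incoming,
                                                        String tenant, String token) {
        // Case-insensitive map, so the puts below override any spelling variant.
        Map<String, String> out = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        for (Map.Entry<String, String> e : incoming.entrySet()) {
            String name = e.getKey().toLowerCase(Locale.ROOT);
            if (FORWARDABLE.contains(name)) {
                out.put(name, e.getValue());
            }
            // Everything else, including x-okapi-token, is dropped here.
        }
        // The edge module's own identity always wins over anything the caller sent.
        out.put(OKAPI_TENANT, tenant);
        out.put(OKAPI_TOKEN, token);
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample request: caller tries to inject a token and a tenant.
        Map<String, String> incoming = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        incoming.put("X-Okapi-Token", "caller-supplied-token");
        incoming.put("x-okapi-tenant", "other-tenant");
        incoming.put("Accept", "application/json");
        System.out.println(downstreamHeaders(incoming, "diku", "edge-cached-token"));
    }
}
```

Only the Accept header survives from the request; the tenant and token sent to Okapi are the ones the edge module supplied.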
EDGCOMMON-47 Fix behavior when tenant header is present in a request
- relates to
EDGRTAC-72 HTTP header injection with X-Okapi-Token