Let's do something with "Failed to convert header keys to lower case due to field name conflict"

[dir01]

Context

I use sendgrid library to send emails. What I want to test is whether email is sent under certain conditions and whether Authorization header contains token that was provided in app configuration. Sendgrid library slightly misses casing of User-Agent header. Again, nothing criminal. Resulting headers are

    {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "User-agent": "sendgrid/7.0.0;nodejs",
        "Authorization": "Bearer SG.fake-api-key",
        "User-Agent": "axios/0.19.2",
        "Content-Length": 188
    }

But my tests now fail with Error: Failed to convert header keys to lower case due to field name conflict: user-agent. Clearly, in this case functionally everything will continue to work on sendgrid's side, the only problem is that now I can't test what I want to test.

I understand why you would hesitate to change this behaviour: would I be an author of a library, I would like to know that I messed up in casing of one of my header, since that could lead to a bug that would be hard to detect and time-consuming to debug.
But as an end-application developer I think I provided a convincing example of a situation in which this behaviour is undesirable.
I believe that approach taken in #1741 (replace exception with a warning) would achieve both goals: it would be possible to go on with your testing while being informed that there is a problem with one of your headers.

Alternatives

The options currently present are:

• to ask third-party library authors to fix wrong header (the only rationale being is that it makes hard to test their libraries with nock)
• to include a hack in the actual code trying to work around this problem (changes to the code made just for the sake of fixing tests is a code smell)
• to include a hack in the testing code (which is slightly better, but still messy)
• to fix this in the nock (this seems like a most logical solution)

Has the feature been requested before?

I understand that the issue has been raised a number of times, the most recent being #1741, but it seems that there is no understanding as to why this is important, so I am trying to make my case.

If the feature request is accepted, would you be willing to submit a PR?

Yes

[mastermatt]

The utility fn headersFieldNamesToLowerCase is used in two places.

First, it's used to prepare reqheaders on Interceptors. I think this should continue to throw an error as it's verifying input to Nock only, and allowing duplicates here would cause undefined behavior.

Second, it's used on the request options. And not allowing duplicate headers breaks parity with Nodes undocumented, but defined behavior. "Headers are added in object insertion order, the last one wins out."
I think this should be considered a bug and Nock should match this behavior.

Maybe headersFieldNamesToLowerCase gets a second arg that flags to error on duplicate?

PR's welcome. We're currently basing off the beta branch with plans to cut a major in the next week. 🤞

[paulmelnikow]

Doesn't Node do something complicated like concatenate those headers? (discussion in #1741) Has that behavior changed in recent versions of Node?

[mastermatt]

So that's where things get weird (things have not changed in Node).

That complicated header logic happens on the IncomingMessage level here before the headers are sent across the wire. (Also on response headers)
However, on the ClientRequest level you can pass an object of headers and they get added in object insertion order here.
One thing to note is that setting multiple headers on ClientRequest instance is deprecated, but it is still the norm when creating a new instance directly or with http.request/get.

So since Nock doesn't have the layers of complexity that Node has, the question is: what does Node parity look like?
Or put another way, if we allow duplicate headers on requests, what is the intuitive way Nock users expect those to be matched?

Using @dir01 example from above:

nock("http://example.com")
  .get("/"
  .matchHeader("User-agent", "sendgrid/7.0.0;nodejs")
  .reply()

http.get("http://example.com", { 
    headers: {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "User-agent": "sendgrid/7.0.0;nodejs",
        "Authorization": "Bearer SG.fake-api-key",
        "User-Agent": "axios/0.19.2",
        "Content-Length": 188
    }
})

What should happen? The request has sendgrid as one of the user agent headers, but it would only send axios over the wire if Nock wasn't in the mix, so should Nock match it?

My suggestion above, of just not throwing the error for dups in request options, would cause Nock to not match, but the request itself would not error.
My mind went this direction because I personally use Nock to test server interactions, not Node internals or client behavior.

I see three options:

1. Leave it as is. It avoids this ambiguity, but causes issues with clients that take advantage of legacy Node looseness.
2. Remove the error for request options, but still match the headers that would go over the wire. The example above would not match.
3. Remove the error for request options, and do header matching on all headers added to the req. The example above would match.

I don't like the third option because I think it directly contradicts the description of this repo.

HTTP server mocking and expectations library for Node.js

But I'm also biased based on my personal usage.

As for the first two options.. 🤷‍♂ flip a coin. I think either direction will cause frustration for some number of users.

[paulmelnikow]

@dir01 are you trying to make assertions about the user-agent header, or is your testing unrelated to that header?

@mastermatt I'm less concerned about handling the case where a user is trying to test one of these ambiguous headers, and more about these headers clogging up the works for unrelated kinds of testing.

As a variation on 2, we could also drop keys that cause a conflict, which would also prevent us from matching what might be the wrong value. We could add a flag to let users opt in to that behavior. By default they would get an error, but if they set the flag, these ambiguous headers would just get dropped.

[mastermatt]

option 2 implicitly drops the duplicate headers because as the header object is looped through any previous value would be overwritten.

[mastermatt]

Looks like #1845 was also related.

[dir01]

In my opinion,

Remove the error for request options, but still match the headers that would go over the wire. The example above would not match.

is the way to go.

To the best of my understanding, it most closely matches the way node would act in real life

> require('axios').get('https://httpbin.org/headers', {headers: {'User-agent': 'sendgrid/7.0.0;nodejs'}}).then(resp=>console.log(resp.data))
Promise { <pending> }
> {
  headers: {
    Accept: 'application/json, text/plain, */*',
    Host: 'httpbin.org',
    'User-Agent': 'axios/0.19.2',
    'X-Amzn-Trace-Id': 'Root=1-5e8c14dc-0abe86fddc351f09f52f09ba'
  }
}

So if nock would do the same, it could potentially help users catch a bug in their code. The only problem I see with this is potential frustration of a user trying to match a request with ambiguous headers and banging their head on the wall trying to understand why it doesn't match. This is a reason I think headersFieldNamesToLowerCase should produce a warning when processing request options (while continuing to throw when used to prepare reqheaders on Interceptors)

@paulmelnikow Currently I am trying to make assertions about authorizations header only

Also related: sendgrid/sendgrid-nodejs#1083

[paulmelnikow]

So if nock would do the same, it could potentially help users catch a bug in their code. The only problem I see with this is potential frustration of a user trying to match a request with ambiguous headers and banging their head on the wall trying to understand why it doesn't match. This is a reason I think headersFieldNamesToLowerCase should produce a warning when processing request options (while continuing to throw when used to prepare reqheaders on Interceptors)

I'd be okay with a warning if it's possible to suppress it. In general people don't seem to want to fix these duplicate-header "bugs," which means the warning is likely to hang out indefinitely.

The option could be something like mixedCaseDuplicateHeaders: 'warn' | 'error' | 'keep-last' which defaults to 'warn'.

Alternatively, we could trigger this warning / error only if you try to match against the mixed-case header.

That complicated header logic happens on the IncomingMessage level here before the headers are sent across the wire. (Also on response headers)
However, on the ClientRequest level you can pass an object of headers and they get added in object insertion order here.
One thing to note is that setting multiple headers on ClientRequest instance is deprecated, but it is still the norm when creating a new instance directly or with http.request/get.

When we talk about parity, this is the part that I'm trying to understand.

What are the correct ways to send duplicate headers? How do we make sure those still get concatenated?

If we can keep that behavior I'm all for keeping the last-inserted key (and/or warning, as described above).

[mastermatt]

What are the correct ways to send duplicate headers? How do we make sure those still get concatenated?

https://nodejs.org/api/http.html#http_request_setheader_name_value

Use an array of strings here to send multiple headers with the same name.

Note that this will send a single header by name and use the complicated logic we've replicated to properly concat them.
Sending multiple headers w/ the same name is not currently an option.

It sounds like the three of us on are the same page that it would be best to allow the dup headers in request options, and provide some sort of feedback about the dups and that only the last occurrence will be matched against. I'll do a quick POC to see what it looks like.

[mastermatt]

PR: #1972

[paulmelnikow]

I think the approach in #1972 will generate a lot of warnings that sit around for a long while. How about we include a way to silence the warning and call it a day?

[dir01]

As I see it, warnings are a lesser evil than a complete inability to proceed, so even as-is #1972 is an improvement over the existing state of affairs. With that being said, what mechanism do you have in mind? One that silences all duplicate header-related warnings, or the ones related to a specific header, or the ones related to a specific scope? What kind of API do you have in mind?

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. We try to do our best, but nock is maintained by volunteers and there is only so much we can do at a time. Thank you for your contributions.