
fix: OAuth2 Basic Auth header encoding for special characters#6263

Merged
bijin-bruno merged 1 commit into usebruno:main from sanjaikumar-bruno:fix/oauth2-basic-auth-header
Dec 2, 2025

Conversation

@sanjaikumar-bruno (Member) commented Dec 2, 2025

BRU-2240
Fixes: #6194

Removed URI encoding of client ID and secret before Base64 encoding. The credentials are now Base64-encoded directly as clientId:clientSecret.

@coderabbitai coderabbitai bot (Contributor) commented Dec 2, 2025

Walkthrough

Two OAuth2 utility modules are updated to remove URL-encoding of client credentials before Base64 encoding in Basic Authentication headers. The clientId and clientSecret are now directly Base64 encoded across multiple OAuth2 authorization flows (authorizationCode, clientCredentials, passwordCredentials, refreshToken, and password grant paths).

Changes

Cohort: OAuth2 Basic Auth Header Construction
File(s): packages/bruno-electron/src/utils/oauth2.js, packages/bruno-requests/src/auth/oauth2-helper.ts
Summary: Removes encodeURIComponent() wrapper from clientId and clientSecret during Basic Authentication header formation. Credentials are now directly concatenated and Base64 encoded in authorization flows: authorizationCode, clientCredentials, passwordCredentials, refreshToken (Electron), and client_credentials, password (requests helper).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

  • Verify consistency of the encoding change across all four OAuth2 flow methods in the Electron module
  • Confirm both token fetch paths in the requests helper apply the same logic
  • Validate that removing URL-encoding aligns with OAuth2 spec for Basic Authentication (RFC 6749)

Poem

🔐 No more double-wrapping credentials tight,
Base64 speaks direct—clean and right,
OAuth2 flows now skip the encode dance,
ClientId and Secret get their rightful chance! 🎭

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately describes the main change: removing URL-encoding from OAuth2 Basic Auth header credential construction.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@coderabbitai coderabbitai bot (Contributor) left a comment

Actionable comments posted: 4

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dd72ee5 and 08399c5.

📒 Files selected for processing (2)
  • packages/bruno-electron/src/utils/oauth2.js (4 hunks)
  • packages/bruno-requests/src/auth/oauth2-helper.ts (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: Playwright E2E Tests
  • GitHub Check: Unit Tests
  • GitHub Check: CLI Tests
  • GitHub Check: SSL Tests - Windows
  • GitHub Check: SSL Tests - macOS
  • GitHub Check: SSL Tests - Linux
🔇 Additional comments (4)
packages/bruno-requests/src/auth/oauth2-helper.ts (2)

148-148: Encoding fix correctly implements RFC 2617 Basic Authentication.

Removing encodeURIComponent before Base64 encoding is the correct implementation. Per RFC 2617, Basic Authentication credentials should be formatted as base64(clientId:clientSecret) without URL encoding.


148-148: Add validation for clientSecret when using basic_auth_header credentials placement.

The code uses a non-null assertion (clientSecret!) without validating that clientSecret is defined. Since OAuth2Config declares clientSecret as optional, this could cause a runtime error. Add an explicit check before constructing the Authorization header, or verify that all callers guarantee clientSecret is defined when credentialsPlacement is 'basic_auth_header'.

packages/bruno-electron/src/utils/oauth2.js (2)

453-455: Good validation pattern for clientSecret.

This flow correctly validates that clientSecret exists and is not empty before constructing the Basic Auth header. The encoding fix is correct per RFC 2617.


600-602: Proper validation and correct encoding.

Like the client credentials flow, this correctly validates clientSecret before use. The encoding fix aligns with RFC 2617 Basic Authentication standards.

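The two header constructions the PR description contrasts (encodeURIComponent before Base64 versus Base64 over the raw clientId:clientSecret string), together with the clientSecret guard the review comments above ask for, as an added example in JavaScript (Node.js, for Buffer). This is not Bruno's code; the function names, the sample client ID and the sample secret are assumptions made up for the illustration. It also makes the caveat concrete: RFC 6749 section 2.3.1 specifies form-urlencoding client_id and client_secret before Base64 (roughly what the removed encodeURIComponent did), while a token endpoint that compares the decoded values verbatim, as the server in the linked issue evidently does, only accepts the raw form.

```javascript
// Added example (not Bruno's code): builds the OAuth2 client Basic Auth header
// the two ways the PR contrasts, then decodes each the way a token endpoint
// would. Requires Node.js for Buffer. Function names and sample values are
// constructed for this illustration.

// After the fix: Base64 over the raw "clientId:clientSecret" string.
// Guards the undefined/empty secret case the review comments discuss instead
// of relying on a non-null assertion.
function basicAuthHeaderRaw(clientId, clientSecret) {
  if (!clientId) throw new Error('clientId is required for basic_auth_header');
  if (!clientSecret) throw new Error('clientSecret is required for basic_auth_header');
  const credentials = Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64');
  return `Basic ${credentials}`;
}

// Before the fix: each value is run through encodeURIComponent first. This is
// close to what RFC 6749 section 2.3.1 asks for, but a server that compares
// the decoded values verbatim rejects any secret containing reserved characters.
function basicAuthHeaderFormEncoded(clientId, clientSecret) {
  if (!clientId) throw new Error('clientId is required for basic_auth_header');
  if (!clientSecret) throw new Error('clientSecret is required for basic_auth_header');
  const credentials = Buffer.from(
    `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret)}`,
    'utf8'
  ).toString('base64');
  return `Basic ${credentials}`;
}

// Server side: decode and split on the FIRST ':' only. The password may itself
// contain ':' (RFC 7617 forbids ':' in the user-id, not in the password).
function decodeBasicAuthHeader(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/.exec(header);
  if (!m) throw new Error('not a Basic Auth header');
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const idx = decoded.indexOf(':');
  if (idx < 0) throw new Error('missing ":" separator');
  return { username: decoded.slice(0, idx), password: decoded.slice(idx + 1) };
}

// Constructed sample credentials: the secret deliberately uses characters that
// encodeURIComponent rewrites (@ : / + & = %).
const SAMPLE_CLIENT_ID = 'my-client';
const SAMPLE_CLIENT_SECRET = 'p@ss:w/rd+&=%';

// Compare what a verbatim-comparing server recovers under each construction.
function compareEncodings(clientId = SAMPLE_CLIENT_ID, clientSecret = SAMPLE_CLIENT_SECRET) {
  const raw = decodeBasicAuthHeader(basicAuthHeaderRaw(clientId, clientSecret));
  const form = decodeBasicAuthHeader(basicAuthHeaderFormEncoded(clientId, clientSecret));
  return {
    rawPassword: raw.password,
    rawMatches: raw.password === clientSecret,
    formEncodedPassword: form.password,
    formEncodedMatches: form.password === clientSecret,
  };
}

// True when the builder refuses to emit a header without a secret.
function basicAuthHeaderRejectsMissingSecret(clientId) {
  try {
    basicAuthHeaderRaw(clientId, undefined);
    return false;
  } catch (e) {
    return true;
  }
}

console.log(compareEncodings());
```

Run it with node; the printed object shows the raw construction round-tripping the secret unchanged while the form-encoded one hands the server the percent-escaped string, which is the mismatch behind the 401 in the linked issue.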
@bijin-bruno (Collaborator) commented

Unit tests related to the current changes are to be added in PR #6186.
cc - @abhishek-bruno

@bijin-bruno bijin-bruno merged commit 9d6486b into usebruno:main Dec 2, 2025
8 checks passed
naman-bruno pushed a commit to naman-bruno/bruno that referenced this pull request Dec 2, 2025
Successfully merging this pull request may close these issues.

OAuth2 regression: 401 Unauthorized with special characters in client secret when using Basic Auth header (v2.8.0 → v2.13.2+)