The maxAge option in Express's res.cookie() expects a duration in milliseconds, not an absolute timestamp. The previous code was adding `Date.now()` to the validity period, causing cookies to expire decades in the future instead of the intended 1 day / 7 days.
This was particularly problematic on macOS due to stricter cookie handling by Safari/WebKit.
Addresses #5818
Co-authored-by: njg7194 <njg7194@users.noreply.github.com>
- Cache and reuse a single `FaradayCage` WASM instance to avoid repeated allocations.
- Dispose `InspectionService` watchers via `effectScope` to prevent accumulation on tab switch.
- Use `Set` for environment variable key lookups in validation.
- Dispose Monaco editor models on component unmount.
The desktop shell was reading from `instance/hoppscotch-unified.store` while the webapp writes to `store/hoppscotch-unified.store`. This caused the app to lose track of the last connected instance on restart.
Closes FE-1121
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
Fixes collections with JSON comments failing in the CLI with `SerializationException` while working fine in the app, where comments are stripped before sending requests, but the CLI was sending them as-is, breaking APIs like AWS Cognito that expect valid JSON.
Adds `overflow-auto` to `HttpResponse` component to create a scroll container
that enables console entries to scroll when content exceeds viewport.
Removes unnecessary `overflow-y-auto` from `ConsolePanel` component since scrolling
is now handled at the `HttpResponse` level.
Fixes the console tab scrolling issue by following the same component-level
approach as PR #5695 (Settings/Profile scroll fix).
- Remove unused i18n keys (organizations, no_orgs, expand, collapse, status badges).
- Consolidate inactive org tooltips into single key.
- Simplify `multi_account_notice` text for clarity.
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
Co-authored-by: Nahid Hasan <52489202+nahidhasan94@users.noreply.github.com>
Extends the organization platform definition to support switching between multiple organizations and displaying custom branding (logo and name) in the application header. Adds shared utilities for file uploads and avatar generation, including deterministic colour support.
These changes enable the Cloud for Organizations tier to offer:
- Multi-organization switching via sidebar UI.
- Custom logo uploads for organization branding.
- Seamless navigation between different organization instances.
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
This fixes the stale vendored display version.
`VENDORED_INSTANCE_CONFIG` currently stores old instance version
`25.9.0` and while other components do override this correctly, it'd be
better to keep this consistent per release.
Closes FE-1102
Refined network retry logic to distinguish between transient infrastructure
failures and intentional test errors, preventing incorrect test skips in
JUnit validation scenarios.
1. Network Error Detection (utils.ts)
- Renamed `hasNetworkError` → `hasLowLevelNetworkError` for clarity
- Removed REQUEST_ERROR from retry patterns (too generic, matches intentional bad URLs)
- Now only retries on unambiguous TCP/DNS errors: ECONNRESET, EAI_AGAIN,
ENOTFOUND, ETIMEDOUT, ECONNREFUSED
- Preserved TEST_SCRIPT_ERROR detection when concurrent with REQUEST_ERROR
(the actual CI failure mode from undefined response objects)
- Added comprehensive JSDoc explaining when to use vs plain runCLI
2. JUnit XML Validation (test.spec.ts, 4 locations)
- Removed REQUEST_ERROR and TEST_SCRIPT_ERROR from XML retry patterns
- Only retry when low-level errors corrupt XML structure
- Prevents skipping tests with intentional errors in collections
(test-junit-report-export-coll.json has intentional invalid-url and
script reference errors for validation)
3. Test Corrections
- Fixed: "Fails to display console logs..." test now uses plain runCLI
(test expects errors from legacy sandbox, shouldn't use retry)
- Added: Environment version tests (v0, v1, v2) now use runCLIWithNetworkRetry
(use echo.hoppscotch.io, expect success, benefit from retry)
- Removed: Obsolete SKIP_EXTERNAL_TESTS env var check (retry logic handles this)
Fixes agent interceptor registration broken by dependency update
---------
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
This updates Hoppscotch Desktop (Shell) dependencies to align with
`v2025.11.0` security patch and other dependency chain.
---------
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
Add comprehensive test coverage for unsupported Postman APIs and ensure
consistent error messages across pre-request and post-request contexts.
Test improvements:
- Expand coverage from 13 to 25 unsupported APIs (50 tests total)
- Add missing APIs: collectionVariables.set/unset/has/clear/toObject,
vault.set/unset, iterationData.set/unset/has/toJSON
- Fix assertions to match actual error format with prefix
- Add pre-request context test for pm.execution.location
Implementation fixes:
- Add missing pm.iterationData.toJSON() in pre-request.js
- Sync post-request.js collectionVariables error messages to match
pre-request.js ("use environment or request variables instead")
This fixes desktop app auth failures where users encounter
"Session expired" errors when creating environments or
saving requests despite being logged in.
The issue occurred because token verify/validation works on web
(cookie-based auth) but fails on desktop (bearer token auth). The
desktop implementation had flaky response parsing in
`verifyAuthTokens()`.
Includes some future proofing work around cookie parsing
in `setAuthCookies()`, for Set-Cookie headers contain commas
or are concatenated with newlines (see #5394).
The runtime schema uses .catch() fallbacks for all fields (`key`, `value`, `active`, `description`), making them effectively optional at runtime. Updated type definitions to use Partial<> to match actual runtime behavior and prevent type errors in usage.
This allows valid usage patterns like:
``
hopp.request.setHeaders([{ key: "X-Custom", value: "foo" }])
```
Without requiring all fields (`active`, `description`) to be explicitly provided.
- Update active state styles for better visibility in the mock server.
- BE updates catered to improving content type handling in the mock server.
- Introduced a `disableMockServerInPersonalWorkspace` platform-level feature flag.
- Remove inactive keyboard shorthand nudges from the Mock server dashboard context menu.
---
Co-authored-by: mirarifhasan <arif.ishan05@gmail.com>
Co-authored-by: jamesgeorge007 <25279263+jamesgeorge007@users.noreply.github.com>
* fix(mock-server): handle null collection case in dashboard display
* feat(mock-server): add private access hint for non-public mock servers
* fix(mock-server): update private access hint for clarity
* refactor(mock-server): remove console logs from mock server creation and update
- Fix null/undefined environment variable handling across namespaces
- Fix pm.request console.log output to display properly
- Add pm.request.id and pm.request.name type definitions
- Fix assertion error messages to show actual values
- Strip `export {};` from collection exports and legacy sandbox editor display
Added support for overriding the default session cookie name using the `INFRA.SESSION_COOKIE_NAME` config or the `SESSION_COOKIE_NAME` environment variable. This helps compatibility with proxies or load balancers that cannot handle cookie names containing dots.
---
Co-authored-by: mirarifhasan <arif.ishan05@gmail.com>
Co-authored-by: jamesgeorge007 <25279263+jamesgeorge007@users.noreply.github.com>
Add per-domain toggle to disable automatic HTTP redirect following in
the Native and Agent interceptors. When disabled, requests return the
redirect response (status code, headers, body) without following the
Location header.
Previously HTTP redirects were always followed (on browser, can't do
much about that, see
https://fetch.spec.whatwg.org/#atomic-http-redirect-handling) without
option to inspect the redirect response itself. This prevented
developers from accessing redirect metadata needed when testing OAuth
flows (PKCE where intermediate responses contain authorization tokens),
authentication endpoints that return codes in Location headers with 302
status, and debugging API redirect chains. But on the desktop app,
redirects were just never followed, creating the opposite effect.
The browser's fetch API applies atomic HTTP redirect handling per spec,
making it impossible to intercept redirects and inspect their responses.
The Native and Agent interceptors use curl and native HTTP clients
respectively, both supporting redirect control, making this feature
viable for these specific interceptors. (Proxyscotch tbd).
