Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
This fixes the stale vendored display version.
`VENDORED_INSTANCE_CONFIG` currently stores old instance version
`25.9.0` and while other components do override this correctly, it'd be
better to keep this consistent per release.
Closes FE-1102
Refined network retry logic to distinguish between transient infrastructure
failures and intentional test errors, preventing incorrect test skips in
JUnit validation scenarios.
1. Network Error Detection (utils.ts)
- Renamed `hasNetworkError` → `hasLowLevelNetworkError` for clarity
- Removed REQUEST_ERROR from retry patterns (too generic, matches intentional bad URLs)
- Now only retries on unambiguous TCP/DNS errors: ECONNRESET, EAI_AGAIN,
ENOTFOUND, ETIMEDOUT, ECONNREFUSED
- Preserved TEST_SCRIPT_ERROR detection when concurrent with REQUEST_ERROR
(the actual CI failure mode from undefined response objects)
- Added comprehensive JSDoc explaining when to use vs plain runCLI
2. JUnit XML Validation (test.spec.ts, 4 locations)
- Removed REQUEST_ERROR and TEST_SCRIPT_ERROR from XML retry patterns
- Only retry when low-level errors corrupt XML structure
- Prevents skipping tests with intentional errors in collections
(test-junit-report-export-coll.json has intentional invalid-url and
script reference errors for validation)
3. Test Corrections
- Fixed: "Fails to display console logs..." test now uses plain runCLI
(test expects errors from legacy sandbox, shouldn't use retry)
- Added: Environment version tests (v0, v1, v2) now use runCLIWithNetworkRetry
(use echo.hoppscotch.io, expect success, benefit from retry)
- Removed: Obsolete SKIP_EXTERNAL_TESTS env var check (retry logic handles this)
Fixes agent interceptor registration broken by dependency update
---------
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
This updates Hoppscotch Desktop (Shell) dependencies to align with
`v2025.11.0` security patch and other dependency chain.
---------
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
Add comprehensive test coverage for unsupported Postman APIs and ensure
consistent error messages across pre-request and post-request contexts.
Test improvements:
- Expand coverage from 13 to 25 unsupported APIs (50 tests total)
- Add missing APIs: collectionVariables.set/unset/has/clear/toObject,
vault.set/unset, iterationData.set/unset/has/toJSON
- Fix assertions to match actual error format with prefix
- Add pre-request context test for pm.execution.location
Implementation fixes:
- Add missing pm.iterationData.toJSON() in pre-request.js
- Sync post-request.js collectionVariables error messages to match
pre-request.js ("use environment or request variables instead")
This fixes desktop app auth failures where users encounter
"Session expired" errors when creating environments or
saving requests despite being logged in.
The issue occurred because token verify/validation works on web
(cookie-based auth) but fails on desktop (bearer token auth). The
desktop implementation had flaky response parsing in
`verifyAuthTokens()`.
Includes some future proofing work around cookie parsing
in `setAuthCookies()`, for Set-Cookie headers contain commas
or are concatenated with newlines (see #5394).
The runtime schema uses .catch() fallbacks for all fields (`key`, `value`, `active`, `description`), making them effectively optional at runtime. Updated type definitions to use Partial<> to match actual runtime behavior and prevent type errors in usage.
This allows valid usage patterns like:
``
hopp.request.setHeaders([{ key: "X-Custom", value: "foo" }])
```
Without requiring all fields (`active`, `description`) to be explicitly provided.
- Update active state styles for better visibility in the mock server.
- BE updates catered to improving content type handling in the mock server.
- Introduced a `disableMockServerInPersonalWorkspace` platform-level feature flag.
- Remove inactive keyboard shorthand nudges from the Mock server dashboard context menu.
---
Co-authored-by: mirarifhasan <arif.ishan05@gmail.com>
Co-authored-by: jamesgeorge007 <25279263+jamesgeorge007@users.noreply.github.com>
* fix(mock-server): handle null collection case in dashboard display
* feat(mock-server): add private access hint for non-public mock servers
* fix(mock-server): update private access hint for clarity
* refactor(mock-server): remove console logs from mock server creation and update
- Fix null/undefined environment variable handling across namespaces
- Fix pm.request console.log output to display properly
- Add pm.request.id and pm.request.name type definitions
- Fix assertion error messages to show actual values
- Strip `export {};` from collection exports and legacy sandbox editor display
Added support for overriding the default session cookie name using the `INFRA.SESSION_COOKIE_NAME` config or the `SESSION_COOKIE_NAME` environment variable. This helps compatibility with proxies or load balancers that cannot handle cookie names containing dots.
---
Co-authored-by: mirarifhasan <arif.ishan05@gmail.com>
Co-authored-by: jamesgeorge007 <25279263+jamesgeorge007@users.noreply.github.com>
Add per-domain toggle to disable automatic HTTP redirect following in
the Native and Agent interceptors. When disabled, requests return the
redirect response (status code, headers, body) without following the
Location header.
Previously HTTP redirects were always followed (on browser, can't do
much about that, see
https://fetch.spec.whatwg.org/#atomic-http-redirect-handling) without
option to inspect the redirect response itself. This prevented
developers from accessing redirect metadata needed when testing OAuth
flows (PKCE where intermediate responses contain authorization tokens),
authentication endpoints that return codes in Location headers with 302
status, and debugging API redirect chains. But on the desktop app,
redirects were just never followed, creating the opposite effect.
The browser's fetch API applies atomic HTTP redirect handling per spec,
making it impossible to intercept redirects and inspect their responses.
The Native and Agent interceptors use curl and native HTTP clients
respectively, both supporting redirect control, making this feature
viable for these specific interceptors. (Proxyscotch tbd).
Updates `tauri-plugin-shell` from vulnerable version to `v2.2.1` to
address `CVE-2025-31477` in `open` around scope validation.
Affects both `hoppscotch-agent` and `hoppscotch-desktop`.
Closes FE-1022
This resolves window accumulation during instance switching by
implementing proper window lifecycle management using Tauri's
WebviewWindow APIs.
Co-authored-by: jamesgeorge007 <25279263+jamesgeorge007@users.noreply.github.com>
The rebases and updates desktop's `@hoppscotch/plugin-appload`
dependency from branch-based ref to specific commit hash to resolve
Docker build failures.
Branch-based GitHub dependencies require `git` in the build environment.
Our Dockerfile stages didn't install `git`, which caused `pnpm install`
to fail with `spawn git ENOENT`. Using a commit hash allows `pnpm` to
fetch the tarball directly without requiring `git`.
This implements backend path management, backup system, cross-platform utilities, and refactors the `appload` plugin arch to support portable mode deployment.
The changes are mainly establishing foundational infra maintaining current frontend behavior until phase-3+ integration.
- This standardises package versions between desktop, agent, appload, relay
all the native components to resolve version inconsistencies and prepare
for unified bumps in the future.
- Account for recent minor dependency bumps as a follow-up to #5329
Co-authored-by: jamesgeorge007 <25279263+jamesgeorge007@users.noreply.github.com>
This fixes file uploads incorrectly showing MIME type as "Other" instead
of their actual content types by expanding the `MediaType` enum relay
to include common audio, video, and image formats.
Basically `MediaType` enum is used for both `ContentType` which would
map to `ContentType` from `hoppscotch-data` (e.g. `multipart/form-data`)
but also to `FormValue` in `interop`
```rust
pub enum FormValue {
...
File {
filename: String,
content_type: MediaType,
data: Bytes,
},
}
```
although the later should be much more pervasive.
This is a follow up on #5244
Closes FE-887
Closes#3810Closes#5223Closes#5233
The issue occurred because the `relay`'s `MediaType` couldn't deserialize
beyond the basic types (text, JSON, XML, etc.), lacked support for
other media file types. The TypeScript layer correctly detected MIME
types (e.g., "audio/x-m4a"), but the deserialization process fell back
to `MediaType::Other`. Main reason for servers performing strict MIME
validation to reject uploads.
This attempts to resolve app startup failures on Linux systems
where IPv6 is disabled at the kernel level by replacing the dual-stack
port selection logic with network interface discovery.
Closes FE-912
Closes#4962
This adds test coverage for the tab navigation methods added in FE-907
the native tab keyboard shortcuts implementation.
Closes FE-909
The recently implemented desktop tab keyboard shortcuts added new tab
navigation methods to the `TabService` class (`goToNextTab()`,
`goToPreviousTab()`, `goToFirstTab()`, `goToLastTab()`,
`goToTabByIndex()`, and `reopenClosedTab()`). These methods lacked
corresponding test coverage.
