Commit graph

21 commits

Author SHA1 Message Date
Mir Arif Hasan
e4eee306a7
chore: patch dependency vulnerabilities and harden production image (#6055)
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
2026-03-27 19:26:26 +05:30
Mir Arif Hasan
2fcf5b7a5f
chore: security patch for the dependency chain v2026.3.0 (#6013)
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
2026-03-24 16:34:36 +05:30
Mir Arif Hasan
4fe0e376bb
chore: security patch for the dependency chain v2026.2.0 (#5887)
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
2026-02-19 12:48:50 +05:30
Mir Arif Hasan
4f13549ed2
chore: security patch for the dependency chain v2026.1.0 (#5786)
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
2026-01-21 23:25:40 +05:30
James George
27b817f627
feat: migrate ESLint to v9 across packages (#5773)
Co-authored-by: curiouscorrelation <curiouscorrelation@gmail.com>
2026-01-20 14:48:55 +05:30
Mir Arif Hasan
442242c8ca
chore: security patch for the quic-go vulnerability (#5710)
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
Co-authored-by: Nahid Hasan <52489202+nahidhasan94@users.noreply.github.com>
2025-12-19 21:00:22 +05:30
Mir Arif Hasan
05927f3d4d
chore: security patch for the dependency chain v2025.12.0 (#5678)
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
2025-12-12 16:58:35 +05:30
Shreyas
ecf7d2507a
feat(relay): control redirect follow (#5508)
Add per-domain toggle to disable automatic HTTP redirect following in
 the Native and Agent interceptors. When disabled, requests return the
 redirect response (status code, headers, body) without following the
 Location header.

 Previously HTTP redirects were always followed (on browser, can't do
 much about that, see
 https://fetch.spec.whatwg.org/#atomic-http-redirect-handling) without
 option to inspect the redirect response itself. This prevented
 developers from accessing redirect metadata needed when testing OAuth
 flows (PKCE where intermediate responses contain authorization tokens),
 authentication endpoints that return codes in Location headers with 302
 status, and debugging API redirect chains. But on the desktop app,
 redirects were just never followed, creating the opposite effect.

 The browser's fetch API applies atomic HTTP redirect handling per spec,
 making it impossible to intercept redirects and inspect their responses.
 The Native and Agent interceptors use curl and native HTTP clients
 respectively, both supporting redirect control, making this feature
 viable for these specific interceptors. (Proxyscotch tbd).
2025-10-27 17:41:58 +05:30
Mir Arif Hasan
53e8b28459
chore: security patch for the dependency chain (#5487)
v2025.10.0

---------

Co-authored-by: jamesgeorge007 <25279263+jamesgeorge007@users.noreply.github.com>
2025-10-22 18:48:20 +05:30
Shreyas
6beca5c787
fix(native): bump tauri-plugin-shell to v2.2.1 (#5402)
Updates `tauri-plugin-shell` from vulnerable version to `v2.2.1` to
 address `CVE-2025-31477` in `open` around scope validation.

 Affects both `hoppscotch-agent` and `hoppscotch-desktop`.

 Closes FE-1022
2025-09-24 21:48:06 +05:30
Mir Arif Hasan
37060638df
chore: security patch for the dependency chain (#5400)
Bump non-major dependencies

---------

Co-authored-by: jamesgeorge007 <25279263+jamesgeorge007@users.noreply.github.com>
2025-09-24 16:22:31 +05:30
Shreyas
3be91a4a51
fix(relay): multiple Set-Cookie headers in resp (#5394)
Co-authored-by: jamesgeorge007 <25279263+jamesgeorge007@users.noreply.github.com>
2025-09-23 17:14:29 +05:30
Shreyas
a0fbb7b076
chore(native): bump and align dependencies (#5331)
- This standardises package versions between desktop, agent, appload, relay
  all the native components to resolve version inconsistencies and prepare
  for unified bumps in the future.

- Account for recent minor dependency bumps as a follow-up to #5329

Co-authored-by: jamesgeorge007 <25279263+jamesgeorge007@users.noreply.github.com>
2025-08-21 16:24:30 +05:30
Shreyas
137e95e873
fix(relay): expand MIME type support (#5306)
This fixes file uploads incorrectly showing MIME type as "Other" instead
 of their actual content types by expanding the `MediaType` enum relay
 to include common audio, video, and image formats.

 Basically `MediaType` enum is used for both `ContentType` which would
 map to `ContentType` from `hoppscotch-data` (e.g. `multipart/form-data`)
 but also to `FormValue` in `interop`
 ```rust
 pub enum FormValue {
     ...
     File {
         filename: String,
         content_type: MediaType,
         data: Bytes,
     },
 }
 ```
 although the latter should be much more pervasive.

 This is a follow up on #5244

 Closes FE-887
 Closes #3810
 Closes #5223
 Closes #5233

 The issue occurred because the `relay`'s `MediaType` couldn't deserialize
 beyond the basic types (text, JSON, XML, etc.), lacked support for
 other media file types. The TypeScript layer correctly detected MIME
 types (e.g., "audio/x-m4a"), but the deserialization process fell back
 to `MediaType::Other`. Main reason for servers performing strict MIME
 validation to reject uploads.
2025-08-08 13:51:46 +05:30
Shreyas
899db05ab8
feat(desktop): portable phase-1 foundational: infra & build (#5259)
2025-07-24 15:45:48 +05:30
Shreyas
b1d4ad2bf8
chore(desktop): update typescript bump hash (#5199)
2025-06-26 11:38:18 +05:30
jamesgeorge007
0d4df746cd
chore: align TypeScript version across packages
2025-06-25 16:34:08 +05:30
Shreyas
26cb342969
fix(desktop): arrow inserting escape sequences (#5108)
The unstable flag was causing arrow keys to
display ANSI escape sequences as literal text
instead of performing cursor navigation.

For example the arrow keys in URL input fields
display escape sequences (`^[[C, ^[[D, ^[[A, ^[[B`)
as literal text.

Closes HFE-880
Closes #5102

The unstable feature flag was originally added to
support experimental features that were required
for functionality that is no longer needed
in the current implementation.

See:
- [Tauri Issue #9257] - Keyboard shortcuts broken with unstable flag
- [Tauri Issue #10194] - Arrow keys printing invalid characters
- [Wry Issue #1177] - Related macOS input handling issues
2025-06-06 14:17:30 +05:30
Shreyas
d213bec3ef
feat(kernel): multi-instance support for store (#5083)
2025-05-21 19:08:55 +05:30
Andrew Bastin
ba64fea681
chore: bump vulnerable dependencies (#4943)
2025-03-27 22:45:29 +05:30
Shreyas
a6147f4ce4
feat: platform independent core and the new desktop app (#4684)
* feat(desktop): init

* feat(desktop): external app download and setup

* feat(desktop): offload app load to plugin system

* perf(desktop): add rdbms facade and caching layer

* feat: parallelize signing, shared trust, lru cache

* feat: webapp encoder + compressor + hasher server

* feat(desktop): app autoupdate with hashed loader

* feat(kernel): init `hoppscotch-kernel`

* feat(kernel): `io`

* feat(kernel): `network`

* feat(kernel): `network` - native interceptor

* feat(kernel): `network` - interceptor - rest

* feat(kernel): `network` - interceptor - graphql

* feat(kernel): `network` - interceptor - capabilities

* feat(kernel): `network` - interceptor - `FormData`

* feat(kernel): `network` - interceptor - `oauth2.0`

* feat(kernel): `store`

* feat(desktop): dragging, traffic light, plugin workspaces

* feat(kernel|wip): `store`

* feat(kernel): `network` - capabilities - with active

* feat(kernel|wip): `network` - interceptor - `proxy`

* feat(kernel|wip): `network` - relay ext

* feat(kernel): `network` - interceptor - `proxy`

* feat(kernel): `network` - interceptor - decoding

* feat(kernel): `network` - interceptor - Kernel Err

* feat(kernel): `network` - flow transformation

* feat(kernel): `network` - request status

* fix(desktop): repositioning traffic lights on fullscreen exit

* feat(kernel): `network` - interceptor - `agent`

* feat(kernel): `store` - track updates

* feat(kernel): `network` - interceptor - extension

* feat(kernel): `network` - updates as overrides

* feat(interceptor): pre-process request encoding

* fix(ui): mismatched extension button size/position

* feat(kernel): `network` - interceptor - `browser`

* feat(native): common certs composable

* fix(kernel): interceptor selection store and json parse

* feat(kernel): `network` - consistent multipart encoding

* feat(kernel): `network` - interceptor - `OAuth2.0`

* feat(kernel): `network` - interceptor - cookie support

* feat(agent): registration list, log-sink, relay

* feat(kernel): `network` - interceptor subtitles

* feat(kernel): `store` - persist network settings

* fix(agent): encrypted ser/de certificate requests

* feat(kernel): `kernelInterceptor` spotlight service

* fix(kernel): gql introspection edge-case schema

* ref: conditionals for migrated components

* feat(kernel): `localaccess` capability via relay

* feat(kernel): `network` - explicit types and lint

* feat(kernel): `store` - isolate host and platform

* feat(kernel): `store` - persistence service

* fix(infra): whitelisted origins, non-std engines

* feat(desktop): impl deep-link callbacks

* feat(kernel): `auth`

* feat(kernel): `io` - event listeners

* feat(kernel): platform migration

* fix: dep `vue` import on Win 11

Fixes `error TS2305: Module '"vue"' has no exported member
'VueConstructor'.` arising from `splitpane` dependency.

* fix(webapp-server): platform independent res paths

* feat(desktop): auth and emit via embedded server

* feat(platform): host, csp and bundle compatibility

- Bundle name format for using as host
- Windows UI handler HWND casting and version detection
- CSP headers type handling in URI protocol
- Protocol whitelist in env config

* feat(desktop|wip): login flow with `auth-tokens`

feat(desktop|wip): typesafe auth

* feat(backend): `auth` token flow, gql/websocket

feat(desktop): working auth for gql

feat: gql client with refresh token

* feat(backend): `auth` token flow, authorization bearer

* fix(gen): qualifier clash when invalidating cache

* feat(common): coordinated initialization service

* fix(desktop): appload persistence in data json

* feat(desktop|wip): desktop icons and updater

* fix: typos in readme docs

* fix: docker ignore copying on windows

* fix: update `.lock` file after rebase

* fix: `persistenceService` setup in tests

* fix: remove old console logs

* fix: console error on invalid schema

Show console error if default value is used when loading invalid data from
local storage

* fix(test): `PersistenceService` methods

* fix(test): `PersistenceService` rest tab state

* fix(test): `PersistenceService` gql tab state

* fix(test): `PersistenceService` global env

* fix(test): `PersistenceService` mqtt request

* fix(test): `PersistenceService` sse request

* fix(test): `PersistenceService` socketio request

* fix(test): `PersistenceService` websocket request

* fix(test): `PersistenceService` secret environment

* fix(test): `PersistenceService` selected env

* fix(test): `PersistenceService` collections

* fix(test): `PersistenceService` environments

* fix(test): `PersistenceService` history

* fix(test): `PersistenceService` settings

* fix(test): `PersistenceService` migrations

* fix(test): `InspectionService` request inspector

* feat(desktop): button to clear bundle/key cache

This is useful when there are partial updates to the web app or bundle gen server
which haven't been correctly propagated when the app bundle was downloaded.

If the user were to change the self host instance without updating the
desktop app; which is possible albeit rarely under very certain circumstances,
desktop app will refuse to load the bundle, this is because the desktop app
cannot differentiate between partial updates vs incorrect bundle being hosted
since both will fail verification.

The button lets the user decide what should be the appropriate action,
clear the bundle and trust the hosted app
or make sure the app is built and hosted correctly.

* fix(desktop): enforce one version per instance

This was part of a leftover scaffolding from development.

* fix(desktop): bundle url not stored after download

* fix(desktop): stalling progress on updates

* fix(backend): helper to parse cookie into kv-pairs

* feat(desktop): launch session on working endpoints

* fix(common): preserve `auth` structure and default

* fix: loading native networking with kernel mode

* fix: fallback for unhandled response error

* fix: `urlencoded` content request processing

* feat: `interceptor` - error mapping for `browser`

* fix: backwards compatibility for `digest` auth

* fix: platform check for `initializationService`

* fix: `interceptor` - analytics `strategy` resolution

* fix: `interceptor` - check for `cookies` component

* fix: enable digest auth support for `native`

* test: `interceptor` - kernel interceptor

* fix(relay): `grantType` casing for OAuth2.0

* test(wip): kernel transformers

* fix(relay): auth headers discarding others

* fix(desktop): http version deserialization

* fix(common): `grantType` extractor, auth processor

* fix: `PersistenceService` - parsing edge cases

* fix(infra): post rebase fixup

* fix(web): component structure and lint

* fix(desktop): cohesive splash opener, scroll url section

* fix: explicit auto auth and docs on url auth

* fix(relay): special chars failing proxy auth

* fix: finer cert control setting option

* fix: post-rebase fixup

* feat(appload): ability to vendor pre-built bytes

* fix: avoid copying over `target` dir in containers

* fix: auth key missing in capability set

* fix(desktop): relax `refresh_token` requirement

This is to support Firebase token

* fix(desktop): normalization for Windows WebView

* feat(desktop): instance switcher and vendored app

* fix(desktop): merge artifacts and conflicts

* feat(desktop): instance switcher improvements

* fix: derive instance name from normalized name

* fix: pkg links, lints and UI edge cases

* feat(desktop): restore window state after relaunch

* fix(desktop): distinguish header for cloud/default

* fix: instance switcher in web mode

* fix: close dropdown on new instance modal

* fix: whitelist vendored app origin

* feat(desktop): platform parity - `collections`

* fix: history entries population desync

* fix(desktop): check for history storage status

* fix(desktop): safe parse `globalEnv`

* feat(desktop): platform parity - `environment`

* fix: use settings store for proxy url

* fix: lint, unused imports

* fix: proxy input enabled for other interceptors

* feat: reverse proxy for desktop app server

* fix: duplicate entries after connecting to sh

* fix: specify instance org qualified

* fix: remove debugging logs

* feat(desktop): enable `devtools` in release builds

* fix(desktop): prepend protocol validation edgecase

* feat(desktop): clear cache on removing instance

* fix: better response toast message

* fix: avoid reverse proxy for webapp server

* fix(desktop): ignore subpath in instance name

* feat: switcher ui/ux improvements

* feat: more switcher ui/ux improvements

* feat(server): specify bundle version at build time

* fix(desktop): missing migration as rebase artifact

* fix: minor switcher ui/ux improvement

* fix: rebase artifacts

* fix: consolidated toast on success

* fix: missing i18n strings

* fix(desktop): handle drag and drop fe side

* feat: confirmation modal on instance removal

* chore: minor UI update

* chore: minor UI changes

* fix: gql connection partial refactor

* fix: resolve merge artifacts

* chore: prod lint

* feat(desktop): better desktop app update ux

* fix: broken gql connection.ts

---------

Co-authored-by: nivedin <nivedinp@gmail.com>
Co-authored-by: Andrew Bastin <andrewbastin.k@gmail.com>
2025-02-28 00:01:25 +05:30