@@ -17,6 +17,7 @@ import type {
1717} from './types/api-handler' ;
1818import { fetchf } from '.' ;
1919import { mergeConfigs } from './config-handler' ;
20+ import { isAbsoluteUrl } from './utils' ;
2021
2122/**
2223 * Creates an instance of API Handler.
@@ -99,22 +100,25 @@ function createApiFetcher<
99100 FinalParams < ResponseData , UrlParams , UrlPathParams >
100101 >
101102 > {
102- // Use global per-endpoint settings
103- const endpointConfig =
104- endpoints [ endpointName ] ||
103+ // Use global and per-endpoint settings
104+ const endpointConfig = endpoints [ endpointName ] ;
105+ const _endpointConfig =
106+ endpointConfig ||
105107 ( { url : String ( endpointName ) } as RequestConfigUrlRequired ) ;
106- const url = endpointConfig . url ;
108+ const url = _endpointConfig . url ;
107109
108110 // Block Protocol-relative URLs as they could lead to SSRF (Server-Side Request Forgery)
109111 if ( url . startsWith ( '//' ) ) {
110112 throw new Error ( 'Protocol-relative URLs are not allowed.' ) ;
111113 }
112114
113115 // Prevent potential Server-Side Request Forgery attack and leakage of credentials when same instance is used for external requests
114- const isAbsoluteUrl = url . includes ( '://' ) ;
115- const mergedConfig = isAbsoluteUrl
116- ? mergeConfigs ( endpointConfig , requestConfig )
117- : mergeConfigs ( mergeConfigs ( config , endpointConfig ) , requestConfig ) ;
116+ const mergedConfig = isAbsoluteUrl ( url )
117+ ? // Merge endpoints configs for absolute URLs only if urls match
118+ endpointConfig ?. url === url
119+ ? mergeConfigs ( _endpointConfig , requestConfig )
120+ : requestConfig
121+ : mergeConfigs ( mergeConfigs ( config , _endpointConfig ) , requestConfig ) ;
118122
119123 // We prevent potential Server-Side Request Forgery attack and leakage of credentials as the same instance is not used for external requests
120124 // Retrigger fetch to ensure completely new instance of handler being triggered for external URLs
0 commit comments