From ebd51fc2bdd49eb284c068a28ba84dd15dcd4a7d Mon Sep 17 00:00:00 2001
From: Disha Prakash
Date: Mon, 18 Aug 2025 11:29:53 +0000
Subject: [PATCH] chore: Add warning for insecure connection

---
 core/client.go | 5 +++++
 core/client_test.go | 24 ++++++++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/core/client.go b/core/client.go
index 752778e..985efdd 100644
--- a/core/client.go
+++ b/core/client.go
@@ -17,6 +17,7 @@ package core
 import (
 "context"
 "fmt"
+ "log"
 "net/http"
 "strings"
 
@@ -150,6 +151,10 @@ func (tc *ToolboxClient) newToolboxTool(
 finalConfig.AuthTokenSources,
 )
 
+ if (len(remainingAuthnParams) > 0 || len(remainingAuthzTokens) > 0 || len(tc.clientHeaderSources) > 0) && !strings.HasPrefix(tc.baseURL, "https://") {
+ log.Println("WARNING: Sending ID token over HTTP. User data may be exposed. Use HTTPS for secure communication.")
+ }
+
 // Construct the final tool object.
 tt := &ToolboxTool{
 name: name,
diff --git a/core/client_test.go b/core/client_test.go
index 4362226..f291dc1 100644
--- a/core/client_test.go
+++ b/core/client_test.go
@@ -17,9 +17,11 @@ package core
 import (
+ "bytes"
 "context"
 "encoding/json"
 "errors"
+ "log"
 "net/http"
 "net/http/httptest"
 "strings"
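Review bot: The scheme test in the added `if` is a case-sensitive prefix match on `tc.baseURL`, so a base URL written `HTTPS://…` is reported as insecure although the transport is TLS, and because the check lives in `newToolboxTool` the warning repeats once per loaded tool rather than once per client. Parsing the URL is more robust: `if u, err := url.Parse(tc.baseURL); err == nil && u.Scheme != "https" {` (url.Parse lowercases the scheme; this needs `net/url` in the import block), and a `sync.Once` or a flag on the client would limit the message to a single emission. The message names an ID token, but the condition also fires for `tc.clientHeaderSources`, so `"WARNING: Sending auth tokens or client headers over plaintext HTTP. User data may be exposed. Use HTTPS."` describes what is actually at risk. A log line via the global `log` package is advisory only and cannot be routed by callers; if the client's threat model warrants it, consider refusing plaintext for non-loopback hosts unless an explicit opt-in option is set, or at least accept an injectable logger. `newToolboxTool` starts and ends outside this hunk, and what `remainingAuthnParams`/`remainingAuthzTokens` hold is not visible here.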
@@ -558,6 +560,28 @@ func TestLoadToolAndLoadToolset_ErrorPaths(t *testing.T) {
 }))
 defer server.Close()
 
+ // Buffer to capture logs
+ var buf bytes.Buffer
+
+ originalOutput := log.Writer()
+ log.SetOutput(&buf)
+ defer log.SetOutput(originalOutput)
+
+ t.Run("logs warning for HTTP with headers", func(t *testing.T) {
+ buf.Reset()
+
+ client, _ := NewToolboxClient(server.URL,
+ WithHTTPClient(server.Client()),
+ )
+
+ _, _ = client.LoadTool("toolA", context.Background())
+
+ expectedLog := "WARNING: Sending ID token over HTTP"
+ if !strings.Contains(buf.String(), expectedLog) {
+ t.Errorf("expected log message '%s' not found in output: '%s'", expectedLog, buf.String())
+ }
+ })
+
 t.Run("LoadTool fails when a default option is invalid", func(t *testing.T) {
 // Setup client with duplicate default options
 client, _ := NewToolboxClient(server.URL,
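Review bot: The new subtest covers only the positive case, and its trigger is not visible in the hunk: the client is built with no auth sources and no header sources, so the warning can only come from the mock `toolA` manifest (set up above the hunk) leaving `remainingAuthnParams` non-empty, and nothing asserts the warning is absent over HTTPS or for a tool without auth, so a condition that always fires would still pass. The ignored errors on `NewToolboxClient` and `LoadTool` also turn a construction failure into a nil-pointer panic instead of a readable failure, and swapping the process-wide writer with `log.SetOutput` becomes a data race if any subtest in this function is later marked `t.Parallel()`. A negative subtest against `httptest.NewTLSServer` with the same handler pins both sides of the check; the handler literal passed to `httptest.NewServer` above the hunk would need to be hoisted into a variable to reuse it. `TestLoadToolAndLoadToolset_ErrorPaths` begins outside this hunk.
```go
// … unchanged: positive "logs warning for HTTP with headers" subtest …

t.Run("no warning for HTTPS", func(t *testing.T) {
	buf.Reset()

	// Same handler the outer test gives httptest.NewServer, served over TLS.
	tlsServer := httptest.NewTLSServer(handler)
	defer tlsServer.Close()

	client, err := NewToolboxClient(tlsServer.URL, WithHTTPClient(tlsServer.Client()))
	if err != nil {
		t.Fatalf("NewToolboxClient: %v", err)
	}
	// Result is irrelevant here (this is an error-paths test); only the log output is under test.
	_, _ = client.LoadTool("toolA", context.Background())

	if strings.Contains(buf.String(), "WARNING: Sending ID token over HTTP") {
		t.Errorf("unexpected plaintext warning over HTTPS: %q", buf.String())
	}
})
```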