feat: Warn on insecure tool invocation with authentication

anubhav756 · anubhav756 · commit 0f45b691a405 · 2025-05-13T15:30:16.000+05:30
This change introduces a warning that is displayed immediately before a tool invocation if:
1. The invocation includes an authentication header.
2. The connection is being made over non-secure HTTP.

&gt; [!IMPORTANT]
The purpose of this warning is to alert the user to the security risk of sending credentials over an unencrypted channel and to encourage the use of HTTPS.
diff --git a/packages/toolbox-core/src/toolbox_core/tool.py b/packages/toolbox-core/src/toolbox_core/tool.py
@@ -16,6 +16,7 @@
 from inspect import Signature
 from types import MappingProxyType
 from typing import Any, Callable, Coroutine, Mapping, Optional, Sequence, Union
+from warnings import warn
 
 from aiohttp import ClientSession
 
@@ -245,18 +246,27 @@ async def __call__(self, *args: Any, **kwargs: Any) -> str:
             payload[param] = await resolve_value(value)
 
         # create headers for auth services
-        headers = {}
+        auth_headers = {}
         for auth_service, token_getter in self.__auth_service_token_getters.items():
-            headers[self.__get_auth_header(auth_service)] = await resolve_value(
+            auth_headers[self.__get_auth_header(auth_service)] = await resolve_value(
                 token_getter
             )
         for client_header_name, client_header_val in self.__client_headers.items():
-            headers[client_header_name] = await resolve_value(client_header_val)
+            auth_headers[client_header_name] = await resolve_value(client_header_val)
+
+        # ID tokens contain sensitive user information (claims). Transmitting
+        # these over HTTP exposes the data to interception and unauthorized
+        # access. Always use HTTPS to ensure secure communication and protect
+        # user privacy.
+        if auth_headers and not self.__url.startswith("https://"):
+            warn(
+                "Sending ID token over HTTP. User data may be exposed. Use HTTPS for secure communication."
+            )
 
         async with self.__session.post(
             self.__url,
             json=payload,
-            headers=headers,
+            headers=auth_headers,
         ) as resp:
             body = await resp.json()
             if resp.status < 200 or resp.status >= 300:
