feat: Warn on insecure tool invocation with authentication

anubhav756 · anubhav756 · commit 384b746a7bf8 · 2025-05-06T17:40:02.000+05:30
This change introduces a warning that is displayed immediately before a tool invocation if:
1. The invocation includes an authentication header.
2. The connection is being made over non-secure HTTP.

&gt; [!IMPORTANT]
The purpose of this warning is to alert the user to the security risk of sending credentials over an unencrypted channel and to encourage the use of HTTPS.
diff --git a/packages/toolbox-core/src/toolbox_core/tool.py b/packages/toolbox-core/src/toolbox_core/tool.py
@@ -13,6 +13,7 @@
 # limitations under the License.
 
 
+from warnings import warn
 import types
 from inspect import Signature
 from typing import Any, Callable, Coroutine, Mapping, Optional, Sequence, Union
@@ -217,18 +218,27 @@ async def __call__(self, *args: Any, **kwargs: Any) -> str:
             payload[param] = await resolve_value(value)
 
         # create headers for auth services
-        headers = {}
+        auth_headers = {}
         for auth_service, token_getter in self.__auth_service_token_getters.items():
-            headers[self.__get_auth_header(auth_service)] = await resolve_value(
+            auth_headers[self.__get_auth_header(auth_service)] = await resolve_value(
                 token_getter
             )
         for client_header_name, client_header_val in self.__client_headers.items():
-            headers[client_header_name] = await resolve_value(client_header_val)
+            auth_headers[client_header_name] = await resolve_value(client_header_val)
+
+        # ID tokens contain sensitive user information (claims). Transmitting
+        # these over HTTP exposes the data to interception and unauthorized
+        # access. Always use HTTPS to ensure secure communication and protect
+        # user privacy.
+        if auth_headers and not self.__url.startswith("https://"):
+            warn(
+                "Sending ID token over HTTP. User data may be exposed. Use HTTPS for secure communication."
+            )
 
         async with self.__session.post(
             self.__url,
             json=payload,
-            headers=headers,
+            headers=auth_headers,
         ) as resp:
             body = await resp.json()
             if resp.status < 200 or resp.status >= 300:
