Ensure authorization header is not added to BatchRequests

Author: ramsessanchez

CHANGELOG.md

@@ -11,6 +11,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
+- 'Authorization' header should not be added to BatchRequest Json body. [#1483](https://github.com/microsoftgraph/msgraph-sdk-java-core/issues/1483)
+
 ## [3.1.0] - 2024-02-07
 
 ### Changed

src/main/java/com/microsoft/graph/core/content/BatchRequestContent.java

@@ -208,13 +208,16 @@ private void writeBatchRequestStep(BatchRequestStep requestStep, JsonWriter writ
                     writer.value(rawBodyContent);
                 }
             }
-            if(headers.size() != 0 || requestBody != null) {
-                writer.name(CoreConstants.BatchRequest.HEADERS);
-                writer.beginObject();
-                for(int i = 0; i < headers.size(); i++) {
-                    writer.name(headers.name(i)).value(headers.value(i));
-                }
-                writer.endObject();
+            // If 'authorization' header is the only header, do not include headers object
+            if(!(headers.names().size() == 1 && headers.names().contains("authorization")) && (headers.size() != 0 || requestBody != null)) {
+                    writer.name(CoreConstants.BatchRequest.HEADERS);
+                    writer.beginObject();
+                    for (int i = 0; i < headers.size(); i++) {
+                        // If multiple headers exist, do not include 'authorization' header
+                        if(!headers.name(i).equals("authorization"))
+                            writer.name(headers.name(i)).value(headers.value(i));
+                    }
+                    writer.endObject();
             }
             writer.endObject();
     }

src/test/java/com/microsoft/graph/core/content/BatchRequestContentTest.java

@@ -6,9 +6,12 @@
 import com.microsoft.graph.core.models.BatchRequestStep;
 import com.microsoft.graph.core.requests.IBaseClient;
 import com.microsoft.kiota.HttpMethod;
+import com.microsoft.kiota.RequestHeaders;
 import com.microsoft.kiota.RequestInformation;
 import com.microsoft.kiota.authentication.AnonymousAuthenticationProvider;
 
+import com.microsoft.kiota.authentication.AuthenticationProvider;
+import com.microsoft.kiota.http.OkHttpRequestAdapter;
 import com.microsoft.kiota.http.middleware.UrlReplaceHandler;
 import okhttp3.*;
 import org.junit.jupiter.api.Assertions;
@@ -25,6 +28,7 @@
 
 import static com.microsoft.graph.core.CoreConstants.ReplacementConstants.USERS_ENDPOINT_WITH_REPLACE_TOKEN;
 import static org.junit.jupiter.api.Assertions.*;
+import static org.mockito.Mockito.mock;
 
 class BatchRequestContentTest {
     static final String requestUrl = "https://graph.microsoft.com/v1.0"+USERS_ENDPOINT_WITH_REPLACE_TOKEN;
@@ -234,6 +238,61 @@ void BatchRequestContent_GetBatchRequestContentFromStepDoesNotModifyDateTimes()
         assertEquals(expectedJson, requestContentString);
     }
     @Test
+    void BatchRequestContent_DoNotAddAuthorizationHeader() throws Exception {
+        OkHttpRequestAdapter adapter = new OkHttpRequestAdapter(mock(AuthenticationProvider.class));
+
+        String expectedJson = "{\n" +
+            "    \"requests\": [\n" +
+            "        {\n" +
+            "            \"id\": \"1\",\n" +
+            "            \"url\": \"/me\",\n" +
+            "            \"method\": \"GET\",\n" +
+            "            \"headers\": {\n" +
+            "                \"accept\": \"application/json\"\n" +
+            "            }\n" +
+            "        },\n" +
+            "        {\n" +
+            "            \"id\": \"2\",\n" +
+            "            \"url\": \"/me\",\n" +
+            "            \"method\": \"GET\"\n" +
+            "        }\n" +
+            "    ]\n" +
+            "}";
+        //The following string is the same size as a token
+        String longBearerString = "bbcbbbcbccbbabbacbccccbccabbcacacaaabccbccbbbbaabbabcccccbcbcacbbccbcbcaaacaacccacccbabacccabbccbccacccabcbbbbbacaacccabaaacaabcbacbaabcacabcbaaaccaccbbaaaabbbabbcaabbacccccaabbcabbbbbbbaaababaaabbbbcbbbcacbaaccaccabbcbabbabacbcccacbaccacaacaaacbacbaaaacbcbbacbcaaaaabcababbbcaabaaaabaaccbaccaababcbccbbacbaaabcbcbcbaaabcccabcacbbcbbabcccaccbacaaccaaaabcaacaccababbcbcabbccbaaaaaacccbcbccbaaccabbacbaaaacaccabcbbbcaabccccbbabbccaaaccbbbabbabcbcabcbccabbaabaacaaabbacaaccbcabaaaabcaabbabccabbcabcabbbaaaacccbcbcbbaacbbbbbcbbabcbabcbbcbbbaacccaababaccbaabcccccabbcabcababacbcaacbbaabaaacaabbacabcbcabcaabcccccacbaaacccbcabacbcbbbcccaaabacccaabcbcaababaabbacacabcbccacbbcacbbcaaccbbbcccbaaaacbcacabbcaaaacbcaacaccccbbaaabcccaacbabbbcbbccbacabccabaabacbbbbbcbaaaaaccabcbccabcccbcccabababbbbcbbcbbcbcabaabaabccbabcbbbabaaacaaaabcbcabaccaaaaacbaaabcbaccbaccbabacbcabbcbcbbaabbbbccaacccaabacacbabbcacabcbaccbcacbccaabcbbacbacbacbbaaccaaaaccacbcababccccccbbcbacacaaabaaaccbaabaacccbaaabcbcaabaaaaabcabacbabcbbccccbacbaabccaaabcccbbacbbacacaccabbcaacbbbbcbcbbcaabaacbbbcbbcbaaacccbacbaabacacbbabcaaaacaabacbaacaaaabbcacbacbcccacbcabcccacacaaccbbbcaacabcccaaacbabaaccbcbaacacbacaababcabcbccabcabcccaacabacabccaacbbcabbcaacbccaababacccaccabacbbbaabaccbcabcaabbcccacccbcbcabbccabbabaaaccacccbcbacabcaabcaccbbcbaaacbaabbbbcbccbbcccaababababaabacccbbbcabbaaacbcaaabccbbbccabbbcccbcacacaaabbabcacbacaacbbbcbbbbbccabbbabcabbcbacccaaabaaacbaabbacabbabcbcbcacbbaabbabcbcaacbabbcccbabaaccabbacbcaaacabbbbcaacbccbbbbacbcabbbaabcacaaabaabbaaccabbcabcabbacaaaacacabbabccacbbabbbbcabbaaccabcccaabbaaaacaabcbacabbaacaccbbbbaaaaacbcbacbbaaaabbabcaacaaacbbaabcccbbcbaacabbbbcaccaaaabcacbcbaaabbbcabcabcbbbbacbaccaacbccaacbbcaccaaaaacbabbbcbcbacbacbaccaacbcbcbbcaaaabaaabaabccaaaabbcabaaabcbcccbbcbaacacbbacacbabbcbaccabacbabcbcaabbbaabccccccaaccbcbccccbbbbcabaaacbbbaacbbaccaabcbcaacaacaacacaababcccbacbbccccbcacbcbcaacaaaacccccccaccaababaacbaabbcbbbccaacbabbcbcaaabbccacbbaabbbbcbbccbcccbbcacabaaacbacacbcaaabcbccacacccbbaacbacbbcbabbcbbbbcaccbaaccbcbcaabcababcbbbcccbcbaababcacbacbbbacacacabbccabbbaaaaacaccbbccbccbabaababcbbccabcaaacaccacabbaabacacabaccabacbacabbccbabaccbabcccbbcbbbaaabbccabbcbbbacacbbbabbcbbacbcabacaccabbbcbabbcbcacbcbbabbbbcabcbbabbbcaaccbaaaaccbababbbaabcbbbaacabbbbcabcabbcabbacabbccccaabaaaaabbcbabacbacbabcabcccabbbccbbcccaacacaabbcbabcbabaaaababbbacabaacbabbabcbbbcbccbacbcbccbbbccccbacaccbaccaaabbaacbbaaabbbcaccbabbcccbbbbccacbbaaacabbbbaabbabcccabcbcbbccccbacccabbbaaabcacccaabbabaccccbbbcccccaacbbbccbcabbbcccababbbcacccccccabccbbcaabccbbbaaccabbcaabcacabbcbbabcccaccccaaacbbbccaaabcbacabbbacbaccaabcbabababbcbcacaabcaabcbcbbcaaacaacabaaababbbacaccababaccbacacacacacbcccbabcbabcabccbaabcccababcbacbccccccacacbbacccccbaccbacaacbacacbcccccaaaacbaaaaccbacbbcacccbbbaabaaaccaccbcabcccccacaaaabcbabbacbbbcaaababcbacccbabcbaaabbcbaaacaabbcaaccaaccbacbaaaaaaabbaacaaabacbbcaacaacabbcabaccaaacbaccccbcccbcbcaaacbacaacccaccaacabacaaaabbbbbbbcacacbabccacacabbbababbbbcbabaaacaaacbacbcabbccacaacccbbbcbbacaccbbbaaabababbcbaacbcabcabaaccbcaaacbbbaacacccbbcaabcbacabbccbcbbbabbbaabacacaccaabbcbbaccbaaabcabbababaccca";
+        RequestInformation requestInfo = new RequestInformation();
+        requestInfo.urlTemplate = "{+baseurl}/users/{user%2Did}{?%24expand,%24select}";
+        HashMap<String, Object> pathParameters = new HashMap<>();
+        pathParameters.put("baseurl", "https://graph.microsoft.com/v1.0");
+        pathParameters.put("user%2Did", "TokenToReplace");
+        requestInfo.pathParameters = pathParameters;
+        requestInfo.httpMethod = HttpMethod.GET;
+        // Only one header should be present in the headers object of the Json Body
+        requestInfo.headers.add("accept", "application/json");
+        requestInfo.headers.add("authorization", longBearerString);
+        RequestInformation requestInfo2 = new RequestInformation();
+        requestInfo2.urlTemplate = "{+baseurl}/users/{user%2Did}{?%24expand,%24select}";
+        HashMap<String, Object> pathParameters2 = new HashMap<>();
+        pathParameters2.put("baseurl", "https://graph.microsoft.com/v1.0");
+        pathParameters2.put("user%2Did", "TokenToReplace");
+        requestInfo2.pathParameters = pathParameters2;
+        requestInfo2.httpMethod = HttpMethod.GET;
+        // No headers object should be present in the Json body
+        requestInfo2.headers.add("authorization", longBearerString);
+
+        BatchRequestContent batchRequestContent = new BatchRequestContent(client);
+        batchRequestContent.addBatchRequestStep(new BatchRequestStep("1",adapter.convertToNativeRequest(requestInfo)));
+        batchRequestContent.addBatchRequestStep(new BatchRequestStep("2",adapter.convertToNativeRequest(requestInfo2)));
+
+        InputStream stream = batchRequestContent.getBatchRequestContent();
+        String requestContentString = readInputStream(stream);
+        requestContentString = requestContentString.replace("\n", "").replaceAll("\\s", "");
+        expectedJson = expectedJson.replace("\n", "").replaceAll("\\s", "");
+
+        assertNotNull(requestContentString);
+        assertEquals(expectedJson, requestContentString);
+    }
+    @Test
     void BatchRequestContent_AddBatchRequestStepWithHttpRequestMessage() {
         BatchRequestContent batchRequestContent = new BatchRequestContent(client);
         assertTrue(batchRequestContent.getBatchRequestSteps().isEmpty());
@@ -248,6 +307,7 @@ void BatchRequestContent_AddBatchRequestStepWithHttpRequestMessage() {
         Assertions.assertEquals(batchRequestContent.getBatchRequestSteps().get(requestId).getRequest().url().uri().toString(), request.url().uri().toString());
         Assertions.assertEquals(batchRequestContent.getBatchRequestSteps().get(requestId).getRequest().method(), request.method());
     }
+
     @Test
     void BatchRequestContent_AddBatchRequestStepWithHttpRequestMessageToBatchRequestContentWithMaxSteps() {
         BatchRequestContent batchRequestContent = new BatchRequestContent(client);