From e739de158d7b1a19ded89f31534a45134eba6eb1 Mon Sep 17 00:00:00 2001
From: jnsdls
Date: Sat, 10 May 2025 02:54:20 +0000
Subject: [PATCH] Only set secret key or client ID when not using auth token (#6994)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This PR modifies the header setting logic in `getClientFetch` to ensure that secret keys and client IDs are only set when not using an auth token. This prevents potential conflicts between different authentication methods by making the header setting logic mutually exclusive. --- ## PR-Codex overview This PR modifies the logic in the `fetch.ts` file to ensure that the `x-secret-key` and `x-client-id` headers are only set when not using the authentication token, enhancing security and clarity in header management. ### Detailed summary - Added an `else` clause to only set `x-secret-key` if not using the auth token. - Rearranged the condition for setting `x-client-id` to follow the new logic. > ✨ Ask PR-Codex anything about this PR by commenting with `/codex {your question}`
---
 packages/thirdweb/src/utils/fetch.ts | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/packages/thirdweb/src/utils/fetch.ts b/packages/thirdweb/src/utils/fetch.ts
index 60c55126d6d..20d51f10537 100644
--- a/packages/thirdweb/src/utils/fetch.ts
+++ b/packages/thirdweb/src/utils/fetch.ts
@@ -70,14 +70,15 @@ export function getClientFetch(client: ThirdwebClient, ecosystem?: Ecosystem) {
 if (client.teamId) {
 headers.set("x-team-id", client.teamId);
 }
- }
-
- if (secretKey) {
- headers.set("x-secret-key", secretKey);
- }
+ } else {
+ // only set secret key or client id if we are NOT using the auth token!
+ if (secretKey) {
+ headers.set("x-secret-key", secretKey);
+ }
- if (clientId) {
- headers.set("x-client-id", clientId);
+ if (clientId) {
+ headers.set("x-client-id", clientId);
+ }
 }
 if (ecosystem) {
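Review bot: The new `else` branch now decides which credential leaves the client, but its comment `// only set secret key or client id if we are NOT using the auth token!` gives no reason, and the diffstat shows no test was added alongside `fetch.ts`. I would reword the comment to state the rule and its purpose, for example `// Send exactly one credential: when the auth token is attached, do not also send x-secret-key or x-client-id.` A unit test on `getClientFetch` should assert that both headers are absent when an auth token is in use and present otherwise, so a later refactor cannot silently send the secret key next to the token again. The `if` this `else` pairs with starts above the hunk, so its exact condition, and therefore when the `else` path runs, cannot be checked from here. Dropping `x-client-id` on token-authenticated requests may also matter to any service that keys attribution or rate limiting on it; that is worth confirming with the API owners.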