Skip to content

Fix WSSecurityCert header placement when no SOAP headers exist#1489

Open
rubenaguadoc wants to merge 1 commit into
vpulim:masterfrom
DPS-ES:fix/1487-security-header-envelope
Open

Fix WSSecurityCert header placement when no SOAP headers exist#1489
rubenaguadoc wants to merge 1 commit into
vpulim:masterfrom
DPS-ES:fix/1487-security-header-envelope

Conversation

@rubenaguadoc
Copy link
Copy Markdown

@rubenaguadoc rubenaguadoc commented May 7, 2026
edited by coderabbitai Bot
Loading

Fixes #1487

When using WSSecurityCert without additional SOAP headers, the generated security header could be placed outside the SOAP Envelope, resulting in invalid XML structure.

This change ensures the security header is always inserted inside the SOAP Envelope, regardless of whether other SOAP headers are present.

Includes a test covering the scenario where no additional SOAP headers exist.

Summary by CodeRabbit

  • Bug Fixes

    • Enhanced SOAP security header generation with improved fallback handling to support edge cases.

  • Tests

    • Added test coverage verifying correct security header insertion in SOAP requests.

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 7, 2026
edited
Loading

Review Change Stack

📝 Walkthrough

Walkthrough

The pull request fixes a bug where WSSecurityCert security headers were placed outside the SOAP envelope when no other headers existed. The fix modifies the header creation logic to fall back to postProcess when toXML() returns falsy, and adds an integration test to verify correct header placement.

Changes

Security Header Fallback and Validation

Layer / File(s) Summary
Core Logic Fix
src/client.ts		 Header content composition now uses this.security.toXML() || this.security.postProcess to ensure fallback when toXML() returns falsy.
Test Validation
test/security/WSSecurityCert.js		 New test captures generated SOAP request XML and asserts that <soap:Header> and <wsse:Security> are correctly placed within the envelope with no trailing content.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A header that wandered beyond its bounds,
Now finds its way home through fallback grounds,
When toXML falters, postProcess calls,
Security sits safe inside the envelope walls. 🐰✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main fix: addressing header placement for WSSecurityCert when no SOAP headers exist, which is the core issue in #1487.
Linked Issues check ✅ Passed The PR implements the suggested fix from #1487 by modifying client.ts to check for security.postProcess as a fallback when toXML() is falsy, ensuring Header creation when needed.
Out of Scope Changes check ✅ Passed All changes are directly related to fixing #1487: the client.ts modification handles the fallback logic, and the test validates the fix for the no-headers scenario.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

  • Generate code and open pull requests
  • Plan features and break down work
  • Investigate incidents and troubleshoot customer tickets together
  • Automate recurring tasks and respond to alerts with triggers
  • Summarize progress and report instantly

Built for teams:

  • Shared memory across your entire org—no repeating context
  • Per-thread sandboxes to safely plan and execute work
  • Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@rubenaguadoc rubenaguadoc mentioned this pull request May 7, 2026
Open
coderabbitai[bot]
coderabbitai Bot reviewed May 7, 2026
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
test/security/WSSecurityCert.js (2)

362-365: 💤 Low value

Redundant duplicate assertion — endsWith check on line 362 is superseded by the index arithmetic on lines 364-365

Both assertions verify that nothing follows </soap:Envelope>. One is sufficient.

🧹 Proposed cleanup 
-    assert.ok(requestXml.endsWith('</soap:Envelope>'), 'XML must end with </soap:Envelope>');
-
     const envelopeCloseIdx = requestXml.indexOf('</soap:Envelope>');
     assert.strictEqual(envelopeCloseIdx + '</soap:Envelope>'.length, requestXml.length, 'No content should appear after </soap:Envelope>');
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/security/WSSecurityCert.js` around lines 362 - 365, Remove the redundant
endsWith assertion and keep the precise index-based check: delete the
assert.ok(requestXml.endsWith('</soap:Envelope>'), ...) line and rely on the
envelopeCloseIdx calculation with assert.strictEqual(envelopeCloseIdx +
'</soap:Envelope>'.length, requestXml.length, ...) to ensure nothing follows the
closing tag; this targets the assertions around the requestXml variable and the
envelopeCloseIdx logic in the test.

349-351: ⚡ Quick win

Test relies on synchronous 'request' event emission — correct but fragile

client.MyOperation({}, function () {}) triggers _invoke, which calls this.emit('request', xml, eid) synchronously (before the async HTTP call). requestXml is therefore set when line 351 executes. This is correct today, but any future refactor that defers the emit (e.g. into a microtask) would silently break the assertion rather than produce a helpful failure. Consider wrapping the entire invocation in a promise resolved by the 'request' event handler for robustness:

🛡️ Suggested approach 
-    let requestXml;
-    client.on('request', function (xml) {
-      requestXml = xml;
-    });
-
-    client.MyOperation({}, function () {});
-
-    assert.ok(requestXml, 'request XML should have been captured');
+    const requestXml = await new Promise((resolve) => {
+      client.once('request', resolve);
+      client.MyOperation({}, function () {});
+    });
+
+    assert.ok(requestXml, 'request XML should have been captured');
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/security/WSSecurityCert.js` around lines 349 - 351, The test assumes
client.MyOperation triggers a synchronous 'request' event via _invoke's
this.emit('request', xml, eid), which is fragile; change the test to await the
'request' event instead of relying on synchronous emission by wrapping the
client.MyOperation call in a Promise that resolves in the client's 'request'
event handler (capturing requestXml there) and then assert requestXml after that
Promise resolves so the test remains robust if emission becomes asynchronous.
🤖 Prompt for all review comments with AI agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/security/WSSecurityCert.js`:
- Around line 362-365: Remove the redundant endsWith assertion and keep the
precise index-based check: delete the
assert.ok(requestXml.endsWith('</soap:Envelope>'), ...) line and rely on the
envelopeCloseIdx calculation with assert.strictEqual(envelopeCloseIdx +
'</soap:Envelope>'.length, requestXml.length, ...) to ensure nothing follows the
closing tag; this targets the assertions around the requestXml variable and the
envelopeCloseIdx logic in the test.
- Around line 349-351: The test assumes client.MyOperation triggers a
synchronous 'request' event via _invoke's this.emit('request', xml, eid), which
is fragile; change the test to await the 'request' event instead of relying on
synchronous emission by wrapping the client.MyOperation call in a Promise that
resolves in the client's 'request' event handler (capturing requestXml there)
and then assert requestXml after that Promise resolves so the test remains
robust if emission becomes asynchronous.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 5d202997-ab47-43e1-9bce-26e8023c7ad7

📥 Commits

Reviewing files that changed from the base of the PR and between 67febcc and d839d4f.

📒 Files selected for processing (2)
  • src/client.ts
  • test/security/WSSecurityCert.js

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

WSSecurityCert: Security header placed outside Envelope when no other SOAP headers exist

1 participant

@rubenaguadoc