When axios receives a 4XX/5XX response it throws an error, causing
execution to jump to the catch block. saveCookies() was only called
in the try block (2XX path), so error-status cookies were silently
dropped in collection runs.
Fix applied to both affected code paths:
- packages/bruno-cli/src/runner/run-single-request.js (CLI runner)
- packages/bruno-electron/src/ipc/network/index.js (app collection runner)
Manual single-request execution was already correct — saveCookies() is
called after the try/catch there, so both status paths were covered.
Fixes#7475
When a request redirected from HTTP to HTTPS (or vice versa), the
original httpAgent/httpsAgent leaked into the redirect config. The
httpsAgent — which carries custom CA certificates and TLS options — was
never created for the redirect URL, causing UNABLE_TO_VERIFY_LEAF_SIGNATURE.
Changes:
- setupProxyAgents (electron) now deletes stale agents at the top of
every call so they are always recreated for the current URL
- setupProxyAgents extracted to bruno-cli/proxy-util.js (mirrors the
electron version) and called on every redirect in the CLI path
- Removed the else-branch in bruno-requests/http-https-agents.ts that
only created one agent based on initial protocol
- Added HTTP→HTTPS redirect test server and request to the
custom-ca-certs SSL test suite
- Replaced the static file name display with a SingleLineEditor for better readability and consistency.
- Removed unnecessary padding in StyledWrapper for a cleaner layout.
- Enhanced value interpolation logic to handle arrays in interpolate-vars.js for improved data processing.
* feat: add OAuth 1.0 authentication support
Add full OAuth 1.0 (RFC 5849) authentication with support for
HMAC-SHA1/256/512, RSA-SHA1/256/512, and PLAINTEXT signature methods.
Includes UI components, bru/yml serialization, Postman import, code
generation, CLI support, and comprehensive playwright and unit tests.
* test: replace real-looking PEM literals with fake markers in oauth1 tests
Avoid tripping secret scanners by using obviously fake BEGIN/END markers
and non-sensitive base64 content in serialization and round-trip tests.
* fix: remove invalid OAuth1 placeholder header from code generator
OAuth1 requires runtime-computed nonce, timestamp, and signature that
cannot be pre-computed for a static code snippet. Return an empty array
instead of emitting an Authorization header with literal <signature>,
<timestamp>, <nonce> placeholders.
* fix: remove unreachable oauth1 case from WSAuth component
The oauth1 switch branch was dead code since it was not in
supportedAuthModes and the useEffect would reset it to 'none'
before it could render.
* fix: remove unused collectionPath param and use path.basename for filename extraction
* refactor: rename OAuth1 fields for clarity
- tokenSecret → accessTokenSecret
- signatureMethod → signatureEncoding
- addParamsTo value 'queryparams' → 'query'
* refactor: rename addParamsTo to placement in OAuth1 auth
* fix: add missing oauth1: null in buildOAuth2Config and upgrade @opencollection/types to 0.9.0
* test: add oauth1 import tests and fix missing oauth1: null in auth assertions
* ci: add auth playwright tests workflow for Linux, macOS, and Windows
* refactor: rename signatureEncoding to signatureMethod and fix timeline race condition
- Rename OAuth1 signatureEncoding to signatureMethod across all packages
- Fix timeline showing "No Headers/Body found" when request-sent IPC event
arrives after response by retroactively updating the timeline entry
- Store requestUid in timeline entries for precise matching
- Correct timeline entry timestamp on retroactive update for proper sort order
* ci: add OAuth1 CLI tests and reorganize auth actions under oauth1/
- Add CLI tests that run full BRU and YML collections via bru run
- Add start-test-server actions for Linux, macOS, and Windows
- Move auth e2e and setup actions under auth/oauth1/ directory
- Fix Windows Playwright failures caused by unescaped backslashes in collectionPath template variable
* ci: reorder auth tests to run E2E tests before CLI tests
* ci: start test server after E2E tests to fix port 8081 conflict
* fix: preserve user-defined boundary in multipart/mixed Content-Type header
When users specify a boundary parameter in their Content-Type header for
multipart/mixed requests with TEXT body mode, Bruno now preserves the
user-defined boundary instead of generating a new one.
Fixes: https://github.com/usebruno/bruno/issues/7523
* updated the test to use local server and changed the request method to GET
* fix: handle quoted boundary values in Content-Type header extraction
---------
Co-authored-by: Chirag Chandrashekhar <cchirag85@gmail.com>
* fix: enable SSL session caching for faster consecutive requests (#6929)
* fix: enable SSL session caching for faster consecutive requests
Previously, Bruno created a new HTTPS agent for every request, which meant
SSL/TLS sessions couldn't be reused. This caused the full TLS handshake
(~450ms) to run on every request, even to the same endpoint.
Changes:
- Add agent caching based on TLS configuration (certs, proxy, SSL options)
- Reuse cached agents for requests with matching configuration
- SSL sessions are now cached and reused, significantly reducing
response time for consecutive requests to the same host
The fix maintains backward compatibility:
- Timeline logging moved to setup phase (before agent creation)
- Proxy and SSL validation behavior unchanged
- Added clearAgentCache() for testing and configuration changes
Fixes#5574
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: address review feedback for SSL session caching
- Add passphrase to cache key to prevent incorrect agent reuse
- Add MAX_AGENT_CACHE_SIZE (100) with LRU-style eviction
- Use consistent node: prefix for crypto import
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: lohit <lohit@usebruno.com>
* feat(bruno-requests): add timeline agent for TLS event logging
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(bruno-requests): add agent cache for SSL session reuse
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* test(bruno-requests): add tests for agent cache
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(bruno-requests): integrate agent cache into http-https-agents
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* refactor(bruno-electron): use shared agent cache from bruno-requests
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(bruno-cli): use agent cache for SSL session reuse
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(bruno-requests): add HTTP agent timeline support
Add createTimelineHttpAgentClass for logging HTTP connection events
including proxy usage, DNS lookups, and connection establishment.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* refactor(bruno-requests): extract shared agent caching logic
Add getOrCreateAgentInternal helper to reduce code duplication
between getOrCreateAgent and getOrCreateHttpAgent functions.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(bruno-requests): use HTTP agent cache for connection reuse
Export getOrCreateHttpAgent and use it in http-https-agents for
HTTP requests to enable connection pooling.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(bruno-cli): improve HTTP agent handling and error logging
- Use { keepAlive: true } instead of tlsOptions for HTTP agents
- Add warning log for system proxy configuration errors
- Fix brace style consistency
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(bruno-electron): improve HTTP agent handling
- Use { keepAlive: true } instead of tlsOptions for HTTP agents
- Fix brace style consistency
- Add missing newline at EOF
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(bruno-requests): address code review findings for agent caching
- Fix Buffer hashing bug: properly handle Buffer values in hashValue()
- Add CA array support: new hashCaValue() handles string[] | Buffer[]
- Fix timeline race condition: capture timeline reference in closure
at createConnection start to isolate concurrent requests
- Fix SSL verify message: check socket.authorized for accurate status
- Fix HTTP/HTTPS agent logic: only set httpsAgent for HTTPS requests
- Add tests for concurrent requests timeline isolation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(bruno-requests): log when reusing cached agent
- HTTPS agents: "Reusing cached agent (SSL session reuse enabled)"
- HTTP agents: "Reusing cached agent (connection reuse enabled)"
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(preferences): add cache.httpHttpsAgents.enabled preference
* feat(agent-cache): add disableCache option to getOrCreateAgent
* feat(proxy-util): respect httpHttpsAgents cache preference
* refactor(agent-cache): use named props for getOrCreateAgent and getOrCreateHttpAgent
* feat(ipc): add renderer:clear-http-https-agent-cache handler
* feat(redux): add cache.httpHttpsAgents preferences to initial state
* feat(ui): add Cache tab to Preferences
* feat(cli): add --disable-http-https-agents-cache flag
* refactor(cache): replace window.ipcRenderer calls with redux actions
Add getCacheStats, purgeCache, and clearHttpHttpsAgentCache thunks to
the app slice. Update the Cache preferences component to dispatch these
actions instead of calling window.ipcRenderer directly.
Also move handleSave and handleSaveRef above useFormik to fix declaration
order — onSubmit closes over handleSaveRef, so the ref must be initialized
before useFormik is called.
* fix: tests
* fix(cache): thread disableCache and hostname through all agent-creation paths
- Forward disableHttpHttpsAgentsCache through getHttpHttpsAgents → createAgents
so OAuth2 token requests and bru.sendRequest honour the CLI flag
- Add hostname to agent cache keys (getAgentCacheKey, getHttpAgentCacheKey)
for per-host TLS session reuse; extract hostname at every call site in
run-single-request.js, proxy-util.js, and http-https-agents.ts
- Add extractHostname helper in http-https-agents.ts to safely parse hostnames
- Add test coverage for cert, key, pfx, passphrase, and hostname cache-key
differentiation in agent-cache.spec.ts
* refactor(cache): rename getOrCreateAgent to getOrCreateHttpsAgent
* refactor: simplify UI labels, optimize agent timeline wrapping, silence proxy errors
* fix: tests
* fix(proxy): fix proxy agent construction and CA cert handling
Three fixes:
1. Proxy agents (HttpsProxyAgent, HttpProxyAgent, SocksProxyAgent) expect
(proxyUri, options) constructor signature, but the agent cache was packing
proxyUri into options as a single argument. Fixed the non-timeline code
path in getOrCreateAgentInternal.
2. HTTP requests through an HTTPS proxy need TLS options (ca certs) to
validate the proxy's certificate. All getOrCreateHttpAgent call sites
now pass TLS options when the proxy protocol is HTTPS.
3. Setting the `ca` option on any Node.js TLS connection replaces the
default OpenSSL trust store entirely. CAs only in the OpenSSL default
trust store (e.g. /etc/ssl/cert.pem) but not in tls.rootCertificates
were lost. Fixed by converting `ca` to a secureContext via addCACert(),
which appends custom CAs on top of the OpenSSL defaults instead of
replacing them.
Also simplified PatchedHttpsProxyAgent to selectively forward only the
relevant TLS options (cert, key, pfx, passphrase, rejectUnauthorized,
secureContext) to the target TLS upgrade instead of blindly merging all
constructor options.
* fix(tls): load client certs into secureContext to prevent silent drop
Add Cache tab to Preferences UI
* fix(proxy): align proxy auth check to use auth.disabled field consistently
* refactor(cache): rename CLI flag to --cache-ssl-session and disable caching by default
- Rename --disable-http-https-agents-cache to --cache-ssl-session (opt-in)
- Rename disableHttpHttpsAgentsCache to cacheSslSession across CLI and bruno-requests
- Default caching to disabled in both bruno-electron and bruno-cli
- Add cacheSslSession to buildCertsAndProxyConfig for bru.sendRequest
- Update Preferences UI labels to "Cache SSL Session"
* refactor(cache): rename httpHttpsAgents to sslSession across preferences and UI
* refactor(cache): remove unused getCacheStats and purgeCache IPC actions
---------
Co-authored-by: karthik <47263234+kxbnb@users.noreply.github.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* feat(): support multipart mixed
fix: support vars interpolation on mixed multi-part
Update packages/bruno-electron/src/ipc/network/interpolate-vars.js
Co-authored-by: Timon <39559178+Its-treason@users.noreply.github.com>
refactor: use startsWith
feat: best effort for other multipart/* contentypes
* feat: enhance variable interpolation for multipart requests
- Updated `interpolateVars` function to support interpolation in multipart/form-data and multipart/mixed requests.
- Added handling for empty multipart arrays and parts with missing or undefined values.
- Improved type checks for content types to ensure proper interpolation behavior.
Includes new tests to validate the interpolation functionality for multipart requests.
* fix: normalize error handling in sendRequest and improve test reliability
---------
Co-authored-by: Alfonso Presa <alfonso-presa@users.noreply.github.com>
* fix: oauth2 credential management improvements
Add bru.resetOauth2Credential() API for programmatic credential invalidation
from scripts, fix credential clearing to match on credentialsId, expose
oauth2 credential variables in test runtime, and add input validation
with deduplication to prevent redundant IPC messages. Remove unused
collectionGetOauth2CredentialsByUrlAndCredentialsId reducer.
* fix: handle invalid URLs in oauth2 callback redirect handler
Wrap new URL() calls in try-catch within onWindowRedirect to prevent
uncaught TypeError when redirect or callback URLs are invalid.
* Update packages/bruno-app/src/utils/codemirror/autocomplete.js
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
---------
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* fix: Enhance error handling for script execution by introducing isScriptError flag in test results
Enhance error reporting in script execution by adding isScriptError flag to error responses
fix: Mark pre-request script errors as failures in runner summary
* Mark test script errors as failed in runner
and CLI
* Unify handling of post-response and pre-request script errors in both CLI and Electron
* feat: Enhance error handling in script execution by preserving partial results for pre-request and post-response scripts across CLI and Electron. This ensures that tests passing before an error are still reported.
* Preserving stopExecution in test script error handler
---------
Co-authored-by: Pragadesh-45 <temporaryg7904@gmail.com>
* feat: add certs and proxy config to bru.sendRequest API
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: handle URL string argument in bru.sendRequest
When bru.sendRequest is called with a plain URL string instead of a
config object, the function now normalizes it to { url: string } before
processing. This fixes the case where spreading a string created an
invalid config object.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat: add variable interpolation to bru.sendRequest certs and proxy config
Interpolate environment variables in clientCertificates and proxy
configuration for bru.sendRequest API, enabling use of variables like
{{CERT_PATH}} or {{PROXY_HOST}} in certificate paths and proxy settings.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* refactor: use interpolateObject for certs and proxy config interpolation
- Add interpolateObject to electron's interpolate-string.js using
buildCombinedVars pattern (matches CLI implementation)
- Simplify cert-utils.js by using interpolateObject instead of
manual field-by-field interpolation
- Add interpolation for clientCertificates and proxy config in CLI's
run-single-request.js for bru.sendRequest
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* refactor: add all variable types to sendRequest interpolation options
- Add globalEnvVars, collectionVariables, folderVariables, requestVariables
to sendRequestInterpolationOptions for complete variable support
- Use cached system proxy instead of redundant getSystemProxy() call
- Remove duplicate getOptions() call
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* refactor: skip CA cert loading when TLS verification is disabled
Only load CA certificates when shouldVerifyTls is true, since they
are not used for validation when TLS verification is disabled.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
- bruno-cli: fetch system proxy once before request loop and store in options
- bruno-electron: initialize system proxy cache at app startup
- Add refresh button in preferences to manually update cached system proxy
- Replace per-request getSystemProxy() calls with cached values
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* Partial Revert "remove: presets and response var (#6195)"
This reverts commit 786a3414b8 while keeping code related to presets deleted
* revert: remove global environment variables assignment
* Import WSDL to bruno collection
* feat(wsdl-import): remove unused code and minor refactor
---------
Co-authored-by: Bijin Bruno <bijin@usebruno.com>
* fix: improve file upload handling in prepare-request to use streaming
* feat: add unit tests
---------
Co-authored-by: Bijin Bruno <bijin@usebruno.com>
* feat: add support for `file` body mode in `bruno-cli` Fixes#4336
* fix: Correct await/async on file reading.
* fix: update test and fix lint errors
---------
Co-authored-by: William Floyd <william.floyd@modopayments.com>
Co-authored-by: Bijin Bruno <bijin@usebruno.com>
