Skip to content

Add authentication header support to GET, PUT, PATCH, DELETE API tools#193

Merged
executeautomation merged 7 commits into
mainfrom
copilot/fix-api-authentication-issue
Dec 11, 2025
Merged

Add authentication header support to GET, PUT, PATCH, DELETE API tools#193
executeautomation merged 7 commits into
mainfrom
copilot/fix-api-authentication-issue

Conversation

Copilot AI commented Dec 11, 2025
edited
Loading

Copy link
Copy Markdown
Contributor

Only POST requests supported authentication headers, causing 403 errors when making authenticated PUT/PATCH/DELETE/GET requests.

Changes

  • Tool schemas (src/tools.ts): Added optional token and headers parameters to GET, PUT, PATCH, DELETE tools
  • Implementation (src/tools/api/requests.ts):
    • Added parseJsonSafely() helper to handle JSON parsing with fallback
    • Updated all HTTP methods to accept and forward authentication headers
    • Headers merge with defaults (Content-Type: application/json), custom headers override
  • Tests (src/__tests__/tools/api/requests.test.ts): Added coverage for Bearer tokens, Basic auth, and custom headers across all methods

Usage

Bearer token:

{
  url: "https://api.example.com/resource/1",
  value: '{"name": "updated"}',
  token: "your-bearer-token"
}

Basic auth or custom headers:

{
  url: "https://restful-booker.herokuapp.com/booking/4",
  value: '{"firstname": "Jane", "lastname": "Smith", ...}',
  headers: {
    "Authorization": "Basic YWRtaW46cGFzc3dvcmQxMjM="
  }
}

Both parameters are optional; existing code without authentication continues to work unchanged.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • restful-booker.herokuapp.com
    • Triggering command: /usr/local/bin/node node /tmp/test-real-api.mjs (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details on the original issue you should resolve

<issue_title>API Authentication is not working while performing API testing using MCP Server.</issue_title>
<issue_description>Steps to Reproduce -
1- Provide prompt to perform Update API Call (More details are in this link - https://restful-booker.herokuapp.com/apidoc/index.html#api-Booking-UpdateBooking )
2 - Provide Authorization details as header as given in above link - using key as "Authorization" and it's values "Basic YWRtaW46cGFzc3dvcmQxMjM="
3- Send the Prompt in Copilot or Claude or any other AI Assistant.

Issue - In Postman Authentication is successful and it is giving response but when we are using MCP Server it is not able to Authenticate API call. , I have tried same with other website API calls also.

Adding Claude response -

The PUT request returned a 403 Forbidden status, which indicates that the request lacks proper authorization. The curl command you provided includes an Authorization header with Basic authentication (Authorization: Basic YWRtaW46cGFzc3dvcmQxMjM=), but the Playwright EA PUT function doesn't currently support custom headers including authorization.
The playwright_put function I used only accepts URL and body data, but doesn't have parameters for custom headers like the Authorization header that's needed for this API endpoint.

Please let me know if you need any other information.

Image

==================================

and @executeautomation and other contributors, Thank you for all your efforts in creating this MCP Server.

</issue_description>

<agent_instructions>Can you analyse the full code and see why the API tool of Playwright is not handling authentication, I feel like its either not built as we had very basic implementations earlier, check and do the test before creating PR</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@executeautomation That seems to be a legit issue, I will work on it and have it fixed, thanks for reporting @Wish-Infinite @roja-erukulla

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI and others added 3 commits December 11, 2025 07:24
@executeautomation
Add authentication support to GET, PUT, PATCH, DELETE API requests
96c1542 
Co-authored-by: executeautomation <10337030+executeautomation@users.noreply.github.com>
@executeautomation
Add robust JSON parsing with fallback for PUT and PATCH requests
9d6f6cc 
Co-authored-by: executeautomation <10337030+executeautomation@users.noreply.github.com>
@executeautomation
Refactor JSON parsing to use shared helper function for better mainta…
4afe115 
…inability

Co-authored-by: executeautomation <10337030+executeautomation@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix API authentication issue with MCP Server Add authentication header support to GET, PUT, PATCH, DELETE API tools Dec 11, 2025
@kartmcad
feat: Add comprehensive authentication and improve API request code q…
cbd366c 
…uality

This commit enhances the API authentication feature with better code quality,
type safety, comprehensive testing, and complete documentation.

## Code Quality Improvements

### DRY Principle
- Extract duplicate header building logic into `buildHeaders()` helper
- Reduces code duplication across 5 request methods
- Centralizes authentication logic for easier maintenance

### Type Safety
- Add `BaseRequestArgs` interface for GET/DELETE requests
- Add `RequestWithBodyArgs` interface for POST/PUT/PATCH requests
- Replace `any` types with proper TypeScript interfaces

### Validation & Error Handling
- Add `validateHeaders()` to ensure all header values are strings
- Add console warnings when both token and Authorization header provided
- Improve `parseJsonSafely()` with warning logs for debugging
- Better error messages for invalid header values

## Testing Enhancements

Added 8 new edge case tests:
- Invalid header value validation (non-string values)
- Token and Authorization header conflict warnings (GET, POST)
- JSON parse failure handling with fallback
- Empty headers object handling
- Header validation for PUT, PATCH, DELETE methods

**Test Results:**
- ✅ All 150 tests passing (142 existing + 8 new)
- ✅ Coverage increased: 88.37% for requests.ts (up from ~81%)
- ✅ Zero TypeScript errors
- ✅ Build successful

## Documentation Updates

### Supported Tools Documentation
Updated `docs/docs/playwright-api/Supported-Tools.mdx`:
- Added `token` and `headers` parameters to GET, PUT, PATCH, DELETE
- Previously only POST had these documented
- Consistent documentation across all API methods

### Usage Examples
Enhanced `docs/docs/playwright-api/Examples.md` with:
- Bearer token authentication examples
- Basic authentication examples
- API key authentication examples
- Custom header examples
- Token + headers combination examples

### CHANGELOG
Added comprehensive entry documenting:
- All new features (token, headers, validation)
- Code quality improvements
- Type safety additions
- Test coverage improvements
- Backward compatibility notes

## Technical Details

- **Backward Compatible**: Existing API calls work unchanged
- **Custom Headers Override**: Authorization header in `headers` overrides `token`
- **Warning System**: Console warnings help developers debug conflicts
- **Header Validation**: Prevents runtime errors from invalid types
- **Improved Coverage**: API requests.ts now at 88.37% coverage

## Files Changed
- `src/tools/api/requests.ts`: Refactored with helpers and types (+104 lines)
- `src/__tests__/tools/api/requests.test.ts`: Added edge case tests (+156 lines)
- `docs/docs/playwright-api/Supported-Tools.mdx`: Updated docs (+16 lines)
- `docs/docs/playwright-api/Examples.md`: Added auth examples (+89 lines)
- `CHANGELOG.md`: Comprehensive changelog entry (+32 lines)

Total: +397 insertions, -29 deletions across 5 files
@kartmcad
chore: Bump version to 1.0.11 and update release notes
1bb9e53 
- Update package.json to version 1.0.11
- Update hardcoded version strings in src/index.ts and src/http-server.ts
- Update CHANGELOG.md: Change [Unreleased] to [1.0.11] - 2024-12-11
- Add comprehensive v1.0.11 release notes to docs/docs/release.mdx
  - Document Bearer token authentication for all API methods
  - Document custom headers support
  - Highlight code quality improvements (DRY, Type Safety)
  - Detail testing enhancements (150 tests, 88.37% coverage)
  - Include usage examples and backward compatibility notes

All tests passing (150/150) ✅
Build successful ✅
@executeautomation executeautomation marked this pull request as ready for review December 11, 2025 08:30
@executeautomation executeautomation merged commit 8999fa9 into main Dec 11, 2025
6 checks passed
Copilot AI mentioned this pull request Dec 11, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@executeautomation executeautomation Awaiting requested review from executeautomation

Assignees

@executeautomation executeautomation

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

API Authentication is not working while performing API testing using MCP Server.

3 participants

@executeautomation @kartmcad