Optional configs for setting custom headers / metadata for REST / gRPC operations

[austin-denoble]

Problem

Currently, the Go SDK does not support specifying custom headers or metadata for control & data plane operations (REST and gRPC). This is a useful feature to aid in debugging or tracking a specific request, and we'd like to enable this functionality in the Go SDK.

Solution

• Update NewClientParams and Client structs to support headers, also allow passing a custom RestClient to the new client. This is primarily for allowing mocking in unit tests, but we have a similar approach in other clients allowing users to customize the HTTP module.
• Add new buildClientOptions function.
• Update NewClient to support appending Headers and RestClient to clientOptions.
• Add error message for empty ApiKey without any Authorization header provided. If the user passes both, avoid applying the Api-Key header in favor of the Authorization header.
• Add new Client.IndexWithAdditionalMetadata constructor.
• Update IndexConnection struct to include additionalMetadata, and update newIndexConnection to accept additionalMetadata as an argument.
• Update IndexConnection.akCtx to handle appending the api-key and any additionalMetadata to requests.
• Update unit tests, add new mocks package and mock_transport to facilitate validating requests made via Client including.

I spent some time trying to figure out how to mock / test IndexConnection but I think it'll be a bit trickier than Client, so somewhat saving for a future PR atm.

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update
• Infrastructure change (CI configs, etc)
• Non-code change (docs, etc)
• None of the above: (explain here)

Test Plan

just test to run the test suite locally. Validate tests pass in CI.

[haruska]

Good addition overall. Might want to consider some breaking changes pre-1.0 to clean up some of the options in the constructors.

[haruska]

The newIndexConnection input is getting a bit long. Consider refactoring this into a breaking change where it takes a struct similar to other constructors.

[austin-denoble]

Agreed, will go ahead and take a pass on that now.

[austin-denoble]

See newIndexParameters struct type which newIndexConnection should consume.

[haruska]

Is an API Key now optional with the addition of custom headers? Still seems required here.

If a caller was attempting to use a JWT Bearer token instead of an API Key for auth, would this now work? Seems I'd need to pass in an API Key (which gets added to the headers) and a custom header with the Bearer token. Also guessing that breaks the request (two auth schemes in the same request headers)

[austin-denoble]

Good point, I didn't change anything regarding API key being optional vs. required so I think it still expects it to be populated.

The point about JWT Bearer is intersting, I'd maybe need to defer to @jhamon regarding specifically what we need to support here, but maybe I should look at removing the API key if they've passed a header for auth, for example. 🤔

[aulorbe]

Total nit, but when I read this, I ask myself "what are nil headers?" because nil sounds like a quantity. Maybe rephrase this stmt to be "Expected client headers to be nil".

[aulorbe]

(B/c at least if I'm understanding stuff about Go correctly online, nil isn't really a quantity, it's sorta just a pointer that indicates there's no object or or no value/concrete type, right?)

[aulorbe]

Is this potentially dangerous b/c someone could reveal an API key through this error msg?

[aulorbe]

(I mean, I know it's a mocked API key in the test, but if this function outputs this error msg IRL, that could be a dangerous vulnerability for users, no?)

[austin-denoble]

This is test code and thus not compiled into the actual built package, as far as I understand. Given that and the usage of a fake key in the tests where we're doing this, I feel like this is probably safe. Users would need to be developing the client themselves locally or in CI for it to be an issue I think.

[aulorbe]

Same comment re: the usage of nil here, as w/my previous comment

[aulorbe]

Just lurking :) Giving an approval so I don't block!

[austin-denoble]

I like the additional logging output when running these locally, etc.

[ssmith-pc]

Are there any headers we'd want to prevent them from setting? I'm not sure there, just asking the question.

[austin-denoble]

At the moment I don't think there are, good question though I'm also not sure.

[ssmith-pc]

Nice, I like this

[austin-denoble]

Props to @haruska for the suggestion.

[ssmith-pc]

accidental change?

[austin-denoble]

I think it was just auto-formatting removing the line at the end of the file.

[ssmith-pc]

Suggest rephrasing this to "required unless Authorization header provided"

[ssmith-pc]

http headers are typically case in-sensitive so we probably want to relax this check

[austin-denoble]

Updated to use strings.ToLower(key), "authorization"), thanks!

[gitguardian]

️✅ There are no secrets present in this pull request anymore.

If these secrets were true positive and are still valid, we highly recommend you to revoke them.
Once a secret has been leaked into a git repository, you should consider it compromised, even if it was deleted immediately.
Find here more information about risks.

---

^{_{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}}

[haruska]

Good improvements. The creation of the index connection still seems a bit clunky but I think that's just an artifact of the public constructor(s) being off Client. Overall, the PR is much better than the current impl in main.