[GH-ISSUE #640] OAuthSwiftHTTPRequest old headers overriding new headers

No labels

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/OAuthSwift#423

kerem commented

2026-03-03 16:48:33 +03:00

Owner

Originally created by @mariuskurgonas on GitHub (Dec 28, 2020).
Original GitHub issue: https://github.com/OAuthSwift/OAuthSwift/issues/640

Description:

OAuthSwiftHTTPRequest.swift line 423:

self.urlRequest.allHTTPHeaderFields = requestHeaders + headers

Here requestHeaders are potentially new headers set after the access token was refreshed and headers are old headers.

Problems comes when both variables contain the same key and different value. When merging with a + operator in swift - it takes the last elements values.

So after token refresh if there was a new access token header set on requestHeaders and headers contained old value,
in the end the final headers would contain the old value.

THE FIX:

Reverse the order or variables being merged like:

self.urlRequest.allHTTPHeaderFields = headers + requestHeaders

OAuth Provider? (Twitter, Github, ..):

OAuth Version:

Version 1
Version 2

OS (Please fill the version) :

iOS :
OSX :
TVOS :
WatchOS :

Installation method:

Carthage
CocoaPods
Swift Package Manager
Manually

Library version:

head
v2.1.0
v2.0.0
v1.4.1
other: (Please fill in the version you are using.)

Xcode version:

11.4 (Swift 5.2)
11.x (Swift 5.1)
10.x (Swift 5.0)
other: (Please fill in the version you are using.)
objective c
swift

Originally created by @mariuskurgonas on GitHub (Dec 28, 2020). Original GitHub issue: https://github.com/OAuthSwift/OAuthSwift/issues/640 ### Description: OAuthSwiftHTTPRequest.swift line 423: `self.urlRequest.allHTTPHeaderFields = requestHeaders + headers` Here `requestHeaders` are potentially new headers set after the access token was refreshed and `headers` are old headers. Problems comes when both variables contain the same key and different value. When merging with a + operator in swift - it takes the last elements values. So after token refresh if there was a new access token header set on `requestHeaders` and `headers` contained old value, in the end the final headers would contain the old value. THE FIX: Reverse the order or variables being merged like: `self.urlRequest.allHTTPHeaderFields = headers + requestHeaders ` ### OAuth Provider? (Twitter, Github, ..): ### OAuth Version: - [ ] Version 1 - [x] Version 2 ### OS (Please fill the version) : - [x] iOS : - [ ] OSX : - [ ] TVOS : - [ ] WatchOS : ### Installation method: - [ ] Carthage - [x] CocoaPods - [ ] Swift Package Manager - [ ] Manually ### Library version: - [x] head - [x] v2.1.0 - [ ] v2.0.0 - [ ] v1.4.1 - [ ] other: (Please fill in the version you are using.) ### Xcode version: - [x] 11.4 (Swift 5.2) - [x] 11.x (Swift 5.1) - [ ] 10.x (Swift 5.0) - [ ] other: (Please fill in the version you are using.) - [ ] objective c - [x] swift

Rows
Columns

[GH-ISSUE #640] OAuthSwiftHTTPRequest old headers overriding new headers #423