starred/hoppscotch

Fork 0

mirror of https://github.com/hoppscotch/hoppscotch.git synced 2026-04-25 08:45:58 +03:00

[GH-ISSUE #5523] [bug]: crypto.subtle is missing in Pre-request script envrironment. #2130

New issue

Closed

opened 2026-03-16 23:17:11 +03:00 by kerem · 4 comments

kerem commented

2026-03-16 23:17:11 +03:00

Owner

Originally created by @liudonghua123 on GitHub (Oct 29, 2025).
Original GitHub issue: https://github.com/hoppscotch/hoppscotch/issues/5523

Is there an existing issue for this?

I have searched existing issues and this bug hasn't been reported yet

Platform

Desktop App

Browser

Chrome

Operating System

Windows

Bug Description

When I tried to use hmacSHA256 like the following code in pre-request scripts. The web crypto module is missing.

/**
 * 计算 HMAC-SHA256 签名
 */
async function hmacSHA256(key, message) {
    const enc = new TextEncoder();
    const keyData = enc.encode(key);
    const msgData = enc.encode(message);

    const cryptoKey = await crypto.subtle.importKey(
        "raw",
        keyData,
        { name: "HMAC", hash: "SHA-256" },
        false,
        ["sign"]
    );

    const signatureBuffer = await crypto.subtle.sign("HMAC", cryptoKey, msgData);
    const hashArray = Array.from(new Uint8Array(signatureBuffer));
    return hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
}

/**
 * 生成签名头
 */
async function generateSignature(method, url, body) {
    console.log(`execute generateSignature`);
    const urlObj = new URL(url);
    const path = urlObj.pathname;
    const query = urlObj.search ? urlObj.search.slice(1) : "";
    const timestamp = Math.floor(Date.now() / 1000).toString();
    console.log(`execute generateSignature 0`);

    let bodyString = "";
    if (body) {
        try {
            const json = JSON.parse(body);
            bodyString = JSON.stringify(json);
        } catch {
            bodyString = body.toString();
        }
    }

    const parts = [
        method.toUpperCase(),
        path,
        query,
        CLIENT_ID,
        timestamp,
        bodyString,
    ];
    console.log(`execute generateSignature 1`);
    const signString = parts.join("\n");
    const signature = await hmacSHA256(CLIENT_SECRET, signString);
    console.log(`execute generateSignature 2`);

    return {
        "x-client-id": CLIENT_ID,
        "x-timestamp": timestamp,
        "x-signature": signature,
    };
}

And the crypto.subtle module is normal in browser web or node environment.

Deployment Type

Hoppscotch Cloud

Version

The latest v25.9.1-0 version.

Originally created by @liudonghua123 on GitHub (Oct 29, 2025). Original GitHub issue: https://github.com/hoppscotch/hoppscotch/issues/5523 ### Is there an existing issue for this? - [x] I have searched existing issues and this bug hasn't been reported yet ### Platform Desktop App ### Browser Chrome ### Operating System Windows ### Bug Description When I tried to use hmacSHA256 like the following code in pre-request scripts. The web crypto module is missing. ```js /** * 计算 HMAC-SHA256 签名 */ async function hmacSHA256(key, message) { const enc = new TextEncoder(); const keyData = enc.encode(key); const msgData = enc.encode(message); const cryptoKey = await crypto.subtle.importKey( "raw", keyData, { name: "HMAC", hash: "SHA-256" }, false, ["sign"] ); const signatureBuffer = await crypto.subtle.sign("HMAC", cryptoKey, msgData); const hashArray = Array.from(new Uint8Array(signatureBuffer)); return hashArray.map((b) => b.toString(16).padStart(2, "0")).join(""); } /** * 生成签名头 */ async function generateSignature(method, url, body) { console.log(`execute generateSignature`); const urlObj = new URL(url); const path = urlObj.pathname; const query = urlObj.search ? urlObj.search.slice(1) : ""; const timestamp = Math.floor(Date.now() / 1000).toString(); console.log(`execute generateSignature 0`); let bodyString = ""; if (body) { try { const json = JSON.parse(body); bodyString = JSON.stringify(json); } catch { bodyString = body.toString(); } } const parts = [ method.toUpperCase(), path, query, CLIENT_ID, timestamp, bodyString, ]; console.log(`execute generateSignature 1`); const signString = parts.join("\n"); const signature = await hmacSHA256(CLIENT_SECRET, signString); console.log(`execute generateSignature 2`); return { "x-client-id": CLIENT_ID, "x-timestamp": timestamp, "x-signature": signature, }; } ``` And the crypto.subtle module is normal in browser web or node environment. <img width="743" height="632" alt="Image" src="https://github.com/user-attachments/assets/679764ef-93ea-4a3e-aa99-ab7f931d96e3" /> ### Deployment Type Hoppscotch Cloud ### Version The latest v25.9.1-0 version.

kerem

2026-03-16 23:17:11 +03:00

closed this issue
added the
bug

duplicate

need testing
labels

kerem commented

2026-03-16 23:17:28 +03:00

Author

Owner

@liudonghua123 commented on GitHub (Oct 29, 2025):

@liudonghua123 commented on GitHub (Oct 29, 2025): Maybe it's related to https://github.com/hoppscotch/hoppscotch/issues/3353, https://github.com/AndrewBastin/faraday-cage/issues/1, https://github.com/authts/oidc-client-ts/issues/1550.

kerem commented

2026-03-16 23:17:33 +03:00

Author

Owner

@liudonghua123 commented on GitHub (Oct 29, 2025):

Maybe use https to fix it? The crypto.subtle is only available in Secure context.

Secure context: This feature is available only in secure contexts (HTTPS).

https://developer.mozilla.org/en-US/docs/Web/API/Crypto/subtle

@liudonghua123 commented on GitHub (Oct 29, 2025): Maybe use https to fix it? The crypto.subtle is only available in `Secure context`. > Secure context: This feature is available only in [secure contexts](https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts) (HTTPS). https://developer.mozilla.org/en-US/docs/Web/API/Crypto/subtle <img width="355" height="288" alt="Image" src="https://github.com/user-attachments/assets/9bf1f787-f509-4bdf-b7bd-58484286e93f" /> <img width="499" height="383" alt="Image" src="https://github.com/user-attachments/assets/80a6cc27-5f77-4081-b177-3412a87f945c" /> <img width="500" height="321" alt="Image" src="https://github.com/user-attachments/assets/7f4bcd1b-08fd-405e-98cb-e5549aa7bd1d" />

kerem commented

2026-03-16 23:17:38 +03:00

Author

Owner

@liudonghua123 commented on GitHub (Oct 30, 2025):

Currently, I am using import CryptoJS from 'https://esm.run/crypto-js@4.2.0'; to replace the functionality of crypto.subtle. However, I would prefer to use crypto.subtle.

@liudonghua123 commented on GitHub (Oct 30, 2025): Currently, I am using `import CryptoJS from 'https://esm.run/crypto-js@4.2.0';` to replace the functionality of `crypto.subtle`. However, I would prefer to use `crypto.subtle`.

kerem commented

2026-03-16 23:17:43 +03:00

Author

Owner

@jamesgeorge007 commented on GitHub (Nov 6, 2025):

Hi, thanks for reporting. We're aware of certain limitations with the native crypto module. ESM imports offer an alternative approach. Ongoing scripting improvements are tracked in https://github.com/hoppscotch/hoppscotch/discussions/5221.

You can continue to use the native crypto module by opting out of the Experimental scripting sandbox.

Closing this issue in favour of #2015.

@jamesgeorge007 commented on GitHub (Nov 6, 2025): Hi, thanks for reporting. We're aware of certain limitations with the native crypto module. ESM imports offer an alternative approach. Ongoing scripting improvements are tracked in https://github.com/hoppscotch/hoppscotch/discussions/5221. You can continue to use the native `crypto` module by opting out of the `Experimental scripting sandbox`. <img width="1906" height="565" alt="Image" src="https://github.com/user-attachments/assets/cc14967c-edac-4e40-a74e-9377a97dfb76" /> Closing this issue in favour of #2015.