[PR #5596] [MERGED] feat(scripting-revamp): add support for sending requests in scripting context #5274

New issue

Closed

opened 2026-03-17 02:44:11 +03:00 by kerem · 0 comments

kerem commented

2026-03-17 02:44:11 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/hoppscotch/hoppscotch/pull/5596
Author: @jamesgeorge007
Created: 11/19/2025
Status: ✅ Merged
Merged: 11/26/2025
Merged by: @jamesgeorge007

Base: next ← Head: feat/updated-scripting-system

📝 Commits (6)

3960262 feat(scripting-revamp): add support for sending requests in scripting context
2e301f2 fix: address Cubic AI review feedback
eac120b chore: merge latest changes alongside conflict resolution
573da10 fix: address code review feedback for hopp.fetch implementation
895f8aa fix: address additional Cubic AI code review feedback
022e2ea chore: cleanup

📊 Changes

70 files changed (+12934 additions, -1067 deletions)

View changed files

📝 packages/hoppscotch-cli/package.json (+2 -0)
📝 packages/hoppscotch-cli/src/__tests__/e2e/commands/test.spec.ts (+548 -49)
📝 packages/hoppscotch-cli/src/__tests__/e2e/fixtures/collections/scripting-revamp-coll.json (+948 -119)
➕ packages/hoppscotch-cli/src/__tests__/unit/hopp-fetch.spec.ts (+579 -0)
➕ packages/hoppscotch-cli/src/utils/hopp-fetch.ts (+274 -0)
📝 packages/hoppscotch-cli/src/utils/pre-request.ts (+4 -1)
📝 packages/hoppscotch-cli/src/utils/request.ts (+28 -0)
📝 packages/hoppscotch-cli/src/utils/test.ts (+5 -1)
📝 packages/hoppscotch-common/locales/en.json (+7 -0)
📝 packages/hoppscotch-common/src/components/MonacoScriptEditor.vue (+8 -1)
📝 packages/hoppscotch-common/src/components/embeds/Request.vue (+13 -7)
📝 packages/hoppscotch-common/src/components/http/Request.vue (+89 -30)
📝 packages/hoppscotch-common/src/components/http/Response.vue (+10 -2)
📝 packages/hoppscotch-common/src/components/http/ResponseMeta.vue (+15 -6)
📝 packages/hoppscotch-common/src/components/http/TestResult.vue (+21 -4)
📝 packages/hoppscotch-common/src/components/http/TestResultEntry.vue (+34 -3)
📝 packages/hoppscotch-common/src/components/http/test/Response.vue (+13 -2)
📝 packages/hoppscotch-common/src/components/lenses/ResponseBodyRenderer.vue (+4 -1)
📝 packages/hoppscotch-common/src/helpers/RequestRunner.ts (+52 -71)
➕ packages/hoppscotch-common/src/helpers/__tests__/hopp-fetch.spec.ts (+799 -0)

...and 50 more files

📄 Description

This PR implements request-sending capabilities inside the scripting sandbox by introducing hopp.fetch() and a global fetch() (alias) with standards-aligned Fetch primitives (Request, Response, Headers, FormData, URLSearchParams), as proposed in #5221.

Additionally, it adds support for pm.sendRequest() for collections imported from Postman.

It enables practical workflows such as OAuth token refresh, data lookups, chained API calls, and follow-up validations directly in pre-request and post-request scripts without leaving the scripting context. The implementation is designed for the QuickJS sandbox with proper marshalling across the VM boundary and predictable types for assertions and test reporting.

Note

It is recommended to use the Agent interceptor on the Web App and the Native interceptor on the Desktop App for fetch, hopp.fetch and pm.sendRequest usages.

On self-hosted instances, there is a known security concern with same-origin requests made from scripts to Hoppscotch's own backend API using cookie-based authentication, as these bypass CSRF protections. The scripting interceptor inspector will warn when this pattern is detected.

Inspector Detection Limitations: The CSRF detection currently uses regex-based pattern matching on script text, which covers common inline patterns (pm.sendRequest("/path"), pm.sendRequest({ url: "/path" })) but does not detect variable references, template literals, or dynamically constructed URLs. Full detection would require AST parsing and data flow analysis, which is deferred to maintain reasonable performance overhead during script editing.

Related to #3305 #4558 HFE-319.

Usage

// hopp.fetch() - Promise-based request sending
const response = await hopp.fetch("https://api.example.com/data", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ key: "value" }),
})

const data = await response.json()
console.log("External API response:", data)

// pm.sendRequest() - Postman-compatible callback-style API
pm.sendRequest("https://api.example.com/data", (error, response) => {
  if (error) {
    console.error("Request failed:", error)
    return
  }
  console.log("Status:", response.code)
  console.log("Body:", response.json())
})

// With request object
const requestObject = {
  url: "https://api.example.com/users",
  method: "POST",
  header: {
    "Content-Type": "application/json",
    Authorization: "Bearer " + pm.environment.get("token"),
  },
  body: {
    mode: "raw",
    raw: JSON.stringify({ name: "John Doe" }),
  },
}

pm.sendRequest(requestObject, (error, response) => {
  if (!error) {
    pm.environment.set("userId", response.json().id)
  }
})

What’s Changed

Introduced hopp.fetch() and global fetch() with standards-aligned primitives (Request, Response, Headers, FormData, URLSearchParams), enabling request-sending within scripts.
- Response objects serialised as plain objects with _bodyBytes numeric arrays to safely cross the QuickJS VM boundary, avoiding invalid state after cage disposal.
- Single-consumption body semantics enforced for .json(), .text(), and .arrayBuffer() matching platform behavior.
- Headers support case-insensitive access, stable iteration, and getSetCookie() API for reliable multi-value Set-Cookie header extraction.
Web app requests route through KernelInterceptorService respecting the user's interceptor preference (Agent/Extension/Browser). At the same time, CLI uses axios with axios-cookiejar-support and tough-cookie for automatic RFC 6265-compliant cookie management across redirects.
Bootstrap code updated to expose fetch and pm.sendRequest() in both pre-request and post-request scripting contexts.
Pre-request runners updated to early-return on error with success-only result capture, preventing partial/misleading state from failed scripts.
Test runners updated to propagate script errors as Left values, surfacing them in test failures rather than silently failing.
Added pm.sendRequest() with error-first callback API for Postman compatibility, supporting both string URLs and request objects with header/body configuration.
Custom fetch cage module implemented in-house within js-sandbox for the added use cases regarding asynchronous execution with fetch() calls, etc, that the module exposed from faraday-cage library has limited support for.
Type definitions extended with FetchCallMeta (url, method, timestamp) and HoppFetchHook types, integrating fetch operations into script runner options.
Monaco editor configured with ES2022 target for top-level await support, with diagnostic codes 1375 and 1378 suppressed to prevent false "top-level await in non-module" errors.
Scripting interceptor inspector added to warn when Extension/Proxy interceptors are used with fetch operations (limited reliability), and same-origin requests made with cookie-based auth on self-hosted instances via the new hasCookieBasedAuth platform feature flag.
Comprehensive test coverage added spanning fetch API primitives, HTTP methods, headers, bodies, single-consumption semantics, error handling, and Postman compatibility layer.
E2E collection updated with fetch operations for validation, and network retry logic added for snapshot tests detecting ECONNRESET/DNS failures with graceful skip on persistent errors.
Test result flicker prevented by resetting testResults to null on request start, ensuring a clean state between runs.
Localisation strings added for fetch-related warnings and inspector messages across UI components.
Backwards compatibility maintained with legacy pw namespace and existing scripts unchanged.

Reviewer Map (Touched Areas)

`packages/hoppscotch-js-sandbox`

src/cage-modules/custom-fetch.ts: Core Fetch implementation, marshalling, single-consumption enforcement.
src/cage-modules/scripting-modules.ts: Module exposure, lifecycle, hook registration.
src/web/pre-request/index.ts & src/node/pre-request/index.ts: Early-return on error; success-only capture semantics.
src/web/test-runner/index.ts & src/node/test-runner/experimental.ts: Error propagation as Left for test failures.
src/bootstrap-code/pre-request.js & post-request.js: Fetch exposure in sandbox; pm.sendRequest wrapper.
src/__tests__/fetch/* & src/__tests__/hopp-namespace/fetch.spec.ts: Coverage across API and edge cases.

`packages/hoppscotch-common`

src/helpers/hopp-fetch.ts: Web app fetch hook routing through KernelInterceptorService.
src/helpers/RequestRunner.ts: Fetch hook creation and injection into script context.
src/components/http/Request.vue: Reset testResults at send to remove flicker.
src/components/MonacoScriptEditor.vue: ES2022 target, top-level await support, diagnostic suppression.
src/services/scripting-interceptor-inspector.service.ts: Inspector tracking fetch calls, CSRF/interceptor warnings.

`packages/hoppscotch-cli`

src/utils/hopp-fetch.ts: CLI fetch hook with axios + cookie jar integration.
src/utils/pre-request.ts & src/utils/test.ts: Fetch hook creation and injection.
src/__tests__/e2e/commands/test.spec.ts: Network retry logic for snapshot tests.
src/__tests__/e2e/fixtures/collections/scripting-revamp-coll.json: E2E test collection with fetch operations.

Note: Paths listed are representative to guide review across the major surfaces.

Notes to Reviewers

Validate the global fetch and hopp.fetch method behaviours via the collection as part of the CLI e2e test suite.

There's a known issue when using Extension as the interceptor, especially with requests having async actions related to fetch() calls, etc. As observed from the stack trace, it appears to be related to Extension internals and needs further investigation.

Such an attempt would lead to the app crashing in development mode, which is intentional to catch errors for debugging, whereas they continue non-blocked in production mode; however, the results are not expected to be on par. Hence, the inspector's warning regarding supported interceptors.

Import the Postman collection here to validate the pm.sendRequest() method behaviors.
Test same-origin fetch with cookie auth to see CSRF warning; test Extension/Proxy interceptor usage to see compatibility warning.

Summary by cubic

Adds request-sending to the scripting sandbox with hopp.fetch(), global fetch(), and pm.sendRequest so pre/post-request scripts can perform token refreshes, chained calls, and validations. Requests respect the chosen interceptor across web, desktop, and CLI, with strong typing and extensive tests.

New Features
- hopp.fetch() and global fetch with Request/Response/Headers/FormData/URLSearchParams support and single-read body semantics.
- pm.sendRequest for Postman compatibility (string URL or request object), backed by the same fetch layer.
- Interceptor-aware routing: Kernel interceptor on web, axios + cookie jar on CLI; improved Set-Cookie multi-header handling and binary/text processing.
- Monaco typing and top-level await enabled for a smoother scripting DX.
- Scripting interceptor inspector: warns on Extension/Proxy usage and CSRF risks on same-origin calls when using cookie auth.
Bug Fixes
- Test expectation placement now preserves context (no more root-level assertions), improving JUnit structure.
- Better error surfacing for runtime and syntax errors in scripts; CLI reports uncaught runtime errors.
- UI: loading state stabilized (Send/Cancel updates immediately); response/test views stay loading during script run and hide empty test groups.
- Safer cancel handling and robust header processing across interceptors.

^{Written for commit 022e2eadda. Summary will update automatically on new commits.}

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/hoppscotch/hoppscotch/pull/5596 **Author:** [@jamesgeorge007](https://github.com/jamesgeorge007) **Created:** 11/19/2025 **Status:** ✅ Merged **Merged:** 11/26/2025 **Merged by:** [@jamesgeorge007](https://github.com/jamesgeorge007) **Base:** `next` ← **Head:** `feat/updated-scripting-system` --- ### 📝 Commits (6) - [`3960262`](https://github.com/hoppscotch/hoppscotch/commit/3960262e87230b0cae007bb3174186b8493de646) feat(scripting-revamp): add support for sending requests in scripting context - [`2e301f2`](https://github.com/hoppscotch/hoppscotch/commit/2e301f2158e36a27250c1052a317d7298ec79972) fix: address Cubic AI review feedback - [`eac120b`](https://github.com/hoppscotch/hoppscotch/commit/eac120b99c83cffcb84b12797273386464f4d836) chore: merge latest changes alongside conflict resolution - [`573da10`](https://github.com/hoppscotch/hoppscotch/commit/573da10f1642299d5566417e5aa7c78ec5326542) fix: address code review feedback for hopp.fetch implementation - [`895f8aa`](https://github.com/hoppscotch/hoppscotch/commit/895f8aa899482469e613ff446420102094666e3e) fix: address additional Cubic AI code review feedback - [`022e2ea`](https://github.com/hoppscotch/hoppscotch/commit/022e2eadda41033f16ccc763bbebc624b57ccf11) chore: cleanup ### 📊 Changes **70 files changed** (+12934 additions, -1067 deletions) <details> <summary>View changed files</summary> 📝 `packages/hoppscotch-cli/package.json` (+2 -0) 📝 `packages/hoppscotch-cli/src/__tests__/e2e/commands/test.spec.ts` (+548 -49) 📝 `packages/hoppscotch-cli/src/__tests__/e2e/fixtures/collections/scripting-revamp-coll.json` (+948 -119) ➕ `packages/hoppscotch-cli/src/__tests__/unit/hopp-fetch.spec.ts` (+579 -0) ➕ `packages/hoppscotch-cli/src/utils/hopp-fetch.ts` (+274 -0) 📝 `packages/hoppscotch-cli/src/utils/pre-request.ts` (+4 -1) 📝 `packages/hoppscotch-cli/src/utils/request.ts` (+28 -0) 📝 `packages/hoppscotch-cli/src/utils/test.ts` (+5 -1) 📝 `packages/hoppscotch-common/locales/en.json` (+7 -0) 📝 `packages/hoppscotch-common/src/components/MonacoScriptEditor.vue` (+8 -1) 📝 `packages/hoppscotch-common/src/components/embeds/Request.vue` (+13 -7) 📝 `packages/hoppscotch-common/src/components/http/Request.vue` (+89 -30) 📝 `packages/hoppscotch-common/src/components/http/Response.vue` (+10 -2) 📝 `packages/hoppscotch-common/src/components/http/ResponseMeta.vue` (+15 -6) 📝 `packages/hoppscotch-common/src/components/http/TestResult.vue` (+21 -4) 📝 `packages/hoppscotch-common/src/components/http/TestResultEntry.vue` (+34 -3) 📝 `packages/hoppscotch-common/src/components/http/test/Response.vue` (+13 -2) 📝 `packages/hoppscotch-common/src/components/lenses/ResponseBodyRenderer.vue` (+4 -1) 📝 `packages/hoppscotch-common/src/helpers/RequestRunner.ts` (+52 -71) ➕ `packages/hoppscotch-common/src/helpers/__tests__/hopp-fetch.spec.ts` (+799 -0) _...and 50 more files_ </details> ### 📄 Description This PR implements request-sending capabilities inside the scripting sandbox by introducing `hopp.fetch()` and a global `fetch()` (alias) with standards-aligned Fetch primitives (`Request`, `Response`, `Headers`, `FormData`, `URLSearchParams`), as proposed in [#5221](https://github.com/hoppscotch/hoppscotch/discussions/5221). Additionally, it adds support for `pm.sendRequest()` for collections imported from Postman. It enables practical workflows such as OAuth token refresh, data lookups, chained API calls, and follow-up validations directly in pre-request and post-request scripts without leaving the scripting context. The implementation is designed for the QuickJS sandbox with proper marshalling across the VM boundary and predictable types for assertions and test reporting. > [!NOTE] > It is recommended to use the Agent interceptor on the Web App and the Native interceptor on the Desktop App for `fetch`, `hopp.fetch` and `pm.sendRequest` usages. > > On self-hosted instances, there is a known security concern with same-origin requests made from scripts to Hoppscotch's own backend API using cookie-based authentication, as these bypass CSRF protections. The scripting interceptor inspector will warn when this pattern is detected. > > **Inspector Detection Limitations**: The CSRF detection currently uses regex-based pattern matching on script text, which covers common inline patterns (`pm.sendRequest("/path")`, `pm.sendRequest({ url: "/path" })`) but does not detect variable references, template literals, or dynamically constructed URLs. Full detection would require AST parsing and data flow analysis, which is deferred to maintain reasonable performance overhead during script editing. <img width="1224" height="730" alt="image" src="https://github.com/user-attachments/assets/2ed66856-bde3-4beb-b2a7-34ed4fc49e9a" /> <img width="1218" height="799" alt="image" src="https://github.com/user-attachments/assets/28508a56-1515-4426-b69e-5224fd727107" /> Related to #3305 #4558 HFE-319. --- ## Usage ```javascript // hopp.fetch() - Promise-based request sending const response = await hopp.fetch("https://api.example.com/data", { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ key: "value" }), }) const data = await response.json() console.log("External API response:", data) ``` ```javascript // pm.sendRequest() - Postman-compatible callback-style API pm.sendRequest("https://api.example.com/data", (error, response) => { if (error) { console.error("Request failed:", error) return } console.log("Status:", response.code) console.log("Body:", response.json()) }) // With request object const requestObject = { url: "https://api.example.com/users", method: "POST", header: { "Content-Type": "application/json", Authorization: "Bearer " + pm.environment.get("token"), }, body: { mode: "raw", raw: JSON.stringify({ name: "John Doe" }), }, } pm.sendRequest(requestObject, (error, response) => { if (!error) { pm.environment.set("userId", response.json().id) } }) ``` --- ## What’s Changed - Introduced `hopp.fetch()` and global `fetch()` with standards-aligned primitives (`Request`, `Response`, `Headers`, `FormData`, `URLSearchParams`), enabling request-sending within scripts. - Response objects serialised as plain objects with `_bodyBytes` numeric arrays to safely cross the QuickJS VM boundary, avoiding invalid state after cage disposal. - Single-consumption body semantics enforced for `.json()`, `.text()`, and `.arrayBuffer()` matching platform behavior. - Headers support case-insensitive access, stable iteration, and `getSetCookie()` API for reliable multi-value Set-Cookie header extraction. - Web app requests route through `KernelInterceptorService` respecting the user's interceptor preference (Agent/Extension/Browser). At the same time, CLI uses axios with `axios-cookiejar-support` and `tough-cookie` for automatic RFC 6265-compliant cookie management across redirects. - Bootstrap code updated to expose fetch and `pm.sendRequest()` in both pre-request and post-request scripting contexts. - Pre-request runners updated to early-return on error with success-only result capture, preventing partial/misleading state from failed scripts. - Test runners updated to propagate script errors as Left values, surfacing them in test failures rather than silently failing. - Added `pm.sendRequest()` with error-first callback API for Postman compatibility, supporting both string URLs and request objects with header/body configuration. - Custom `fetch` cage module implemented in-house within `js-sandbox` for the added use cases regarding asynchronous execution with `fetch()` calls, etc, that the module exposed from [faraday-cage](https://www.npmjs.com/package/faraday-cage) library has limited support for. - Type definitions extended with `FetchCallMeta` (url, method, timestamp) and `HoppFetchHook` types, integrating fetch operations into script runner options. - Monaco editor configured with ES2022 target for top-level await support, with diagnostic codes `1375` and `1378` suppressed to prevent false "top-level await in non-module" errors. - Scripting interceptor inspector added to warn when Extension/Proxy interceptors are used with fetch operations (limited reliability), and same-origin requests made with cookie-based auth on self-hosted instances via the new `hasCookieBasedAuth` platform feature flag. - Comprehensive test coverage added spanning fetch API primitives, HTTP methods, headers, bodies, single-consumption semantics, error handling, and Postman compatibility layer. - E2E collection updated with fetch operations for validation, and network retry logic added for snapshot tests detecting `ECONNRESET/DNS` failures with graceful skip on persistent errors. - Test result flicker prevented by resetting `testResults` to null on request start, ensuring a clean state between runs. - Localisation strings added for fetch-related warnings and inspector messages across UI components. - Backwards compatibility maintained with legacy `pw` namespace and existing scripts unchanged. --- ## Reviewer Map (Touched Areas) ### `packages/hoppscotch-js-sandbox` - `src/cage-modules/custom-fetch.ts`: Core Fetch implementation, marshalling, single-consumption enforcement. - `src/cage-modules/scripting-modules.ts`: Module exposure, lifecycle, hook registration. - `src/web/pre-request/index.ts` & `src/node/pre-request/index.ts`: Early-return on error; success-only capture semantics. - `src/web/test-runner/index.ts` & `src/node/test-runner/experimental.ts`: Error propagation as Left for test failures. - `src/bootstrap-code/pre-request.js` & `post-request.js`: Fetch exposure in sandbox; pm.sendRequest wrapper. - `src/__tests__/fetch/*` & `src/__tests__/hopp-namespace/fetch.spec.ts`: Coverage across API and edge cases. ### `packages/hoppscotch-common` - `src/helpers/hopp-fetch.ts`: Web app fetch hook routing through KernelInterceptorService. - `src/helpers/RequestRunner.ts`: Fetch hook creation and injection into script context. - `src/components/http/Request.vue`: Reset testResults at send to remove flicker. - `src/components/MonacoScriptEditor.vue`: ES2022 target, top-level await support, diagnostic suppression. - `src/services/scripting-interceptor-inspector.service.ts`: Inspector tracking fetch calls, CSRF/interceptor warnings. ### `packages/hoppscotch-cli` - `src/utils/hopp-fetch.ts`: CLI fetch hook with axios + cookie jar integration. - `src/utils/pre-request.ts` & `src/utils/test.ts`: Fetch hook creation and injection. - `src/__tests__/e2e/commands/test.spec.ts`: Network retry logic for snapshot tests. - `src/__tests__/e2e/fixtures/collections/scripting-revamp-coll.json`: E2E test collection with fetch operations. > Note: Paths listed are representative to guide review across the major surfaces. --- ## Notes to Reviewers - Validate the global `fetch` and `hopp.fetch` method behaviours via the [collection](https://github.com/hoppscotch/hoppscotch/pull/5596/files#diff-918d3794b0c7c8c088f3586a83cd32be359403c1d35b02e89ca10599b625eb35) as part of the CLI e2e test suite. > There's a known issue when using `Extension` as the interceptor, especially with requests having async actions related to `fetch()` calls, etc. As observed from the stack trace, it appears to be related to [Extension internals](https://github.com/hoppscotch/hoppscotch-extension) and needs further investigation. > Such an attempt would lead to the app crashing in development mode, which is intentional to catch errors for debugging, whereas they continue non-blocked in production mode; however, the results are not expected to be on par. Hence, the inspector's warning regarding supported interceptors. <img width="423" height="45" alt="image" src="https://github.com/user-attachments/assets/fb4a8f58-7244-400d-b420-ae6328d3a10c" /> - Import the Postman collection [here](https://gist.github.com/jamesgeorge007/c9be5a0aaf1211dfb934cce4f9719556) to validate the `pm.sendRequest()` method behaviors. - Test same-origin fetch with cookie auth to see CSRF warning; test Extension/Proxy interceptor usage to see compatibility warning.  --- ## Summary by cubic Adds request-sending to the scripting sandbox with hopp.fetch(), global fetch(), and pm.sendRequest so pre/post-request scripts can perform token refreshes, chained calls, and validations. Requests respect the chosen interceptor across web, desktop, and CLI, with strong typing and extensive tests. - **New Features** - hopp.fetch() and global fetch with Request/Response/Headers/FormData/URLSearchParams support and single-read body semantics. - pm.sendRequest for Postman compatibility (string URL or request object), backed by the same fetch layer. - Interceptor-aware routing: Kernel interceptor on web, axios + cookie jar on CLI; improved Set-Cookie multi-header handling and binary/text processing. - Monaco typing and top-level await enabled for a smoother scripting DX. - Scripting interceptor inspector: warns on Extension/Proxy usage and CSRF risks on same-origin calls when using cookie auth. - **Bug Fixes** - Test expectation placement now preserves context (no more root-level assertions), improving JUnit structure. - Better error surfacing for runtime and syntax errors in scripts; CLI reports uncaught runtime errors. - UI: loading state stabilized (Send/Cancel updates immediately); response/test views stay loading during script run and hide empty test groups. - Safer cancel handling and robust header processing across interceptors. <sup>Written for commit 022e2eadda41033f16ccc763bbebc624b57ccf11. Summary will update automatically on new commits.</sup>  --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>