Merge pull request #8493 from BitGo/claude/review-header-whitelist-JB0UY

sandra-wang-bitgo · web-flow · commit 531d4f67de96 · 2026-04-14T07:55:34.000-04:00
feat: forward X-BitGo-OTP header from client requests to BitGo API
diff --git a/modules/express/src/clientRoutes.ts b/modules/express/src/clientRoutes.ts
@@ -69,6 +69,12 @@ const debug = debugLib('bitgo:express');
 
 const BITGOEXPRESS_USER_AGENT = `BitGoExpress/${pjson.version} BitGoJS/${version}`;
 
+/**
+ * Headers from the incoming request that should be forwarded to the BitGo API.
+ * Header names must be lowercase (Express normalizes incoming headers to lowercase).
+ */
+const FORWARDED_HEADERS = ['x-bitgo-otp'];
+
 function handlePing(
   req: ExpressApiRouteRequest<'express.ping', 'get'>,
   res: express.Response,
@@ -1337,6 +1343,13 @@ export function redirectRequest(
       request.set('enterprise-id', req.params.enterpriseId);
     }
 
+    for (const header of FORWARDED_HEADERS) {
+      const value = req.headers[header];
+      if (value) {
+        request.set(header, Array.isArray(value) ? value[0] : value);
+      }
+    }
+
     return request.result().then((result) => {
       const status = request.res?.statusCode || 200;
       return { status, body: result };
diff --git a/modules/express/test/unit/clientRoutes/index.ts b/modules/express/test/unit/clientRoutes/index.ts
@@ -16,6 +16,7 @@ describe('common methods', () => {
       req = {
         body: {},
         params: {},
+        headers: {},
         bitgo,
       } as express.Request;
       next = () => undefined;
@@ -52,6 +53,36 @@ describe('common methods', () => {
       result.body.should.deepEqual({ success: true });
     });
 
+    it('should forward X-BitGo-OTP header when present', async () => {
+      const url = 'https://example.com/api';
+      const setStub = sandbox.stub();
+      const response = { res: { statusCode: 200 }, result: async () => ({ success: true }), set: setStub };
+      sandbox
+        .stub(bitgo, 'get')
+        .withArgs(url)
+        .returns(response as any);
+
+      req.headers = { 'x-bitgo-otp': '123456' } as any;
+      const result = await redirectRequest(bitgo, 'GET', url, req, next);
+      result.status.should.equal(200);
+      setStub.calledWith('x-bitgo-otp', '123456').should.be.true();
+    });
+
+    it('should not forward X-BitGo-OTP header when not present', async () => {
+      const url = 'https://example.com/api';
+      const setStub = sandbox.stub();
+      const response = { res: { statusCode: 200 }, result: async () => ({ success: true }), set: setStub };
+      sandbox
+        .stub(bitgo, 'get')
+        .withArgs(url)
+        .returns(response as any);
+
+      req.headers = {} as any;
+      const result = await redirectRequest(bitgo, 'GET', url, req, next);
+      result.status.should.equal(200);
+      setStub.calledWith('x-bitgo-otp').should.be.false();
+    });
+
     it('should handle error response and return status and body', async () => {
       const url = 'https://example.com/api';
       const response = {
