Supporting case-insensitive for Box's API response headers #99

Closed
kiseyob opened this issue Feb 4, 2021 · 4 comments

kiseyob commented Feb 4, 2021

Hello,

I got the below email from Box.

"We're reaching out to notify you of a change that may affect your Box application(s). On May 10th, 2021, as part of our continued infrastructure upgrade, Box's API response headers will standardize to always return as lowercase, in line with industry best practices and our API documentation. Applications that are using these headers, such as "location" and "retry-after", will need to verify that their applications are checking for these headers in a case-insensitive fashion. Over the past 12 months Box has been upgrading its networking and observability infrastructure. These upgrades aim to improve reliability and availability of Box's products for our customers. This specific change allows Box to deploy an updated service proxy, enabling Box to more easily monitor service traffic, quickly find problem areas, and tune application performance.

How to verify whether your application(s) will be impacted
Verifying whether your application(s) will be impacted will require a review of your code. If you are solely using one of the official Box SDKs to connect to Box APIs, you will not be impacted as the SDKs handle response headers in a case-insensitive manner.

You may verify whether you are impacted with the following steps:
· Locate the code in your application which handles the responses from Box API requests. If you are not extracting the response headers from these responses, you are not impacted.
· If you are extracting those response headers, you may be impacted if you are expecting those headers in a case-sensitive fashion.

For instance, if you are expecting the "Location" header to be returned with a starting capital "L", a direct string comparison with a specific case, then your code will need to be altered to prevent it from breaking after the change is made.

How to make the change
To update the impacted application(s), ensure that you are checking these response headers in a case-insensitive manner. Specifically, your code should be built in a defensive way to ensure that if a header, such as "Location", is sent with an initial capital "L" or a lowercase "l", it'll be handled in the same way. For example, forcing all headers to lowercase before checking, or using a case-insensitive regex string check, are two viable methods for handling this process.

Additional dates to be aware of
In addition to the date that this change will take effect, May 10th, 2021, we will be running two tests to ensure that we can identify and support applications that may be impacted. During these tests, if your application is impacted, you may see an increase in error rates when checking for those headers. The current dates of these tests, which may shift, are:
· March 15th, 2021
· April 22nd, 2021"

When I check the code in boxr, there are a couple of places like header['WWW-Authenticate'], header['Location'], header['Retry-After'], headers['If-Match'], headers["Content-Type"].
Do you have a plan to deal with this soon?

@kiseyob kiseyob changed the title Supporting incase-sensitive for Box's API response headers Supporting case-insensitive for Box's API response headers Feb 4, 2021
Collaborator

xhocquet commented Feb 4, 2021

Hi @kiseyob, thanks for reaching out. I have just been made aware of this change, but thankfully it should be pretty simple to resolve. I will put it on my to-do list and try to get a release out. If you wanted to work on a PR though, that would be greatly appreciated!

Author

kiseyob commented Feb 5, 2021

Thank you for your quick reply. I'm looking forward to it being done before May.
Unfortunately, I'm not familiar with the inside of the boxr code, so I'm hesitant to fix it myself. Have a good day!

@xhocquet
Collaborator

Hey @kiseyob, update for you! After some investigation, it seems like no change is needed and that Boxr will continue to work as expected after the header update from Box.

If you look at the source for Httpclient which we use for HTTP requests, you will notice that header lookups are case-insensitive already. I verified this by debugging some calls to the .download_file method and verifying the following:

3.0.0 :004 > response.header['connection']
 => ["keep-alive"]
3.0.0 :005 > response.header['Connection']
 => ["keep-alive"]

Thankfully most HTTP libraries already adhere to the HTTP spec that headers are not case-sensitive, so there is nothing to be done by users of this library. Thanks for the report!
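
The difference between an exact-case lookup and a case-folded one, as an added example that is not code from boxr, httpclient, or Box. It also parses "retry-after" in both of its forms; the names `brittle_lookup`, `FoldedHeaders`, `retry_after_seconds` and the sample URL and header values are constructed for illustration.

```ruby
require 'time'

# Constructed sample headers: the same response before and after a proxy
# starts emitting lowercase names. The URL is a placeholder.
URL    = 'https://dl.example.invalid/file/1'
BEFORE = [['Location', URL], ['Retry-After', '5']]
AFTER  = [['location', URL], ['retry-after', 'Mon, 10 May 2021 00:00:30 GMT']]

# Brittle: exact-case lookup on a plain Hash built from the raw pairs.
def brittle_lookup(pairs, name)
  pairs.to_h[name]
end

# Case-insensitive view: names are folded to lowercase on insert and on lookup.
class FoldedHeaders
  def initialize(pairs)
    @values = {}
    pairs.each { |name, value| (@values[name.to_s.downcase] ||= []) << value.to_s.strip }
  end

  # Every value sent for a header, whatever casing sender or caller used.
  def get(name)
    @values.fetch(name.to_s.downcase, [])
  end

  def first(name)
    get(name).first
  end
end

# Retry-After is either delta-seconds or an HTTP-date; return seconds to wait,
# or nil when the header is absent or unparseable.
def retry_after_seconds(headers, now: Time.now)
  raw = headers.first('Retry-After')
  return nil if raw.nil? || raw.empty?
  return raw.to_i if raw.match?(/\A\d+\z/)

  [(Time.httpdate(raw) - now).ceil, 0].max
rescue ArgumentError
  nil
end
```

A client that silently gets `nil` for "location" or "retry-after" tends to fail as a broken download or an unthrottled retry loop, so a check like this belongs in the test suite of any code that copies response headers into its own Hash.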

Author

kiseyob commented Feb 12, 2021

Indeed, httpclient handles it with upcase in the get method of the Headers class. Thank you for checking it, @xhocquet.
It makes me much more comfortable.
