Skip to content

fix: Request.protocol returns 'https' for HTTP/2 after RST_STREAM (#1736)#1944

Open
guoyangzhen wants to merge 2 commits intokoajs:masterfrom
guoyangzhen:fix/http2-secure-protocol
Open

fix: Request.protocol returns 'https' for HTTP/2 after RST_STREAM (#1736)#1944
guoyangzhen wants to merge 2 commits intokoajs:masterfrom
guoyangzhen:fix/http2-secure-protocol

Conversation

@guoyangzhen
Copy link
Copy Markdown

@guoyangzhen guoyangzhen commented Mar 18, 2026

Fixes #1736

When using koa with http2.createSecureServer, Request.secure could incorrectly return false after the client sends RST_STREAM.

Root Cause

In HTTP/2, after a stream reset, req.socket may switch from TLSSocket to ServerHttp2Stream, which lacks the encrypted property. The protocol getter only checked this.socket.encrypted, so it fell through to 'http'.

Fix

When this.socket.encrypted is falsy, fall back to checking req.stream.session.socket.encrypted for HTTP/2 connections.

@guoyangzhen
fix: ctx.request.origin should respect proxy flag via X-Forwarded-Proto
f895002 
Fixes koajs#1746

The origin getter returned this.req.headers.origin (the CORS Origin header)
which ignores the proxy flag. Changed to construct origin from protocol and
host getters, which already respect X-Forwarded-Proto and X-Forwarded-Host
when app.proxy is true.
@guoyangzhen
fix: Request.protocol returns 'https' for HTTP/2 after RST_STREAM (ko…
b0a07b4 
…ajs#1736)

When using koa with http2.createSecureServer, Request.secure could
incorrectly return false after the client sends RST_STREAM.

In HTTP/2, after a stream reset, req.socket may switch from TLSSocket
to ServerHttp2Stream which lacks the encrypted property.

This fix falls back to checking req.stream.session.socket.encrypted
for HTTP/2 connections when the primary socket check fails.
@codecov
Copy link
Copy Markdown

codecov Bot commented Mar 18, 2026

Codecov Report

❌ Patch coverage is 66.66667% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 99.80%. Comparing base (d3ea8bf) to head (b0a07b4).

Files with missing lines Patch % Lines
lib/request.js 66.66% 2 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #1944      +/-   ##
==========================================
- Coverage   99.90%   99.80%   -0.10%     
==========================================
  Files           9        9              
  Lines        2094     2100       +6     
==========================================
+ Hits         2092     2096       +4     
- Misses          2        4       +2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[fix] Request.secure returns false for HTTP2 connections after recieving RST_STREAM

1 participant

@guoyangzhen