Added request dynamic headers view

[Gugabit]

Description

Introduces the ability to preview dynamic and hidden request headers (e.g.: content-type, authorization, user-agent) directly in the UI before sending the request. This can be very important to find or make it more obvious for the user specific errors when debugging.

Design Decisions

1. Dry-Run
Replicating complex request logic on the frontend simply to calculate headers would be error-prone, brittle, and lead to duplicated code.
Instead, I introduced a dry-run-http-request IPC handler. This allows us to run the request through the exact same backend pipeline. The pipeline is aborted, and the final evaluated headers are returned to the UI. This guarantees 100% accuracy on the displayed headers.

Contribution Checklist:

• I've used AI significantly to create this pull request
  • Initial POC was made by Copilot, however I have manually touched and tuned +80% of the present code.
• The pull request only addresses one issue or adds one feature.
• The pull request does not introduce any breaking changes
• I have added screenshots or gifs to help explain the change if applicable.
• I have read the contribution guidelines.
• Create an issue and link to the pull request.
  • Display request dynamic/hidden headers #8395

Summary by CodeRabbit

• New Features

  • Added a dynamic headers view that can show headers discovered from a dry-run request.
  • Added controls to show or hide these headers, and to reveal sensitive auth values when needed.

• Bug Fixes

  • Read-only rows can no longer be dragged, edited, reordered, or deleted.
  • Read-only request headers are now visually disabled and treated as non-editable in the table.

• UI Improvements

  • Updated the request headers actions bar styling and layout for a cleaner experience.

[coderabbitai]

Walkthrough

RequestHeaders now derives dynamic headers from a dry-run request, lets the user show or hide them, and keeps those rows out of persistence and reordering. EditableTable and row styling now treat read-only rows as non-editable. The app adds an IPC bridge plus Electron handler for dry-run header generation.

Changes

Dynamic request header preview

Layer / File(s)	Summary
Dry-run request bridge packages/bruno-app/src/utils/network/index.js, packages/bruno-electron/src/ipc/network/index.js	dryRunHttpRequest invokes the new IPC handler, and the handler builds the request, applies dry-run auth behavior, merges Axios/default/interceptor headers, and returns the final header set or an error.
Dynamic header preview packages/bruno-app/src/components/RequestPane/RequestHeaders/index.js, packages/bruno-app/src/components/RequestPane/RequestHeaders/StyledWrapper.js	RequestHeaders derives dynamic rows from dry-run results, filters them from persistence and reordering, switches EditableTable to the computed row list, and adds the visibility toggle and actions bar styling.
Header cell controls packages/bruno-app/src/components/RequestPane/RequestHeaders/index.js	The name and value editors receive row-level readOnly, and auth-related dynamic values can be hidden, shown, or used to switch the request pane to Authorization.
Read-only row controls packages/bruno-app/src/components/EditableTable/index.js	Drag, checkbox, and delete controls are suppressed for rows marked readOnly.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related issues

• Display request dynamic/hidden headers #8395 — The dry-run header pipeline and dynamic header UI match the issue’s preview flow.

Possibly related PRs

• usebruno/bruno#7810 — EditableTable drag handling changes intersect with the new readOnly drag guard.

Suggested labels

size/XL

Suggested reviewers

• bijin-bruno
• lohit-bruno
• naman-bruno
• sid-bruno

Poem

A dry-run whisper crossed the wire,
And headers shimmered, bright as fire.
Read-only rows said “not today,”
While eye icons peeked, then hid away.
The table bowed and kept its sway. 🎩

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main feature added: a dynamic headers view for requests.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/bruno-app/src/components/RequestPane/RequestHeaders/index.js`:
- Around line 50-56: Add x-wsse to the auth header detection in RequestHeaders
so WSSE credentials are treated like authorization values and masked in the UI.
Update the authHeaderNames useMemo in RequestHeaders/index.js alongside the
existing authorization and apiKey header logic, keeping the same lowercased
Set-based matching so any x-wsse header name is included in the masked header
set.
- Around line 63-68: The dry-run preview in RequestHeaders/index.js can keep
stale data when dryRunHttpRequest fails or returns no headers, so clear the
previous preview before returning on those paths. Update the effect around
dryRunHttpRequest and setDryRunHeaders so that any { error } response, missing
res.headers, or caught rejection resets the headers state to an empty/cleared
value, while still guarding with isMounted before setting new headers.
- Around line 214-228: The new header-preview controls in RequestHeaders should
expose stable Playwright selectors. Add data-testid attributes to the
interactive elements in the isAuthHeader block and the dynamic-header toggle so
tests can target them reliably; use the existing RequestHeaders component
structure and the click handlers that dispatch updateRequestPaneTab and toggle
showAuthValue to identify the right elements. Keep the test ids stable and
unique for the reveal/show-hide control and the go-to-authorization control, and
apply the same pattern to the dynamic-header toggle referenced in the related
section.

In
`@packages/bruno-app/src/components/RequestPane/RequestHeaders/StyledWrapper.js`:
- Around line 41-44: The .read-only styling in StyledWrapper is blocking
interaction for preview rows by disabling pointer events, which prevents focus,
selection, and copy. Update the read-only styling so it still allows text
selection while keeping the visual disabled state, and leave readOnly behavior
enforcement to SingleLineEditor; reference the .read-only rule in StyledWrapper
when making the change.

In `@packages/bruno-electron/src/ipc/network/index.js`:
- Around line 1354-1396: The dry-run flow in
ipcMain.handle('dry-run-http-request') skips the same pre-request mutation step
used by runRequest(), so previewed headers can differ from the real send path.
Update this handler to run the equivalent pre-request logic before calling
configureRequest(), using the existing prepareRequest(), interpolateVars(), and
any runPreRequest-related helper used by runRequest(), so header changes from
scripts/variables are reflected in the preview.
- Around line 1387-1396: The dry-run path in the IPC handler is reusing the
send-time auth setup, which can eagerly resolve OAuth2 credentials when
RequestHeaders renders. Update the code around configureRequest() in the network
IPC flow so the Headers pane uses a non-authenticated/lightweight request
configuration and does not invoke token fetch/refresh or interactive auth flows
until the actual send action. Keep the fix localized to the request-building
path used by RequestHeaders and the configureRequest helper.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6ee1d4c4-80f5-495c-90ad-de8e25734ece

📥 Commits

Reviewing files that changed from the base of the PR and between 87f7426 and 1de876f.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (5)

• packages/bruno-app/src/components/EditableTable/index.js
• packages/bruno-app/src/components/RequestPane/RequestHeaders/StyledWrapper.js
• packages/bruno-app/src/components/RequestPane/RequestHeaders/index.js
• packages/bruno-app/src/utils/network/index.js
• packages/bruno-electron/src/ipc/network/index.js

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/bruno-electron/src/ipc/network/index.js (1)

1436-1441: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Match Axios interceptor order before building the dry-run header preview. Axios request interceptors run in LIFO order and honor runWhen, but this loop walks interceptors.request.handlers in registration order and invokes every fulfilled handler. That can make the preview headers differ from the real request when multiple request interceptors are registered here.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/bruno-electron/src/ipc/network/index.js` around lines 1436 - 1441,
The dry-run header preview in the axios request flow is applying request
interceptors in the wrong way, so it can diverge from the real request. Update
the interceptor replay in the network IPC code to match Axios request
interceptor behavior: execute request interceptors in LIFO order and respect
each interceptor’s runWhen predicate before calling its fulfilled handler. Use
the existing axiosInstance.interceptors.request.handlers logic in the dry-run
path so the preview produced from finalRequest matches what Axios will actually
send.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@packages/bruno-electron/src/ipc/network/index.js`:
- Around line 1436-1441: The dry-run header preview in the axios request flow is
applying request interceptors in the wrong way, so it can diverge from the real
request. Update the interceptor replay in the network IPC code to match Axios
request interceptor behavior: execute request interceptors in LIFO order and
respect each interceptor’s runWhen predicate before calling its fulfilled
handler. Use the existing axiosInstance.interceptors.request.handlers logic in
the dry-run path so the preview produced from finalRequest matches what Axios
will actually send.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: bd068a14-d2c6-4fb5-80b5-15e974d6e387

📥 Commits

Reviewing files that changed from the base of the PR and between 1de876f and 251c118.

📒 Files selected for processing (3)

• packages/bruno-app/src/components/RequestPane/RequestHeaders/StyledWrapper.js
• packages/bruno-app/src/components/RequestPane/RequestHeaders/index.js
• packages/bruno-electron/src/ipc/network/index.js

💤 Files with no reviewable changes (1)

• packages/bruno-app/src/components/RequestPane/RequestHeaders/StyledWrapper.js

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/bruno-app/src/components/RequestPane/RequestHeaders/index.js