From 9b3356e1c7c845d979d2bce0d24532523adf0a76 Mon Sep 17 00:00:00 2001
From: Cristhian Zanforlin Lousa <cristhian.lousa@gmail.com>
Date: Tue, 15 Jul 2025 20:09:48 -0300
Subject: [PATCH] fix: Prevent Authorization header on external URLs (#9061)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

🐛 (api.tsx): fix issue where Authorization header was not being set correctly for internal requests
💡 (api.tsx): improve logic to set Authorization header only for internal requests and add custom headers for all requests
---
 src/frontend/src/controllers/API/api.tsx | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/frontend/src/controllers/API/api.tsx b/src/frontend/src/controllers/API/api.tsx
index 2edede810..22b46ff39 100644
--- a/src/frontend/src/controllers/API/api.tsx
+++ b/src/frontend/src/controllers/API/api.tsx
@@ -49,11 +49,11 @@ function ApiInterceptor() {
       request: (url, config) => {
         const accessToken = customGetAccessToken();
 
-        if (accessToken && !isAuthorizedURL(config?.url)) {
-          config.headers["Authorization"] = `Bearer ${accessToken}`;
-        }
-
         if (!isExternalURL(url)) {
+          if (accessToken && !isAuthorizedURL(config?.url)) {
+            config.headers["Authorization"] = `Bearer ${accessToken}`;
+          }
+
           for (const [key, value] of Object.entries(customHeaders)) {
             config.headers[key] = value;
           }