📡 feat: Add Configurable HyperDX Browser Real User Monitoring #13287
a31c2bb to 8c3aeaa
@codex review |
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8c3aeaaf70
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| return { | ||
| provider: 'hyperdx', | ||
| enabled: true, | ||
| url: parsedUrl.href.replace(/\/$/, ''), |
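Review bot: on the url: line, parsedUrl.href serializes the whole URL, so any query string or fragment on the configured collector URL is returned along with it, and replace(/\/$/, '') only strips a slash when it is the very last character, which it is not once a query string is present. If this value is meant to be a base endpoint, build it from parsedUrl.origin + parsedUrl.pathname and strip the trailing slash from that, or reject URLs whose search or hash is non-empty.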
Remove URL credentials from client-exposed RUM config
When RUM_URL includes embedded credentials (for example https://user:pass@collector), this code forwards parsedUrl.href directly into /api/config, which is returned to browsers. That leaks collector credentials to every client that fetches startup config and can expose secrets via browser tooling, logs, and network captures. Reject URLs with username/password or strip userinfo before serializing the URL.
| } | ||
|
|
||
| function isLocalhost(url) { | ||
| return url.hostname === 'localhost' || url.hostname === '127.0.0.1' || url.hostname === '::1'; |
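Review bot: isLocalhost compares url.hostname against exact literals, so other loopback spellings such as 127.0.0.2 or a trailing-dot localhost. return false and the URL is treated as non-local. That fails closed, which is the safe direction for an allowlist, but add a one-line comment above the function stating which forms are accepted so the strictness reads as intentional.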
Handle IPv6 localhost when validating HTTP RUM_URL
The localhost allowlist checks url.hostname === '::1', but new URL('http://[::1]:4318').hostname is '[::1]'. In public-token mode this makes valid loopback URLs fail isSafeRumUrl, so RUM is unexpectedly disabled for IPv6 localhost setups. Normalizing or accepting the bracketed IPv6 loopback hostname fixes this.
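The two URL checks described in the review comments above (no userinfo in the client-exposed URL, and the bracketed IPv6 loopback hostname), as an added JavaScript example that is not code from this PR or from LibreChat. The names toClientRumUrl, isLoopback and checkSamples and the sample URLs are hypothetical; the https-unless-loopback policy and the dropping of query and fragment are assumptions.

```javascript
// Added example, not LibreChat code. Names and policy are assumptions.
// WHATWG URL keeps the brackets on IPv6 literals:
// new URL('http://[::1]:4318').hostname === '[::1]'
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

function isLoopback(url) {
  return LOOPBACK_HOSTS.has(url.hostname);
}

// Returns { ok: true, url } with a value that is safe to send to browsers,
// or { ok: false, reason } when the configured URL must not be exposed.
function toClientRumUrl(raw) {
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  // Reject embedded credentials instead of silently forwarding them.
  if (parsed.username !== '' || parsed.password !== '') {
    return { ok: false, reason: 'userinfo' };
  }
  // Assumed policy: https everywhere, plain http only for loopback.
  const httpsOk = parsed.protocol === 'https:';
  const localHttpOk = parsed.protocol === 'http:' && isLoopback(parsed);
  if (!httpsOk && !localHttpOk) {
    return { ok: false, reason: 'insecure-scheme' };
  }
  // Assumption: the collector URL is a base endpoint, so rebuild it from
  // origin + pathname (drops query and fragment) and trim one trailing slash.
  const url = (parsed.origin + parsed.pathname).replace(/\/$/, '');
  return { ok: true, url };
}

// Constructed sample inputs (not taken from the PR).
const SAMPLES = [
  'https://user:pass@collector.example.com/',
  'http://[::1]:4318',
  'http://collector.example.com:4318',
  'https://collector.example.com/v1/?debug=1',
];

function checkSamples() {
  return SAMPLES.map((raw) => ({ raw, ...toClientRumUrl(raw) }));
}

console.log(checkSamples());
```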
| return; | ||
| } | ||
|
|
||
| originalOpen.call(this, method, url, true); |
Preserve XHR credentials when async is omitted
The interceptor rewrites xhr.open() and forces originalOpen(..., true) whenever async is not explicitly boolean, which discards the optional username/password arguments in that call path. Any XHR that relies on omitted async while supplying credentials can lose authentication and start failing (for example 401 responses), and this affects all XHR usage because the wrapper replaces window.XMLHttpRequest globally.
|
@upman please review eslint errors |
|
@danny-avila Fixed |
|
@codex review |
|
@upman additional eslint issues here |
|
Codex Review: Didn't find any major issues. Chef's kiss.
Pull Request Template
Summary
Adds opt-in HyperDX browser RUM support with a startup config surface, early fetch/XHR authorization header injection, HyperDX SDK initialization, route/user attributes, privacy-safe defaults, and tests.
Documentation PR: LibreChat-AI/librechat.ai#585
Change Type
Testing
npx jest server/routes/__tests__/config.spec.js server/routes/__tests__/config.rum.spec.js --runInBand
npx jest src/lib/rum/routes.spec.ts src/lib/rum/early.spec.ts src/lib/rum/useRum.spec.tsx --runInBand
Test Configuration:
HyperDX RUM was tested with config-driven startup values and unit coverage for public token and authenticated user JWT modes.
Checklist