PR #35724: fix: fix response header overwrite

• Repository: langgenius/dify
• Author: fatelei
• State: closed | merged: False
• Link: https://github.com/langgenius/dify/pull/35724

Description (problem / solution / changelog)

[!IMPORTANT]

1. Make sure you have read our contribution guidelines
2. Ensure there is an associated issue and you have been assigned to it
3. Use the correct syntax to link this PR: Fixes #<issue number>.

Summary

fix #35722 response header is overwrite

Screenshots

Checklist

• This change requires a documentation update, included: Dify Document
• I understand that this PR may be closed in case there was no previous discussion or issues. (This doesn't apply to typos!)
• I've added a test for each change that was introduced, and I tried as much as possible to make a single atomic change.
• I've updated the documentation accordingly.
• I ran make lint && make type-check (backend) and cd web && pnpm exec vp staged (frontend) to appease the lint gods

Changed files

• api/core/plugin/utils/http_parser.py (modified, +2/-1)

PR #35726: fix(plugin): preserve multi-value HTTP response headers

• Repository: langgenius/dify
• Author: xr843
• State: closed | merged: True
• Link: https://github.com/langgenius/dify/pull/35726

Description (problem / solution / changelog)

Summary

Closes #35722. deserialize_response in api/core/plugin/utils/http_parser.py used dict-style assignment (response.headers[name] = value.strip()) on a flask.Response object. Same-named headers — most importantly Set-Cookie, but also any custom multi-value header — were silently overwritten so only the last occurrence survived.

close https://github.com/langgenius/dify/pull/35724

Root cause

The parser splits header_data on \r\n and produces one entry per line, so multiple Set-Cookie lines do reach the loop. The defect is the dict-style assignment in the loop body, which clobbers prior values for duplicate keys. Sibling function deserialize_request already uses headers.add() (line 68), so this is purely a correctness gap in deserialize_response.

Fix

Switch to Headers.add(), but first call response.headers.clear() to drop the defaults Flask injects in Response(...) (Content-Type: text/html; charset=utf-8 and Content-Length). Without clear(), every plugin response would acquire a duplicate Content-Type header.

Changes

• api/core/plugin/utils/http_parser.py: response.headers.clear() then response.headers.add(name, value) per parsed header
• api/tests/unit_tests/core/plugin/utils/test_http_parser.py: 3 new tests
  • duplicate Set-Cookie headers preserved
  • duplicate generic headers (X-Custom) preserved
  • default Content-Type not injected when the upstream response had none

Test plan

• cd api && PYTHONPATH=. python3 -m pytest tests/unit_tests/core/plugin/utils/test_http_parser.py -v → 43/43 pass
• ruff check and ruff format --check clean (per api/.ruff.toml)
• No other dict-style headers[...] = assignments in the file (grep confirmed)
• Verified the only caller (TriggerDispatchResponse.convert_response in core/plugin/entities/request.py) intends to faithfully relay the plugin's response, so dropping Flask's injected default Content-Type is a positive correction, not a regression.

Compliance with HTTP semantics

• Set-Cookie cannot be comma-merged (RFC 6265 §3), so the Headers.add() approach (one entry per occurrence) is the correct preservation strategy.
• werkzeug.Headers.items() yields each occurrence individually, so downstream serialize_response continues to round-trip multi-value headers correctly.

Changed files

• api/core/plugin/utils/http_parser.py (modified, +7/-1)
• api/tests/unit_tests/core/plugin/utils/test_http_parser.py (modified, +44/-0)