kevin1024
Replay attack prevention bypass in response headers
I'm running tests against an API that has replay attack prevention by passing a "Correlation-ID" in the request that is mirrored back in the response. I'd like to set up VCR so that the replay of each request replaces the header in BOTH the request and response because the API client library verifies it before returning to my code.
I was able to figure out how to monkey patch out the replay protection in the client library, so I'm not blocked.
Looking through the code, it seems that the Cassette object is the only part of VCR that has access to both the request and the response. The events that fire before recording only have access to one of the request or response pairs.