fix: normalize header names before appending

Author: jbeckwith-oai

src/internal/headers.ts

@@ -12,6 +12,7 @@ export type HeadersLike =
   | NullableHeaders;
 
 const brand_privateNullableHeaders = /* @__PURE__ */ Symbol('brand.privateNullableHeaders');
+const httpTokenHeaderName = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
 
 /**
  * @internal
@@ -74,16 +75,19 @@ export const buildHeaders = (newHeaders: HeadersLike[]): NullableHeaders => {
   for (const headers of newHeaders) {
     const seenHeaders = new Set<string>();
     for (const [name, value] of iterateHeaders(headers)) {
+      if (!httpTokenHeaderName.test(name)) {
+        throw new TypeError(`Header name must be a valid HTTP token ["${name}"]`);
+      }
       const lowerName = name.toLowerCase();
       if (!seenHeaders.has(lowerName)) {
-        targetHeaders.delete(name);
+        targetHeaders.delete(lowerName);
         seenHeaders.add(lowerName);
       }
       if (value === null) {
-        targetHeaders.delete(name);
+        targetHeaders.delete(lowerName);
         nullHeaders.add(lowerName);
       } else {
-        targetHeaders.append(name, value);
+        targetHeaders.append(lowerName, value);
         nullHeaders.delete(lowerName);
       }
     }

tests/buildHeaders.test.ts

@@ -85,4 +85,76 @@ describe('buildHeaders', () => {
       expect(inspectNullableHeaders(buildHeaders(input))).toEqual(expected);
     });
   }
+
+  test('normalizes OpenAI headers with locale-invariant ASCII casing', () => {
+    expect('OpenAI-Organization'.toLocaleLowerCase('tr-TR')).toBe('openaı-organization');
+    expect('OpenAI-Project'.toLocaleLowerCase('tr-TR')).toBe('openaı-project');
+
+    const result = buildHeaders([
+      {
+        'OpenAI-Organization': 'org_test',
+        'OpenAI-Project': 'proj_test',
+      },
+    ]);
+
+    const keys = [...result.values.keys()];
+    expect(keys).toEqual(['openai-organization', 'openai-project']);
+    expect(keys.every((key) => /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(key))).toBe(true);
+  });
+
+  test('rejects header names that lowercase into valid ASCII tokens', () => {
+    expect('cooKie'.toLowerCase()).toBe('cookie');
+    expect(() => buildHeaders([{ cooKie: 'value' }])).toThrow(
+      'Header name must be a valid HTTP token ["cooKie"]',
+    );
+  });
+
+  test('passes normalized OpenAI header names to Headers implementations', () => {
+    const OriginalHeaders = globalThis.Headers;
+
+    class LocaleSensitiveHeaders {
+      #values = new Map<string, string>();
+
+      append(name: string, value: string) {
+        this.#values.set(normalizeHeaderName(name), value);
+      }
+
+      delete(name: string) {
+        this.#values.delete(normalizeHeaderName(name));
+      }
+
+      entries() {
+        return this.#values.entries();
+      }
+
+      keys() {
+        return this.#values.keys();
+      }
+    }
+
+    const normalizeHeaderName = (name: string) => {
+      const normalized = name.toLocaleLowerCase('tr-TR');
+      if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(normalized)) {
+        throw new TypeError(`Header name must be a valid HTTP token ["${normalized}"]`);
+      }
+      return normalized;
+    };
+
+    globalThis.Headers = LocaleSensitiveHeaders as unknown as typeof Headers;
+    try {
+      const result = buildHeaders([
+        {
+          'OpenAI-Organization': 'org_test',
+          'OpenAI-Project': 'proj_test',
+        },
+      ]);
+
+      expect([...result.values.entries()]).toEqual([
+        ['openai-organization', 'org_test'],
+        ['openai-project', 'proj_test'],
+      ]);
+    } finally {
+      globalThis.Headers = OriginalHeaders;
+    }
+  });
 });