幂等键被同时发送到请求体 / Idempotency key is also sent in request bodies

[saxon134]

问题 / Problem

中文：VideosResource.create 和 TasksResource.create 从 params.get("idempotency_key") 生成 Idempotency-Key header，但同一个 params 又传给 _payload 作为 JSON body，因此调用 create(..., idempotency_key="idem_1") 会同时发送 header 和 body 字段 idempotency_key。如果服务端 schema 不接受该字段，请求会被拒绝；即使接受，也会把只应属于传输层的控制参数混入业务 payload。修复应在构造 body 前移除 idempotency_key。价值：减少 4xx 请求失败和排障成本，让 SDK 参数语义更清晰可靠。English: VideosResource.create and TasksResource.create derive the Idempotency-Key header from params.get("idempotency_key"), but the same params is also passed to _payload as the JSON body, so create(..., idempotency_key="idem_1") sends both the header and a body field named idempotency_key. If the server schema rejects unknown fields, the request fails; even if accepted, a transport control parameter leaks into the business payload. Remove idempotency_key before building the body. Value: fewer 4xx failures and lower debugging cost, with clearer SDK parameter semantics.

价值 / Value

修复该问题可以提升正确性、可靠性和用户信任，降低 idempotency_key leaked into create request bodies 带来的排障与运维成本。

Fixing this issue improves correctness, reliability, and user trust while reducing debugging and operational cost caused by idempotency_key leaked into create request bodies.

证据 / Evidence

File: src/globalrouter/_resources.py

Line: 335

Severity / 严重级别: medium

Summary / 摘要: idempotency_key leaked into create request bodies

[saxon134]

Coding Loop Plan

Refined Issue

When callers pass idempotency_key to idempotent create methods, the SDK should send it only as the Idempotency-Key header and must not include idempotency_key in the JSON request body.

Implementation Plan

Fix idempotency handling only for the affected create endpoints: VideosResource.create, VideosResource.create_async, TasksResource.create, and TasksResource.create_async. Continue deriving the Idempotency-Key header from the public idempotency_key parameter, but remove that SDK-only control parameter before constructing the JSON payload for those calls. Do not rename public parameters and do not change unrelated payload behavior.

Add regression assertions using mock HTTP requests for video creation and task creation that pass idempotency_key and verify both conditions: the outgoing request contains the expected Idempotency-Key header, and the serialized JSON body does not contain idempotency_key. Cover async variants as well, or factor the filtering through a shared helper and test that helper plus both resources so the async call sites cannot keep leaking the parameter.

Development Tasks

1. Remove idempotency_key from idempotent request bodies
   Update the idempotent create paths so idempotency_key is consumed for the Idempotency-Key header but is not passed into BaseResource._payload. Prefer a small local helper or a filtered params copy in VideosResource.create, VideosResource.create_async, TasksResource.create, and TasksResource.create_async; keep the existing header behavior unchanged. Add regression coverage in tests/test_client.py that captures the outgoing request JSON for /api/v1/videos and /v1/tasks, asserts the idempotency-key header is present, and asserts idempotency_key is absent from the JSON body while normal fields remain present.
   Files: src/globalrouter/_resources.py, tests/test_client.py
   Tests: python -m pytest tests/test_client.py, python -m pytest