test(portal-self-service): guard that the DigiD token attaches to relative BFF calls (refs #68)
All checks were successful
CI / lint (pull_request) Successful in 1m8s
CI / build (pull_request) Successful in 53s
CI / unit (pull_request) Successful in 58s
CI / frontend (pull_request) Successful in 2m10s
CI / mutation (pull_request) Successful in 3m58s
CI / verify-stack (pull_request) Successful in 7m48s
All checks were successful
CI / lint (pull_request) Successful in 1m8s
CI / build (pull_request) Successful in 53s
CI / unit (pull_request) Successful in 58s
CI / frontend (pull_request) Successful in 2m10s
CI / mutation (pull_request) Successful in 3m58s
CI / verify-stack (pull_request) Successful in 7m48s
The token-attachment bug (secureRoutes set to the app origin, which a relative api-client URL never matches) was only caught by the full-stack e2e. Add a fast unit guard: drive the REAL angular-auth-oidc-client interceptor and the REAL api-client against the production route value, faking only the config source and the token storage. Asserts the bearer token rides the relative /self-service/ call and is withheld from the anonymous /openbaar/ call. Extract the value to a shared SECURE_API_ROUTES constant so the test binds to exactly what the app configures. Verified the guard fails (Authorization null) if the value regresses to an origin. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -13,12 +13,17 @@ export interface RuntimeConfig {
|
||||
authority: string;
|
||||
}
|
||||
|
||||
/**
|
||||
* Route prefixes whose requests carry the DigiD token. These MUST match the **relative** URLs the
|
||||
* api-client actually calls (same-origin via the nginx proxy) — the interceptor matches on `req.url`,
|
||||
* which stays relative, so an absolute origin would never match and the token would go unattached.
|
||||
* `/openbaar/` is deliberately excluded: it is the anonymous public register.
|
||||
*/
|
||||
export const SECURE_API_ROUTES = ['/self-service/'];
|
||||
|
||||
/**
|
||||
* Build the app providers from runtime config. `redirectUrl` is the app's own origin (where Keycloak
|
||||
* redirects back). The app is served same-origin as the BFF (nginx proxies /self-service + /openbaar),
|
||||
* so the api-client uses **relative** URLs — hence `secureRoutes` is the relative `/self-service/`
|
||||
* prefix (the guarded BFF route), not the origin: the interceptor matches on `req.url`, which stays
|
||||
* relative, so an origin would never match and the token would not be attached.
|
||||
* redirects back). `secureRoutes` uses {@link SECURE_API_ROUTES} — relative prefixes, not the origin.
|
||||
*/
|
||||
export function appConfig(runtime: RuntimeConfig): ApplicationConfig {
|
||||
const origin = typeof window !== 'undefined' ? window.location.origin : '/';
|
||||
@@ -30,7 +35,7 @@ export function appConfig(runtime: RuntimeConfig): ApplicationConfig {
|
||||
provideDigiadAuth({
|
||||
authority: runtime.authority,
|
||||
redirectUrl: origin,
|
||||
secureRoutes: ['/self-service/'],
|
||||
secureRoutes: SECURE_API_ROUTES,
|
||||
}),
|
||||
],
|
||||
};
|
||||
|
||||
Reference in New Issue
Block a user