import { provideHttpClient, withInterceptors } from '@angular/common/http'; import { HttpTestingController, provideHttpClientTesting } from '@angular/common/http/testing'; import { TestBed } from '@angular/core/testing'; import { BffApiV1Service } from 'api-client'; import { authInterceptor } from 'auth'; import { AbstractSecurityStorage, ConfigurationService } from 'angular-auth-oidc-client'; import { SECURE_API_ROUTES } from './app.config'; // Guards the medewerker token wiring end-to-end. The api-client calls the BFF with RELATIVE URLs, and // the angular-auth-oidc-client interceptor attaches the token only when `req.url` starts with a // configured secureRoute. A regression to an absolute origin makes the relative URL never match, so // the behandel calls go out unauthenticated and the BFF answers 401. This drives the REAL interceptor // and the REAL api-client against the REAL production route value (SECURE_API_ROUTES); only the config // source and token storage are faked, so the assertion turns on the actual route-matching. describe('behandel medewerker token wiring', () => { let http: HttpTestingController; let bff: BffApiV1Service; const token = 'medewerker-access-token'; beforeEach(() => { TestBed.configureTestingModule({ providers: [ provideHttpClient(withInterceptors([authInterceptor()])), provideHttpClientTesting(), { provide: ConfigurationService, useValue: { hasAtLeastOneConfig: () => true, getAllConfigurations: () => [{ configId: 'medewerker', secureRoutes: SECURE_API_ROUTES }], }, }, { // A signed-in session: the storage the interceptor's token lookup reads from. provide: AbstractSecurityStorage, useValue: { read: () => JSON.stringify({ authzData: token, authnResult: { id_token: 'id-token' } }), write: () => undefined, remove: () => undefined, clear: () => undefined, }, }, ], }); http = TestBed.inject(HttpTestingController); bff = TestBed.inject(BffApiV1Service); }); afterEach(() => http.verify()); it('attaches the bearer token to the relative werkbak call', () => { bff.getBehandelWerkbak().subscribe(); const req = http.expectOne('/behandel/werkbak'); expect(req.request.headers.get('Authorization')).toBe(`Bearer ${token}`); req.flush([]); }); it('attaches the bearer token to the relative decide call', () => { bff.postBehandelRegistrationsIdDecide('reg-1', { besluit: 'goedkeuren' }).subscribe(); const req = http.expectOne('/behandel/registrations/reg-1/decide'); expect(req.request.headers.get('Authorization')).toBe(`Bearer ${token}`); req.flush(null); }); it('leaves the anonymous openbaar register call unauthenticated', () => { bff.getOpenbaarRegister().subscribe(); const req = http.expectOne((r) => r.url === '/openbaar/register'); expect(req.request.headers.has('Authorization')).toBe(false); req.flush([]); }); });