All checks were successful
CI / lint (pull_request) Successful in 1m8s
CI / build (pull_request) Successful in 53s
CI / unit (pull_request) Successful in 58s
CI / frontend (pull_request) Successful in 2m10s
CI / mutation (pull_request) Successful in 3m58s
CI / verify-stack (pull_request) Successful in 7m48s
The token-attachment bug (secureRoutes set to the app origin, which a relative api-client URL never matches) was only caught by the full-stack e2e. Add a fast unit guard: drive the REAL angular-auth-oidc-client interceptor and the REAL api-client against the production route value, faking only the config source and the token storage. Asserts the bearer token rides the relative /self-service/ call and is withheld from the anonymous /openbaar/ call. Extract the value to a shared SECURE_API_ROUTES constant so the test binds to exactly what the app configures. Verified the guard fails (Authorization null) if the value regresses to an origin. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
43 lines
1.7 KiB
TypeScript
43 lines
1.7 KiB
TypeScript
import { provideHttpClient, withInterceptors } from '@angular/common/http';
|
|
import {
|
|
ApplicationConfig,
|
|
provideBrowserGlobalErrorListeners,
|
|
} from '@angular/core';
|
|
import { provideRouter } from '@angular/router';
|
|
import { authInterceptor, provideDigiadAuth } from 'auth';
|
|
import { appRoutes } from './app.routes';
|
|
|
|
/** Environment-specific settings fetched from /config.json at startup (see main.ts). */
|
|
export interface RuntimeConfig {
|
|
/** The Keycloak `digid` realm issuer as the browser reaches it (dev: localhost; compose: keycloak:8080). */
|
|
authority: string;
|
|
}
|
|
|
|
/**
|
|
* Route prefixes whose requests carry the DigiD token. These MUST match the **relative** URLs the
|
|
* api-client actually calls (same-origin via the nginx proxy) — the interceptor matches on `req.url`,
|
|
* which stays relative, so an absolute origin would never match and the token would go unattached.
|
|
* `/openbaar/` is deliberately excluded: it is the anonymous public register.
|
|
*/
|
|
export const SECURE_API_ROUTES = ['/self-service/'];
|
|
|
|
/**
|
|
* Build the app providers from runtime config. `redirectUrl` is the app's own origin (where Keycloak
|
|
* redirects back). `secureRoutes` uses {@link SECURE_API_ROUTES} — relative prefixes, not the origin.
|
|
*/
|
|
export function appConfig(runtime: RuntimeConfig): ApplicationConfig {
|
|
const origin = typeof window !== 'undefined' ? window.location.origin : '/';
|
|
return {
|
|
providers: [
|
|
provideBrowserGlobalErrorListeners(),
|
|
provideRouter(appRoutes),
|
|
provideHttpClient(withInterceptors([authInterceptor()])),
|
|
provideDigiadAuth({
|
|
authority: runtime.authority,
|
|
redirectUrl: origin,
|
|
secureRoutes: SECURE_API_ROUTES,
|
|
}),
|
|
],
|
|
};
|
|
}
|