fix(portal-self-service): attach the DigiD token to relative BFF calls (refs #68)
All checks were successful
CI / lint (pull_request) Successful in 1m12s
CI / build (pull_request) Successful in 51s
CI / unit (pull_request) Successful in 1m3s
CI / verify-stack (pull_request) Successful in 7m59s
CI / frontend (pull_request) Successful in 1m48s
CI / mutation (pull_request) Successful in 3m57s
All checks were successful
CI / lint (pull_request) Successful in 1m12s
CI / build (pull_request) Successful in 51s
CI / unit (pull_request) Successful in 1m3s
CI / verify-stack (pull_request) Successful in 7m59s
CI / frontend (pull_request) Successful in 1m48s
CI / mutation (pull_request) Successful in 3m57s
After login the submit silently did nothing: the confirmation ("...is
ontvangen...") never rendered because the POST to the BFF went out with no
Authorization header, so the BFF rejected it and the no-error-handler
subscribe left the page unchanged.
Root cause: angular-auth-oidc-client's interceptor attaches the token when
`req.url.startsWith(secureRoute)`. The api-client calls the BFF with RELATIVE
URLs (same-origin via the nginx proxy), so `req.url` is `/self-service/...` —
but secureRoutes was configured as the app ORIGIN (`http://self-service`),
which a relative URL never starts with. No match → no token.
Configure secureRoutes with the relative `/self-service/` prefix instead. The
unit test mocked the api-client, so only the walking-skeleton e2e exercises the
real token attachment — now green.
Verified against a focused stack (keycloak + self-service + real BFF + stub
domain): the submit now carries the bearer token, the BFF forwards to the
domain, and the portal shows the confirmation with the returned reference.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -14,9 +14,11 @@ export interface RuntimeConfig {
|
||||
}
|
||||
|
||||
/**
|
||||
* Build the app providers from runtime config. `redirectUrl` and `secureApiOrigin` are the app's own
|
||||
* origin: the app is served same-origin as the BFF (nginx proxies /self-service + /openbaar), so the
|
||||
* api-client's relative calls stay same-origin and the token interceptor attaches to them.
|
||||
* Build the app providers from runtime config. `redirectUrl` is the app's own origin (where Keycloak
|
||||
* redirects back). The app is served same-origin as the BFF (nginx proxies /self-service + /openbaar),
|
||||
* so the api-client uses **relative** URLs — hence `secureRoutes` is the relative `/self-service/`
|
||||
* prefix (the guarded BFF route), not the origin: the interceptor matches on `req.url`, which stays
|
||||
* relative, so an origin would never match and the token would not be attached.
|
||||
*/
|
||||
export function appConfig(runtime: RuntimeConfig): ApplicationConfig {
|
||||
const origin = typeof window !== 'undefined' ? window.location.origin : '/';
|
||||
@@ -28,7 +30,7 @@ export function appConfig(runtime: RuntimeConfig): ApplicationConfig {
|
||||
provideDigiadAuth({
|
||||
authority: runtime.authority,
|
||||
redirectUrl: origin,
|
||||
secureApiOrigin: origin,
|
||||
secureRoutes: ['/self-service/'],
|
||||
}),
|
||||
],
|
||||
};
|
||||
|
||||
@@ -13,8 +13,13 @@ export interface DigiadAuthOptions {
|
||||
authority: string;
|
||||
/** Where Keycloak redirects back to after login (usually the app origin). */
|
||||
redirectUrl: string;
|
||||
/** The BFF origin whose requests get the bearer token attached (secure route). */
|
||||
secureApiOrigin: string;
|
||||
/**
|
||||
* Route prefixes whose requests get the bearer token attached. The api-client calls the BFF with
|
||||
* **relative** URLs (same-origin via the nginx proxy), so these must be relative path prefixes
|
||||
* (e.g. `/self-service/`) — angular-auth-oidc-client matches `req.url.startsWith(route)`, and a
|
||||
* relative `req.url` never starts with an absolute origin.
|
||||
*/
|
||||
secureRoutes: string[];
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -35,7 +40,7 @@ export function provideDigiadAuth(options: DigiadAuthOptions): EnvironmentProvid
|
||||
responseType: 'code',
|
||||
silentRenew: true,
|
||||
useRefreshToken: true,
|
||||
secureRoutes: [options.secureApiOrigin],
|
||||
secureRoutes: options.secureRoutes,
|
||||
logLevel: LogLevel.Warn,
|
||||
},
|
||||
},
|
||||
|
||||
Reference in New Issue
Block a user