import { provideHttpClient, withInterceptors } from '@angular/common/http'; import { ApplicationConfig, provideBrowserGlobalErrorListeners } from '@angular/core'; import { provideRouter } from '@angular/router'; import { authInterceptor, provideMedewerkerAuth } from 'auth'; import { appRoutes } from './app.routes'; /** Environment-specific settings fetched from /config.json at startup (see main.ts). */ export interface RuntimeConfig { /** The Keycloak `medewerker` realm issuer as the browser reaches it (dev: localhost; compose: keycloak:8080). */ authority: string; } /** * Route prefixes whose requests carry the medewerker token. These MUST match the **relative** URLs * the api-client actually calls (same-origin via the nginx proxy) — the interceptor matches on * `req.url`, which stays relative, so an absolute origin would never match and the token would go * unattached. Only `/behandel/` is secured; the app calls no other endpoint group. */ export const SECURE_API_ROUTES = ['/behandel/']; /** * Build the app providers from runtime config. `redirectUrl` is the app's own origin (where Keycloak * redirects back). `secureRoutes` uses {@link SECURE_API_ROUTES} — relative prefixes, not the origin. */ export function appConfig(runtime: RuntimeConfig): ApplicationConfig { const origin = typeof window !== 'undefined' ? window.location.origin : '/'; return { providers: [ provideBrowserGlobalErrorListeners(), provideRouter(appRoutes), provideHttpClient(withInterceptors([authInterceptor()])), provideMedewerkerAuth({ authority: runtime.authority, redirectUrl: origin, secureRoutes: SECURE_API_ROUTES, }), ], }; }