All checks were successful
CI / lint (pull_request) Successful in 1m8s
CI / build (pull_request) Successful in 53s
CI / unit (pull_request) Successful in 58s
CI / frontend (pull_request) Successful in 2m10s
CI / mutation (pull_request) Successful in 3m58s
CI / verify-stack (pull_request) Successful in 7m48s
The token-attachment bug (secureRoutes set to the app origin, which a relative api-client URL never matches) was only caught by the full-stack e2e. Add a fast unit guard: drive the REAL angular-auth-oidc-client interceptor and the REAL api-client against the production route value, faking only the config source and the token storage. Asserts the bearer token rides the relative /self-service/ call and is withheld from the anonymous /openbaar/ call. Extract the value to a shared SECURE_API_ROUTES constant so the test binds to exactly what the app configures. Verified the guard fails (Authorization null) if the value regresses to an origin. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2.7 KiB
2.7 KiB