Use separate http clients for auth and management (#564)

Author: itaihanski

examples/managementCli/package-lock.json

@@ -3,7 +3,6 @@ import DescopeClient, { SdkResponse } from '@descope/node-sdk';
 import { config } from 'dotenv';
 import { writeFileSync, readFileSync } from 'fs';
 import { Command } from 'commander';
-import { UserResponse } from '@descope/core-js-sdk';
 
 config();
 

examples/managementCli/src/index.ts

@@ -509,9 +509,11 @@ describe('sdk', () => {
     it('should add descope headers to request', async () => {
       jest.resetModules();
       const createCoreJs = jest.fn();
+      const createHttpClient = jest.fn();
       jest.doMock('@descope/core-js-sdk', () => ({
         __esModule: true,
         default: createCoreJs,
+        createHttpClient,
         wrapWith: (sdkInstance: object) => sdkInstance,
         addHooksToConfig: (config, hooks) => {
           // eslint-disable-next-line no-param-reassign
@@ -542,10 +544,12 @@ describe('sdk', () => {
     it('should add auth management key to request when there is no token', async () => {
       jest.resetModules();
       const createCoreJs = jest.fn();
+      const createHttpClient = jest.fn();
 
       jest.doMock('@descope/core-js-sdk', () => ({
         __esModule: true,
         default: createCoreJs,
+        createHttpClient,
         wrapWith: (sdkInstance: object) => sdkInstance,
         addHooksToConfig: (config, hooks) => {
           // eslint-disable-next-line no-param-reassign
@@ -581,10 +585,12 @@ describe('sdk', () => {
     it('should add auth management key to request when there is token', async () => {
       jest.resetModules();
       const createCoreJs = jest.fn();
+      const createHttpClient = jest.fn();
 
       jest.doMock('@descope/core-js-sdk', () => ({
         __esModule: true,
         default: createCoreJs,
+        createHttpClient,
         wrapWith: (sdkInstance: object) => sdkInstance,
         addHooksToConfig: (config, hooks) => {
           // eslint-disable-next-line no-param-reassign
@@ -612,11 +618,13 @@ describe('sdk', () => {
     it('should merge before request hooks if they are defined', async () => {
       jest.resetModules();
       const createCoreJs = jest.fn();
+      const createHttpClient = jest.fn();
       const existingHook = jest.fn((config) => ({ ...config, customField: 'test' }));
 
       jest.doMock('@descope/core-js-sdk', () => ({
         __esModule: true,
         default: createCoreJs,
+        createHttpClient,
         wrapWith: (sdkInstance: object) => sdkInstance,
         addHooksToConfig: (config, hooks) => {
           // eslint-disable-next-line no-param-reassign

lib/index.test.ts

@@ -4,6 +4,9 @@ import createSdk, {
   SdkResponse,
   JWTResponse as CoreJWTResponse,
   wrapWith,
+  createHttpClient,
+  CreateHttpClientConfig,
+  RequestConfig,
 } from '@descope/core-js-sdk';
 import { JWK, JWTHeaderParameters, KeyLike, errors, importJWK, jwtVerify } from 'jose';
 import {
@@ -38,19 +41,24 @@ type NodeSdkArgs = Parameters<typeof createSdk>[0] & {
 };
 
 const nodeSdk = ({ authManagementKey, managementKey, publicKey, ...config }: NodeSdkArgs) => {
-  const coreSdk = createSdk({
+  const nodeHeaders = {
+    'x-descope-sdk-name': 'nodejs',
+    'x-descope-sdk-node-version': process?.versions?.node || '',
+    'x-descope-sdk-version': BUILD_VERSION,
+  };
+
+  const authSdkConfig = {
     fetch,
     ...config,
     baseHeaders: {
       ...config.baseHeaders,
-      'x-descope-sdk-name': 'nodejs',
-      'x-descope-sdk-node-version': process?.versions?.node || '',
-      'x-descope-sdk-version': BUILD_VERSION,
+      ...nodeHeaders,
     },
     hooks: {
       ...config.hooks,
       beforeRequest: [
-        (requestConfig) => {
+        // auth requests append the auth management key if provided
+        (requestConfig: RequestConfig) => {
           if (authManagementKey) {
             // eslint-disable-next-line no-param-reassign
             requestConfig.token = !requestConfig.token
@@ -62,7 +70,8 @@ const nodeSdk = ({ authManagementKey, managementKey, publicKey, ...config }: Nod
         },
       ].concat(config.hooks?.beforeRequest || []),
     },
-  });
+  };
+  const coreSdk = createSdk(authSdkConfig);
 
   const { projectId, logger } = config;
 
@@ -98,7 +107,29 @@ const nodeSdk = ({ authManagementKey, managementKey, publicKey, ...config }: Nod
     );
   };
 
-  const management = withManagement(coreSdk, managementKey);
+  const mgmtSdkConfig = {
+    fetch,
+    ...config,
+    baseConfig: {
+      baseHeaders: {
+        ...config.baseHeaders,
+        ...nodeHeaders,
+      },
+    },
+    hooks: {
+      ...config.hooks,
+      beforeRequest: [
+        // management requests always use the management key as the token
+        (requestConfig: RequestConfig) => {
+          // eslint-disable-next-line no-param-reassign
+          requestConfig.token = managementKey;
+          return requestConfig;
+        },
+      ].concat(config.hooks?.beforeRequest || []),
+    },
+  };
+  const mgmtHttpClient = createHttpClient(mgmtSdkConfig);
+  const management = withManagement(mgmtHttpClient);
 
   const sdk = {
     ...coreSdk,

lib/index.ts

@@ -1,10 +1,10 @@
 import { SdkResponse } from '@descope/core-js-sdk';
 import withManagement from '.';
 import apiPaths from './paths';
-import { mockCoreSdk, mockHttpClient } from './testutils';
+import { mockHttpClient, resetMockHttpClient } from './testutils';
 import { CreatedAccessKeyResponse, AccessKey } from './types';
 
-const management = withManagement(mockCoreSdk, 'key');
+const management = withManagement(mockHttpClient);
 
 const mockAccessKeyResponse = {
   id: 'ak1',
@@ -23,7 +23,7 @@ const mockMgmtAccessKeysResponse = {
 describe('Management Access Keys', () => {
   afterEach(() => {
     jest.clearAllMocks();
-    mockHttpClient.reset();
+    resetMockHttpClient();
   });
 
   describe('create', () => {
@@ -53,20 +53,16 @@ describe('Management Access Keys', () => {
         ['10.0.0.1', '192.168.1.0/24'],
       );
 
-      expect(mockHttpClient.post).toHaveBeenCalledWith(
-        apiPaths.accessKey.create,
-        {
-          name: 'foo',
-          expireTime: 123456789,
-          roleNames: ['r1', 'r2'],
-          keyTenants: null,
-          userId: 'uid',
-          customClaims: { k1: 'v1' },
-          description: 'hey',
-          permittedIps: ['10.0.0.1', '192.168.1.0/24'],
-        },
-        { token: 'key' },
-      );
+      expect(mockHttpClient.post).toHaveBeenCalledWith(apiPaths.accessKey.create, {
+        name: 'foo',
+        expireTime: 123456789,
+        roleNames: ['r1', 'r2'],
+        keyTenants: null,
+        userId: 'uid',
+        customClaims: { k1: 'v1' },
+        description: 'hey',
+        permittedIps: ['10.0.0.1', '192.168.1.0/24'],
+      });
 
       expect(resp).toEqual({
         code: 200,
@@ -93,7 +89,6 @@ describe('Management Access Keys', () => {
 
       expect(mockHttpClient.get).toHaveBeenCalledWith(apiPaths.accessKey.load, {
         queryParams: { id: 'id' },
-        token: 'key',
       });
 
       expect(resp).toEqual({
@@ -119,11 +114,9 @@ describe('Management Access Keys', () => {
 
       const resp: SdkResponse<AccessKey[]> = await management.accessKey.searchAll(['t1']);
 
-      expect(mockHttpClient.post).toHaveBeenCalledWith(
-        apiPaths.accessKey.search,
-        { tenantIds: ['t1'] },
-        { token: 'key' },
-      );
+      expect(mockHttpClient.post).toHaveBeenCalledWith(apiPaths.accessKey.search, {
+        tenantIds: ['t1'],
+      });
 
       expect(resp).toEqual({
         code: 200,
@@ -156,19 +149,15 @@ describe('Management Access Keys', () => {
         ['1.2.3.4'],
       );
 
-      expect(mockHttpClient.post).toHaveBeenCalledWith(
-        apiPaths.accessKey.update,
-        {
-          id: 'id',
-          name: 'name',
-          description: 'description',
-          roleNames: ['r1', 'r2'],
-          keyTenants: undefined,
-          customClaims: { k1: 'v1' },
-          permittedIps: ['1.2.3.4'],
-        },
-        { token: 'key' },
-      );
+      expect(mockHttpClient.post).toHaveBeenCalledWith(apiPaths.accessKey.update, {
+        id: 'id',
+        name: 'name',
+        description: 'description',
+        roleNames: ['r1', 'r2'],
+        keyTenants: undefined,
+        customClaims: { k1: 'v1' },
+        permittedIps: ['1.2.3.4'],
+      });
 
       expect(resp).toEqual({
         code: 200,
@@ -193,11 +182,7 @@ describe('Management Access Keys', () => {
 
       const resp: SdkResponse<AccessKey> = await management.accessKey.deactivate('id');
 
-      expect(mockHttpClient.post).toHaveBeenCalledWith(
-        apiPaths.accessKey.deactivate,
-        { id: 'id' },
-        { token: 'key' },
-      );
+      expect(mockHttpClient.post).toHaveBeenCalledWith(apiPaths.accessKey.deactivate, { id: 'id' });
 
       expect(resp).toEqual({
         code: 200,
@@ -222,11 +207,7 @@ describe('Management Access Keys', () => {
 
       const resp: SdkResponse<AccessKey> = await management.accessKey.activate('id');
 
-      expect(mockHttpClient.post).toHaveBeenCalledWith(
-        apiPaths.accessKey.activate,
-        { id: 'id' },
-        { token: 'key' },
-      );
+      expect(mockHttpClient.post).toHaveBeenCalledWith(apiPaths.accessKey.activate, { id: 'id' });
 
       expect(resp).toEqual({
         code: 200,
@@ -251,11 +232,7 @@ describe('Management Access Keys', () => {
 
       const resp: SdkResponse<AccessKey> = await management.accessKey.delete('id');
 
-      expect(mockHttpClient.post).toHaveBeenCalledWith(
-        apiPaths.accessKey.delete,
-        { id: 'id' },
-        { token: 'key' },
-      );
+      expect(mockHttpClient.post).toHaveBeenCalledWith(apiPaths.accessKey.delete, { id: 'id' });
 
       expect(resp).toEqual({
         code: 200,