refactor: update WebOps API URL handling to use dynamic functions

Author: vlaux

packages/core/src/pages/api/fs/auth/login.ts

@@ -37,7 +37,7 @@ const handler: NextApiHandler = async (
       return
     }
 
-    const webopsResponse = await fetch(sessionUrl, {
+    const webopsResponse = await fetch(sessionUrl(), {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
       body: JSON.stringify({ storeId, password }),

packages/core/src/server/authentication-service.ts

@@ -37,7 +37,7 @@ let publicKeyCache: {
 } | null = null
 
 async function fetchPublicKeyPemFromWebOps(): Promise<string> {
-  const res = await fetch(publicKeyUrl, {
+  const res = await fetch(publicKeyUrl(), {
     signal: AbortSignal.timeout(passwordProtectionTimeouts.publicKeyMs),
   })
 
@@ -188,7 +188,7 @@ export class AuthenticationService {
     payload: TokenPayload
   ): Promise<AuthResult> {
     try {
-      const res = await fetch(renewUrl, {
+      const res = await fetch(renewUrl(), {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({
@@ -221,7 +221,7 @@ export class AuthenticationService {
 
   private async handleNoAuth(request: NextRequest): Promise<AuthResult> {
     try {
-      const res = await fetch(protectionStatusUrl, {
+      const res = await fetch(protectionStatusUrl(), {
         signal: AbortSignal.timeout(passwordProtectionTimeouts.defaultMs),
       })
 

packages/core/src/server/password-protection/webops-api.ts

@@ -2,26 +2,34 @@ import discoveryConfig from '../../../discovery.config'
 
 const DEFAULT_WEBOPS_ORIGIN = 'https://faststore.vtex.com'
 
-let origin =
-  process.env.WEBOPS_API_URL?.trim().replaceAll(/\/+$/g, '') ??
-  DEFAULT_WEBOPS_ORIGIN
-
-origin = origin.startsWith('http') ? origin : `https://${origin}`
-
-export const publicKeyUrl = new URL(
-  '/api/v1/password-protection/public-key',
-  origin
-)
-
-export const protectionStatusUrl = new URL(
-  '/api/v1/password-protection/status',
-  origin
-)
-protectionStatusUrl.searchParams.set('storeId', discoveryConfig.api.storeId)
-
-export const sessionUrl = new URL('/api/v1/password-protection/session', origin)
-
-export const renewUrl = new URL('/api/v1/password-protection/renew', origin)
+function getWebopsOrigin(): string {
+  const hostFromEnv = process.env.WEBOPS_API_URL?.trim() ?? ''
+  const hostWithoutTrailingSlash = hostFromEnv.replace(/\/+$/, '')
+  const origin =
+    hostWithoutTrailingSlash.length > 0
+      ? hostWithoutTrailingSlash
+      : DEFAULT_WEBOPS_ORIGIN
+
+  return /^https?:\/\//i.test(origin) ? origin : `https://${origin}`
+}
+
+export function publicKeyUrl(): URL {
+  return new URL('/api/v1/password-protection/public-key', getWebopsOrigin())
+}
+
+export function protectionStatusUrl(): URL {
+  const url = new URL('/api/v1/password-protection/status', getWebopsOrigin())
+  url.searchParams.set('storeId', discoveryConfig.api.storeId)
+  return url
+}
+
+export function sessionUrl(): URL {
+  return new URL('/api/v1/password-protection/session', getWebopsOrigin())
+}
+
+export function renewUrl(): URL {
+  return new URL('/api/v1/password-protection/renew', getWebopsOrigin())
+}
 
 /** Timeouts for WebOps password-protection calls (middleware / API routes). */
 export const passwordProtectionTimeouts = {