duanshuwen/zn-ai
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: enhance host API authentication handling and add regression tests

Browse Source
This commit is contained in:
duanshuwen
2026-04-23 19:09:30 +08:00
parent 71bcc3b3c5
commit c9617a3777
10 changed files with 471 additions and 127 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
dist-electron/main/main.js
View File

@@ -1,6 +1,6 @@
"use strict"; "use strict";
require("electron"); require("electron");
require("./main-BBEijEwg.js"); require("./main-DpM79zJd.js");
require("electron-squirrel-startup"); require("electron-squirrel-startup");
require("electron-log"); require("electron-log");
require("bytenode"); require("bytenode");

1
dist-electron/preload/preload.js
View File

@@ -2,6 +2,7 @@
const electron = require("electron"); const electron = require("electron");
var IPC_EVENTS = /* @__PURE__ */ ((IPC_EVENTS2) => { var IPC_EVENTS = /* @__PURE__ */ ((IPC_EVENTS2) => {
IPC_EVENTS2["HOST_API_FETCH"] = "hostapi:fetch"; IPC_EVENTS2["HOST_API_FETCH"] = "hostapi:fetch";
IPC_EVENTS2["HOST_API_TOKEN"] = "hostapi:token";
IPC_EVENTS2["EXTERNAL_OPEN"] = "external-open"; IPC_EVENTS2["EXTERNAL_OPEN"] = "external-open";
IPC_EVENTS2["APP_SET_FRAMELESS"] = "app:set-frameless"; IPC_EVENTS2["APP_SET_FRAMELESS"] = "app:set-frameless";
IPC_EVENTS2["APP_LOAD_PAGE"] = "app:load-page"; IPC_EVENTS2["APP_LOAD_PAGE"] = "app:load-page";

19
electron/api/server.ts
View File

@@ -11,6 +11,7 @@ import {
} from './route-utils'; } from './route-utils';
const DEFAULT_HOST_API_PORT = 13210; const DEFAULT_HOST_API_PORT = 13210;
const HOST_API_UNAUTHORIZED_CODE = 'HOST_API_UNAUTHORIZED';
type StartHostApiServerOptions = { type StartHostApiServerOptions = {
ctx: HostApiContext; ctx: HostApiContext;
@@ -50,21 +51,19 @@ export function startHostApiServer(options: StartHostApiServerOptions): Server {
return; return;
} }
const bearerHeader = req.headers.authorization || ''; const headerToken = req.headers['x-host-api-token'];
const bearerToken = bearerHeader.startsWith('Bearer ') const token = typeof headerToken === 'string'
? bearerHeader.slice('Bearer '.length) ? headerToken
: ''; : Array.isArray(headerToken)
const token = ( ? headerToken[0]
req.headers['x-host-api-token'] : (requestUrl.searchParams.get('token') || '');
|| requestUrl.searchParams.get('token')
|| bearerToken
);
if (token !== hostApiToken) { if (token !== hostApiToken) {
sendJsonResponse(res, 401, { sendJsonResponse(res, 401, {
success: false, success: false,
ok: false, ok: false,
error: 'Unauthorized', code: HOST_API_UNAUTHORIZED_CODE,
error: 'Host API authentication failed',
}); });
return; return;
} }

93
electron/gateway/manager.ts
View File

@@ -18,8 +18,6 @@ import { CONFIG_KEYS } from '@runtime/lib/constants';
import { normalizeAgentSessionKey } from '@runtime/lib/models'; import { normalizeAgentSessionKey } from '@runtime/lib/models';
import type { ContentBlock, RawMessage } from '@runtime/shared/chat-model'; import type { ContentBlock, RawMessage } from '@runtime/shared/chat-model';
import type { GatewayEvent, GatewayRpcParams, RuntimeRefreshTopic } from './types'; import type { GatewayEvent, GatewayRpcParams, RuntimeRefreshTopic } from './types';
import * as providerHandlers from './handlers/provider';
import * as skillHandlers from './handlers/skills';
import { import {
createInitialGatewayDiagnostics, createInitialGatewayDiagnostics,
type GatewayDiagnosticsSnapshot, type GatewayDiagnosticsSnapshot,
@@ -64,6 +62,7 @@ import {
} from './reload-policy'; } from './reload-policy';
import { GatewayStateController, type GatewayRuntimeStatus } from './state'; import { GatewayStateController, type GatewayRuntimeStatus } from './state';
import { connectGatewaySocket, waitForGatewayReady } from './ws-client'; import { connectGatewaySocket, waitForGatewayReady } from './ws-client';
import { dispatchGatewayRpcMethod } from './rpc-dispatch';
type RuntimeChangeBroadcast = { type RuntimeChangeBroadcast = {
topics: RuntimeRefreshTopic[]; topics: RuntimeRefreshTopic[];
@@ -1785,88 +1784,16 @@ export class GatewayManager extends EventEmitter {
await this.init(); await this.init();
} }
const localDispatch = dispatchGatewayRpcMethod(
method,
params,
(event) => this.broadcast(event),
);
if (localDispatch.handled) {
return localDispatch.result;
}
switch (method) { switch (method) {
case 'chat.send': {
const request = params as GatewayRpcParams['chat.send'];
const sessionKey = normalizeAgentSessionKey(request.sessionKey);
const messageText = extractTextFromRawMessage(request.message);
const response = await this.rpcGateway('chat.send', {
sessionKey,
message: messageText,
deliver: false,
idempotencyKey: request.message.id || randomUUID(),
}, { timeoutMs: 30_000 });
const runId = (
isRecord(response) &&
typeof response.runId === 'string' &&
response.runId.trim()
)
? response.runId
: '';
if (!runId) {
throw new Error('OpenClaw Gateway chat.send did not return a runId');
}
return { runId };
}
case 'chat.history': {
const request = params as GatewayRpcParams['chat.history'];
const response = await this.rpcGateway('chat.history', {
sessionKey: normalizeAgentSessionKey(request.sessionKey),
limit: request.limit ?? 50,
}, { timeoutMs: 15_000 });
if (!isRecord(response) || !Array.isArray(response.messages)) {
return [];
}
return response.messages
.map((message) => normalizeGatewayRawMessage(message))
.filter((message): message is RawMessage => message !== null);
}
case 'chat.abort': {
const request = params as GatewayRpcParams['chat.abort'];
await this.rpcGateway('chat.abort', {
sessionKey: normalizeAgentSessionKey(request.sessionKey),
}, { timeoutMs: 10_000 });
return;
}
case 'session.list': {
const response = await this.rpcGateway('sessions.list', {}, { timeoutMs: 10_000 });
if (!isRecord(response) || !Array.isArray(response.sessions)) {
return [];
}
return response.sessions
.map((session) => (
isRecord(session) && typeof session.key === 'string'
? session.key
: null
))
.filter((sessionKey): sessionKey is string => Boolean(sessionKey));
}
case 'session.delete': {
const request = params as GatewayRpcParams['session.delete'];
if (normalizeAgentSessionKey(request.sessionKey).endsWith(':main')) {
return { success: false };
}
await this.rpcGateway('sessions.delete', {
key: normalizeAgentSessionKey(request.sessionKey),
deleteTranscript: true,
}, { timeoutMs: 15_000 });
return { success: true };
}
case 'provider.list':
return providerHandlers.handleProviderList();
case 'provider.getDefault':
return providerHandlers.handleProviderGetDefault();
case 'skills.status':
return skillHandlers.handleSkillsStatus();
case 'skills.update':
return skillHandlers.handleSkillsUpdate(params);
default: default:
throw new Error(`Unknown gateway RPC method: ${method}`); throw new Error(`Unknown gateway RPC method: ${method}`);
} }

80
electron/gateway/rpc-dispatch.ts Normal file
View File

@@ -0,0 +1,80 @@
import { normalizeAgentSessionKey } from '@runtime/lib/models';
import type { GatewayEvent, GatewayRpcParams } from './types';
import * as chatHandlers from './handlers/chat';
import * as providerHandlers from './handlers/provider';
import * as skillHandlers from './handlers/skills';
type GatewayBroadcast = (event: GatewayEvent) => void;
export function dispatchGatewayRpcMethod(
method: string,
params: unknown,
broadcast: GatewayBroadcast,
): { handled: boolean; result?: unknown } {
switch (method) {
case 'chat.send':
return {
handled: true,
result: chatHandlers.handleChatSend(
params as GatewayRpcParams['chat.send'],
broadcast,
),
};
case 'chat.history':
return {
handled: true,
result: chatHandlers.handleChatHistory(
params as GatewayRpcParams['chat.history'],
),
};
case 'chat.abort':
return {
handled: true,
result: chatHandlers.handleChatAbort(
params as GatewayRpcParams['chat.abort'],
broadcast,
),
};
case 'session.list':
return {
handled: true,
result: chatHandlers.handleSessionList(),
};
case 'session.delete': {
const request = params as GatewayRpcParams['session.delete'];
if (normalizeAgentSessionKey(request.sessionKey).endsWith(':main')) {
return {
handled: true,
result: { success: false },
};
}
return {
handled: true,
result: chatHandlers.handleSessionDelete(request),
};
}
case 'provider.list':
return {
handled: true,
result: providerHandlers.handleProviderList(),
};
case 'provider.getDefault':
return {
handled: true,
result: providerHandlers.handleProviderGetDefault(),
};
case 'skills.status':
return {
handled: true,
result: skillHandlers.handleSkillsStatus(),
};
case 'skills.update':
return {
handled: true,
result: skillHandlers.handleSkillsUpdate(params),
};
default:
return { handled: false };
}
}

75
src/lib/host-api.ts
View File

@@ -1,11 +1,12 @@
import { IPC_EVENTS } from './constants'; import { IPC_EVENTS } from './constants';
import type { HostApiResult } from '../types/runtime'; import type { HostApiResult } from '../types/runtime';
import { logout, readPersistedAuthToken } from '../router/auth-session'; import { readPersistedAuthToken } from '../router/auth-session';
type RequestInitLike = Pick<RequestInit, 'method' | 'headers' | 'body'>; type RequestInitLike = Pick<RequestInit, 'method' | 'headers' | 'body'>;
const HOST_API_PORT = 13210; const HOST_API_PORT = 13210;
const HOST_API_BASE = `http://127.0.0.1:${HOST_API_PORT}`; const HOST_API_BASE = `http://127.0.0.1:${HOST_API_PORT}`;
const HOST_API_UNAUTHORIZED_CODE = 'HOST_API_UNAUTHORIZED';
type LooseIpcBridge = { type LooseIpcBridge = {
invoke<T = unknown>(channel: string, ...args: any[]): Promise<T>; invoke<T = unknown>(channel: string, ...args: any[]): Promise<T>;
@@ -14,6 +15,11 @@ type LooseIpcBridge = {
let cachedHostApiToken: string | null = null; let cachedHostApiToken: string | null = null;
type HostApiErrorDetails = {
code?: string;
message: string;
};
function normalizeHeaders(headers?: HeadersInit): Headers { function normalizeHeaders(headers?: HeadersInit): Headers {
return new Headers(headers ?? {}); return new Headers(headers ?? {});
} }
@@ -41,9 +47,6 @@ function extractResult<T>(response: unknown): T {
if (response && typeof response === 'object') { if (response && typeof response === 'object') {
const result = response as HostApiResult<T>; const result = response as HostApiResult<T>;
if (result.success === false || result.ok === false) { if (result.success === false || result.ok === false) {
if (isUnauthorizedStatus(result.status) || isUnauthorizedMessage(result.error) || isUnauthorizedMessage(result.text)) {
handleUnauthorized();
}
throw new Error(result.error || result.text || 'Request failed'); throw new Error(result.error || result.text || 'Request failed');
} }
@@ -57,23 +60,12 @@ function extractResult<T>(response: unknown): T {
return response as T; return response as T;
} }
function isUnauthorizedStatus(status?: number): boolean { function isHostApiUnauthorized(code?: string): boolean {
return status === 401; return code === HOST_API_UNAUTHORIZED_CODE;
} }
function isUnauthorizedMessage(message?: string): boolean { async function getHostApiToken(forceRefresh = false): Promise<string> {
if (!message) return false; if (!forceRefresh && cachedHostApiToken) {
return /\b401\b|unauthorized|unauthenticated|invalid token|token expired|鉴权失败|认证失败|未授权|未登录|登录失效|token已失效/i.test(message);
}
function handleUnauthorized(): void {
const from = typeof window === 'undefined' ? undefined : window.location.hash.replace(/^#/, '') || undefined;
logout({ reason: 'unauthorized', from });
}
async function getHostApiToken(): Promise<string> {
if (cachedHostApiToken) {
return cachedHostApiToken; return cachedHostApiToken;
} }
@@ -81,11 +73,34 @@ async function getHostApiToken(): Promise<string> {
return cachedHostApiToken; return cachedHostApiToken;
} }
async function parseHostApiError(response: Response): Promise<HostApiErrorDetails> {
const contentType = response.headers.get('content-type') ?? '';
if (contentType.includes('application/json')) {
const payload = (await response.json().catch(() => ({}))) as HostApiResult<unknown> & { message?: string };
return {
code: typeof payload.code === 'string' ? payload.code : undefined,
message:
payload.error
|| payload.text
|| payload.message
|| response.statusText
|| `Request failed with ${response.status}`,
};
}
const text = await response.text();
return {
message: text || response.statusText || `Request failed with ${response.status}`,
};
}
async function fetchViaLocalHostApi<T>( async function fetchViaLocalHostApi<T>(
path: string, path: string,
method: string, method: string,
headers: Headers, headers: Headers,
body: BodyInit | null | undefined, body: BodyInit | null | undefined,
allowRetry = true,
): Promise<T> { ): Promise<T> {
const hostApiToken = await getHostApiToken(); const hostApiToken = await getHostApiToken();
const localHeaders = new Headers(headers); const localHeaders = new Headers(headers);
@@ -103,14 +118,14 @@ async function fetchViaLocalHostApi<T>(
}); });
if (!response.ok) { if (!response.ok) {
if (isUnauthorizedStatus(response.status)) { const errorDetails = await parseHostApiError(response);
handleUnauthorized();
if (response.status === 401 && isHostApiUnauthorized(errorDetails.code) && allowRetry) {
cachedHostApiToken = null;
return fetchViaLocalHostApi<T>(path, method, headers, body, false);
} }
const text = await response.text();
if (!isUnauthorizedStatus(response.status) && isUnauthorizedMessage(text)) { throw new Error(errorDetails.message);
handleUnauthorized();
}
throw new Error(text || response.statusText || `Request failed with ${response.status}`);
} }
const contentType = response.headers.get('content-type') ?? ''; const contentType = response.headers.get('content-type') ?? '';
@@ -199,13 +214,7 @@ export async function hostApiFetch<T>(path: string, init?: RequestInitLike): Pro
}); });
if (!response.ok) { if (!response.ok) {
if (isUnauthorizedStatus(response.status)) {
handleUnauthorized();
}
const text = await response.text(); const text = await response.text();
if (!isUnauthorizedStatus(response.status) && isUnauthorizedMessage(text)) {
handleUnauthorized();
}
throw new Error(text || response.statusText || `Request failed with ${response.status}`); throw new Error(text || response.statusText || `Request failed with ${response.status}`);
} }
@@ -224,7 +233,7 @@ export async function hostApiFetch<T>(path: string, init?: RequestInitLike): Pro
} }
export async function createHostEventSource(path = '/api/events'): Promise<EventSource> { export async function createHostEventSource(path = '/api/events'): Promise<EventSource> {
const token = await getHostApiToken(); const token = await getHostApiToken(true);
const separator = path.includes('?') ? '&' : '?'; const separator = path.includes('?') ? '&' : '?';
return new EventSource(`${HOST_API_BASE}${path}${separator}token=${encodeURIComponent(token)}`); return new EventSource(`${HOST_API_BASE}${path}${separator}token=${encodeURIComponent(token)}`);
} }

1
src/types/runtime.ts
View File

@@ -57,6 +57,7 @@ export interface HostApiResult<T = unknown> {
text?: string; text?: string;
error?: string; error?: string;
status?: number; status?: number;
code?: string;
} }
export type GatewayEvent = export type GatewayEvent =

118
tests/app-router-host-api-auth-regression.test.tsx Normal file
View File

@@ -0,0 +1,118 @@
import React from 'react';
import { render, screen, waitFor } from '@testing-library/react';
import { HashRouter } from 'react-router-dom';
import { beforeEach, describe, expect, it, vi } from 'vitest';
import { setLocale } from '../src/i18n';
const mocks = vi.hoisted(() => ({
invoke: vi.fn(),
}));
vi.mock('../src/pages/Login', async () => {
const ReactModule = await import('react');
return {
default: function LoginPageMock() {
return ReactModule.createElement('div', null, 'login-page');
},
};
});
vi.mock('../src/pages/Setting', async () => {
const ReactModule = await import('react');
return {
default: function SettingPageMock() {
ReactModule.useEffect(() => {
void import('../src/lib/host-api').then(({ hostApiFetch }) => {
void hostApiFetch('/api/gateway/status').catch(() => {});
});
}, []);
return ReactModule.createElement('div', null, 'protected-setting-page');
},
};
});
import { AppRouter } from '../src/router';
describe('AppRouter host api auth regression', () => {
function renderProtectedRoute() {
render(
<HashRouter>
<AppRouter />
</HashRouter>,
);
}
beforeEach(() => {
vi.clearAllMocks();
setLocale('en');
window.sessionStorage.clear();
window.localStorage.clear();
document.cookie = 'token=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/';
window.location.hash = '#/setting';
window.sessionStorage.setItem('token', JSON.stringify('access-token'));
(window as typeof window & { api?: unknown }).api = {
invoke: mocks.invoke,
platform: 'darwin',
};
mocks.invoke.mockImplementation(async (channel: string) => {
if (channel === 'hostapi:fetch') {
return {
success: false,
ok: false,
status: 401,
code: 'HOST_API_UNAUTHORIZED',
error: 'Host API authentication failed',
};
}
throw new Error(`Unexpected IPC channel: ${channel}`);
});
});
it('keeps the user on a protected route when local host api auth fails', async () => {
renderProtectedRoute();
expect(await screen.findByText('protected-setting-page')).toBeTruthy();
await waitFor(() => {
expect(mocks.invoke).toHaveBeenCalledWith('hostapi:fetch', expect.objectContaining({
path: '/api/gateway/status',
}));
});
await waitFor(() => {
expect(screen.queryByText('login-page')).toBeNull();
expect(screen.getByText('protected-setting-page')).toBeTruthy();
expect(window.sessionStorage.getItem('token')).toBe(JSON.stringify('access-token'));
});
});
it('keeps the user on a protected route when upstream api returns unauthorized', async () => {
mocks.invoke.mockResolvedValueOnce({
success: false,
ok: false,
status: 401,
error: 'Unauthorized',
});
renderProtectedRoute();
expect(await screen.findByText('protected-setting-page')).toBeTruthy();
await waitFor(() => {
expect(mocks.invoke).toHaveBeenCalledWith('hostapi:fetch', expect.objectContaining({
path: '/api/gateway/status',
}));
});
await waitFor(() => {
expect(screen.queryByText('login-page')).toBeNull();
expect(screen.getByText('protected-setting-page')).toBeTruthy();
expect(window.sessionStorage.getItem('token')).toBe(JSON.stringify('access-token'));
});
});
});

149
tests/gateway-rpc-dispatch.test.ts Normal file
View File

@@ -0,0 +1,149 @@
// @vitest-environment node
import { beforeEach, describe, expect, it, vi } from 'vitest';
const mocks = vi.hoisted(() => ({
handleChatSend: vi.fn(),
handleChatHistory: vi.fn(),
handleChatAbort: vi.fn(),
handleSessionList: vi.fn(),
handleSessionDelete: vi.fn(),
handleProviderList: vi.fn(),
handleProviderGetDefault: vi.fn(),
handleSkillsStatus: vi.fn(),
handleSkillsUpdate: vi.fn(),
}));
vi.mock('../electron/gateway/handlers/chat', () => ({
handleChatSend: mocks.handleChatSend,
handleChatHistory: mocks.handleChatHistory,
handleChatAbort: mocks.handleChatAbort,
handleSessionList: mocks.handleSessionList,
handleSessionDelete: mocks.handleSessionDelete,
}));
vi.mock('../electron/gateway/handlers/provider', () => ({
handleProviderList: mocks.handleProviderList,
handleProviderGetDefault: mocks.handleProviderGetDefault,
}));
vi.mock('../electron/gateway/handlers/skills', () => ({
handleSkillsStatus: mocks.handleSkillsStatus,
handleSkillsUpdate: mocks.handleSkillsUpdate,
}));
describe('dispatchGatewayRpcMethod', () => {
beforeEach(() => {
vi.clearAllMocks();
});
it('routes chat history to the local chat handler', async () => {
const messages = [{ role: 'user', content: 'hello' }];
mocks.handleChatHistory.mockReturnValue(messages);
const { dispatchGatewayRpcMethod } = await import('../electron/gateway/rpc-dispatch');
const result = dispatchGatewayRpcMethod(
'chat.history',
{ sessionKey: 'agent:test:main', limit: 20 },
vi.fn(),
);
expect(result).toEqual({ handled: true, result: messages });
expect(mocks.handleChatHistory).toHaveBeenCalledWith({
sessionKey: 'agent:test:main',
limit: 20,
});
});
it('routes chat send locally and forwards the broadcast callback', async () => {
mocks.handleChatSend.mockReturnValue({ runId: 'run-1' });
const { dispatchGatewayRpcMethod } = await import('../electron/gateway/rpc-dispatch');
const broadcast = vi.fn();
const result = dispatchGatewayRpcMethod(
'chat.send',
{
sessionKey: 'agent:test:main',
message: { role: 'user', content: 'hello' },
},
broadcast,
);
expect(result).toEqual({ handled: true, result: { runId: 'run-1' } });
expect(mocks.handleChatSend).toHaveBeenCalledTimes(1);
expect(mocks.handleChatSend.mock.calls[0]?.[1]).toBe(broadcast);
});
it('prevents deleting the main session', async () => {
const { dispatchGatewayRpcMethod } = await import('../electron/gateway/rpc-dispatch');
const result = dispatchGatewayRpcMethod(
'session.delete',
{ sessionKey: 'agent:test:main' },
vi.fn(),
);
expect(result).toEqual({ handled: true, result: { success: false } });
expect(mocks.handleSessionDelete).not.toHaveBeenCalled();
});
it('routes non-main session deletion and session listing locally', async () => {
mocks.handleSessionDelete.mockReturnValue({ success: true });
mocks.handleSessionList.mockReturnValue(['agent:test:main', 'agent:test:secondary']);
const { dispatchGatewayRpcMethod } = await import('../electron/gateway/rpc-dispatch');
expect(
dispatchGatewayRpcMethod('session.list', {}, vi.fn()),
).toEqual({
handled: true,
result: ['agent:test:main', 'agent:test:secondary'],
});
expect(
dispatchGatewayRpcMethod(
'session.delete',
{ sessionKey: 'agent:test:secondary' },
vi.fn(),
),
).toEqual({
handled: true,
result: { success: true },
});
expect(mocks.handleSessionDelete).toHaveBeenCalledWith({
sessionKey: 'agent:test:secondary',
});
});
it('routes provider and skills methods locally and leaves unknown methods unhandled', async () => {
mocks.handleProviderGetDefault.mockReturnValue({ accountId: 'provider-1' });
mocks.handleSkillsStatus.mockReturnValue({ skills: [] });
mocks.handleSkillsUpdate.mockReturnValue({ success: true });
const { dispatchGatewayRpcMethod } = await import('../electron/gateway/rpc-dispatch');
expect(
dispatchGatewayRpcMethod('provider.getDefault', {}, vi.fn()),
).toEqual({
handled: true,
result: { accountId: 'provider-1' },
});
expect(
dispatchGatewayRpcMethod('skills.status', {}, vi.fn()),
).toEqual({
handled: true,
result: { skills: [] },
});
expect(
dispatchGatewayRpcMethod('skills.update', { skillKey: 'demo' }, vi.fn()),
).toEqual({
handled: true,
result: { success: true },
});
expect(
dispatchGatewayRpcMethod('gateway.ping', {}, vi.fn()),
).toEqual({
handled: false,
});
});
});

60
tests/host-api-auth.test.ts Normal file
View File

@@ -0,0 +1,60 @@
import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
const mocks = vi.hoisted(() => ({
logout: vi.fn(),
readPersistedAuthToken: vi.fn(),
invoke: vi.fn(),
}));
vi.mock('../src/router/auth-session', () => ({
logout: mocks.logout,
readPersistedAuthToken: mocks.readPersistedAuthToken,
}));
const HOST_API_UNAUTHORIZED_CODE = 'HOST_API_UNAUTHORIZED';
describe('hostApiFetch auth handling', () => {
beforeEach(() => {
vi.resetModules();
mocks.logout.mockReset();
mocks.readPersistedAuthToken.mockReset();
mocks.invoke.mockReset();
mocks.readPersistedAuthToken.mockReturnValue('access-token');
(window as typeof window & { api?: unknown }).api = {
invoke: mocks.invoke,
};
});
afterEach(() => {
delete (window as typeof window & { api?: unknown }).api;
});
it('does not log out when local Host API authentication fails', async () => {
mocks.invoke.mockResolvedValue({
success: false,
ok: false,
status: 401,
code: HOST_API_UNAUTHORIZED_CODE,
error: 'Host API authentication failed',
});
const { hostApiFetch } = await import('../src/lib/host-api');
await expect(hostApiFetch('/api/gateway/status')).rejects.toThrow('Host API authentication failed');
expect(mocks.logout).not.toHaveBeenCalled();
});
it('keeps auth state when upstream business API returns unauthorized', async () => {
mocks.invoke.mockResolvedValue({
success: false,
ok: false,
status: 401,
error: 'Unauthorized',
});
const { hostApiFetch } = await import('../src/lib/host-api');
await expect(hostApiFetch('/api/providers')).rejects.toThrow('Unauthorized');
expect(mocks.logout).not.toHaveBeenCalled();
});
});