feat: add protected api client

src/shared/protected-api-client.ts

@@ -0,0 +1,62 @@
+import { isAuthResponseMessage } from "./auth-messages";
+
+interface FetchResponseLike {
+  json(): Promise<unknown>;
+  ok: boolean;
+  status: number;
+}
+
+type FetchLike = (
+  input: string,
+  init?: RequestInit
+) => Promise<FetchResponseLike>;
+
+type SendMessageLike = (message: unknown) => Promise<unknown>;
+
+export function createProtectedApiClient(options: {
+  baseUrl: string;
+  fetchImpl?: FetchLike;
+  sendMessage: SendMessageLike;
+}) {
+  const fetchImpl = options.fetchImpl ?? fetch;
+
+  return {
+    async loadProtectedMockData() {
+      const token = await readAccessToken(options.sendMessage);
+      const response = await fetchImpl(
+        new URL("/api/mock/protected", options.baseUrl).toString(),
+        {
+          headers: {
+            Authorization: `Bearer ${token}`
+          },
+          method: "GET"
+        }
+      );
+
+      if (response.status === 401 || response.status === 403) {
+        throw new Error("protected api unauthorized");
+      }
+
+      if (!response.ok) {
+        throw new Error(`protected api request failed: ${response.status}`);
+      }
+
+      return response.json();
+    }
+  };
+}
+
+async function readAccessToken(sendMessage: SendMessageLike): Promise<string> {
+  const response = await sendMessage({ type: "auth:get-access-token" });
+
+  if (
+    !isAuthResponseMessage(response) ||
+    !response.ok ||
+    response.type !== "auth:token" ||
+    !response.value.accessToken.trim()
+  ) {
+    throw new Error("protected api token unavailable");
+  }
+
+  return response.value.accessToken;
+}

tests/protected-api-client.test.ts

@@ -0,0 +1,73 @@
+import { describe, expect, test, vi } from "vitest";
+
+import { createProtectedApiClient } from "../src/shared/protected-api-client";
+
+describe("protected-api-client", () => {
+  test("requests a token before calling the protected endpoint", async () => {
+    const sendMessage = vi.fn(async () => ({
+      ok: true,
+      type: "auth:token",
+      value: { accessToken: "abc123" }
+    }));
+    const fetchImpl = vi.fn(async () => ({
+      ok: true,
+      status: 200,
+      json: async () => ({ ok: true })
+    }));
+
+    const client = createProtectedApiClient({
+      baseUrl: "http://127.0.0.1:4319",
+      fetchImpl,
+      sendMessage
+    });
+
+    await client.loadProtectedMockData();
+
+    expect(sendMessage).toHaveBeenCalledWith({ type: "auth:get-access-token" });
+    expect(fetchImpl).toHaveBeenCalledWith(
+      "http://127.0.0.1:4319/api/mock/protected",
+      expect.objectContaining({
+        headers: expect.objectContaining({
+          Authorization: "Bearer abc123"
+        }),
+        method: "GET"
+      })
+    );
+  });
+
+  test("throws before fetch when the token is unavailable", async () => {
+    const sendMessage = vi.fn(async () => ({
+      ok: false,
+      type: "auth:error",
+      error: "token missing"
+    }));
+    const fetchImpl = vi.fn();
+
+    const client = createProtectedApiClient({
+      baseUrl: "http://127.0.0.1:4319",
+      fetchImpl,
+      sendMessage
+    });
+
+    await expect(client.loadProtectedMockData()).rejects.toThrow(/token/i);
+    expect(fetchImpl).not.toHaveBeenCalled();
+  });
+
+  test("throws an authorization error on 401", async () => {
+    const client = createProtectedApiClient({
+      baseUrl: "http://127.0.0.1:4319",
+      fetchImpl: vi.fn(async () => ({
+        ok: false,
+        status: 401,
+        json: async () => ({ ok: false, error: "unauthorized" })
+      })),
+      sendMessage: vi.fn(async () => ({
+        ok: true,
+        type: "auth:token",
+        value: { accessToken: "abc123" }
+      }))
+    });
+
+    await expect(client.loadProtectedMockData()).rejects.toThrow(/unauthorized/i);
+  });
+});