Add SecureSplitHttpClient and PushManagerSecure for JWT management

EmilianoSanchez · EmilianoSanchez · commit f8eb362b2590 · 2026-03-27T14:48:11.000-03:00
diff --git a/src/services/secureSplitHttpClient.ts b/src/services/secureSplitHttpClient.ts
@@ -0,0 +1,218 @@
+import { IRequestOptions, IResponse, ISplitHttpClient, NetworkError, IAuthCredential, IAuthProvider } from './types';
+import { objectAssign } from '../utils/lang/objectAssign';
+import { ERROR_HTTP, ERROR_CLIENT_CANNOT_GET_READY } from '../logger/constants';
+import { ISettings } from '../types';
+import { IPlatform } from '../sdkFactory/types';
+import { decorateHeaders, removeNonISO88591 } from './decorateHeaders';
+import { splitHttpClientFactory } from './splitHttpClient';
+import { timeout } from '../utils/promise/timeout';
+import { decodeJWTtoken } from '../utils/jwt';
+import { SECONDS_BEFORE_EXPIRATION } from '../sync/streaming/constants';
+
+const PENDING_FETCH_ERROR_TIMEOUT = 100;
+const messageNoFetch = 'Global fetch API is not available.';
+
+/**
+ * Creates an AuthProvider that transparently manages JWT credential lifecycle:
+ * fetching, caching, expiry checks, invalidation, and deduplication of concurrent requests.
+ *
+ * @param innerHttpClient - standard HTTP client (authenticated with SDK key) used to call the auth endpoint
+ * @param settings - SDK settings, used to build the auth endpoint URL
+ */
+function authProviderFactory(innerHttpClient: ISplitHttpClient, settings: ISettings): IAuthProvider & { invalidate(): void } {
+  let currentCredential: IAuthCredential | null = null;
+  let pendingRequest: Promise<IAuthCredential> | null = null;
+
+  function fetchCredential(): Promise<IAuthCredential> {
+    const url = settings.urls.auth + '/v2/auth?s=' + settings.sync.flagSpecVersion;
+    return innerHttpClient(url)
+      .then(function (resp) { return resp.json(); })
+      .then(function (json) {
+        let credential: IAuthCredential;
+        if (json.token) {
+          const decodedToken = decodeJWTtoken(json.token);
+          if (typeof decodedToken.iat !== 'number' || typeof decodedToken.exp !== 'number') {
+            throw new Error('token properties "issuedAt" (iat) or "expiration" (exp) are missing or invalid');
+          }
+          const channels = JSON.parse(decodedToken['x-ably-capability']);
+          credential = {
+            token: json.token,
+            pushEnabled: json.pushEnabled !== false,
+            decodedToken: decodedToken,
+            channels: channels,
+            connDelay: json.connDelay
+          };
+        } else {
+          credential = {
+            token: '',
+            pushEnabled: false,
+            decodedToken: { 'x-ably-capability': '{}', exp: 0, iat: 0 },
+            channels: {},
+            connDelay: json.connDelay
+          };
+        }
+        currentCredential = credential;
+        return credential;
+      });
+  }
+
+  function isExpired(credential: IAuthCredential): boolean {
+    // Consider token expired SECONDS_BEFORE_EXPIRATION (600s) before actual expiry,
+    // so that proactive refresh (e.g., for streaming) gets a fresh token
+    return Date.now() / 1000 >= credential.decodedToken.exp - SECONDS_BEFORE_EXPIRATION;
+  }
+
+  return {
+    getAuthData() {
+      // Return cached credential if valid and not expired
+      if (currentCredential && !isExpired(currentCredential)) {
+        return Promise.resolve(currentCredential);
+      }
+
+      // Deduplicate concurrent requests
+      if (pendingRequest) return pendingRequest;
+
+      pendingRequest = fetchCredential().then(
+        function (credential) {
+          pendingRequest = null;
+          return credential;
+        },
+        function (error) {
+          pendingRequest = null;
+          throw error;
+        }
+      );
+
+      return pendingRequest;
+    },
+
+    invalidate() {
+      currentCredential = null;
+    }
+  };
+}
+
+/**
+ * Factory of Secure Split HTTP clients. Like `splitHttpClientFactory`, but transparently
+ * manages JWT authentication: obtains a JWT from the auth endpoint (using the SDK key internally),
+ * caches it, and retries once on 401 responses with a fresh token.
+ *
+ * @param settings - SDK settings
+ * @param platform - object containing environment-specific dependencies
+ * @returns an object with `httpClient` (ISplitHttpClient) and `authProvider` (IAuthProvider)
+ */
+export function secureSplitHttpClientFactory(
+  settings: ISettings,
+  platform: Pick<IPlatform, 'getOptions' | 'getFetch'>
+): { httpClient: ISplitHttpClient; authProvider: IAuthProvider } {
+
+  const { getOptions, getFetch } = platform;
+  const { log, version, runtime: { ip, hostname } } = settings;
+  const options = getOptions && getOptions(settings);
+  const fetch = getFetch && getFetch(settings);
+
+  // if fetch is not available, log Error
+  if (!fetch) log.error(ERROR_CLIENT_CANNOT_GET_READY, [messageNoFetch]);
+
+  const commonHeaders: Record<string, string> = {
+    'Accept': 'application/json',
+    'Content-Type': 'application/json',
+    'SplitSDKVersion': version
+  };
+
+  if (ip) commonHeaders['SplitSDKMachineIP'] = ip;
+  if (hostname) commonHeaders['SplitSDKMachineName'] = removeNonISO88591(hostname);
+
+  // Inner standard HTTP client for auth endpoint calls (authenticates with SDK key)
+  const innerHttpClient = splitHttpClientFactory(settings, platform);
+  const authProvider = authProviderFactory(innerHttpClient, settings);
+
+  function doFetch(url: string, request: Record<string, any>): Promise<IResponse> {
+    return fetch!(url, request)
+      .then(function (response) {
+        if (!response.ok) {
+          return timeout(PENDING_FETCH_ERROR_TIMEOUT, response.text()).then(
+            function (message) { return Promise.reject({ response: response, message: message }); },
+            function () { return Promise.reject({ response: response }); }
+          );
+        }
+        return response;
+      });
+  }
+
+  function buildRequest(reqOpts: IRequestOptions, authToken: string): Record<string, any> {
+    const headers = objectAssign({}, commonHeaders, { 'Authorization': 'Bearer ' + authToken }, reqOpts.headers || {});
+    return objectAssign({
+      headers: decorateHeaders(settings, headers),
+      method: reqOpts.method || 'GET',
+      body: reqOpts.body
+    }, options);
+  }
+
+  function handleError(error: any, url: string, logErrorsAsInfo: boolean): NetworkError {
+    const resp = error && error.response;
+    let msg = '';
+
+    if (resp) {
+      switch (resp.status) {
+        case 404: msg = 'Invalid SDK key or resource not found.';
+          break;
+        default: msg = error.message;
+          break;
+      }
+    } else {
+      msg = error.message || 'Network Error';
+    }
+
+    if (!resp || resp.status !== 403) {
+      log[logErrorsAsInfo ? 'info' : 'error'](ERROR_HTTP, [resp ? 'status code ' + resp.status : 'no status code', url, msg]);
+    }
+
+    const networkError: NetworkError = new Error(msg);
+    networkError.statusCode = resp && resp.status;
+    return networkError;
+  }
+
+  function httpClient(url: string, reqOpts: IRequestOptions = {}, latencyTracker: (error?: NetworkError) => void = function () { }, logErrorsAsInfo: boolean = false): Promise<IResponse> {
+    if (!fetch) return Promise.reject(new Error(messageNoFetch));
+
+    return authProvider.getAuthData()
+      .then(function (credential) {
+        const request = buildRequest(reqOpts, credential.token);
+        return doFetch(url, request)
+          .then(function (response) {
+            latencyTracker();
+            return response;
+          })
+          .catch(function (error) {
+            const resp = error && error.response;
+
+            // On 401, invalidate credential and retry once with a fresh token
+            if (resp && resp.status === 401) {
+              authProvider.invalidate();
+              return authProvider.getAuthData()
+                .then(function (freshCredential) {
+                  const retryRequest = buildRequest(reqOpts, freshCredential.token);
+                  return doFetch(url, retryRequest)
+                    .then(function (response) {
+                      latencyTracker();
+                      return response;
+                    });
+                });
+            }
+
+            throw error;
+          });
+      })
+      .catch((error) => {
+        const networkError = handleError(error, url, logErrorsAsInfo);
+        latencyTracker(networkError);
+        throw networkError;
+      });
+  }
+
+  return {
+    httpClient: httpClient,
+    authProvider: authProvider
+  };
+}
diff --git a/src/services/splitApi.ts b/src/services/splitApi.ts
@@ -1,7 +1,7 @@
 import { IPlatform } from '../sdkFactory/types';
 import { ISettings } from '../types';
 import { splitHttpClientFactory } from './splitHttpClient';
-import { ISplitApi } from './types';
+import { ISplitApi, ISplitHttpClient } from './types';
 import { objectAssign } from '../utils/lang/objectAssign';
 import { ITelemetryTracker } from '../trackers/types';
 import { SPLITS, IMPRESSIONS, IMPRESSIONS_COUNT, EVENTS, TELEMETRY, TOKEN, SEGMENT, MEMBERSHIPS } from '../utils/constants';
@@ -19,17 +19,19 @@ function userKeyToQueryParam(userKey: string) {
  * @param settings - validated settings object
  * @param platform - object containing environment-specific dependencies
  * @param telemetryTracker - telemetry tracker
+ * @param _splitHttpClient - optional split http client to use instead of the default one
  */
 export function splitApiFactory(
   settings: ISettings,
   platform: Pick<IPlatform, 'getOptions' | 'getFetch'>,
-  telemetryTracker: ITelemetryTracker
+  telemetryTracker: ITelemetryTracker,
+  _splitHttpClient?: ISplitHttpClient
 ): ISplitApi {
 
   const urls = settings.urls;
   const filterQueryString = settings.sync.__splitFiltersValidation && settings.sync.__splitFiltersValidation.queryString;
   const SplitSDKImpressionsMode = settings.sync.impressionsMode;
-  const splitHttpClient = splitHttpClientFactory(settings, platform);
+  const splitHttpClient = _splitHttpClient || splitHttpClientFactory(settings, platform);
 
   return {
     // @TODO throw errors if health check requests fail, to log them in the Synchronizer
diff --git a/src/services/types.ts b/src/services/types.ts
@@ -1,3 +1,5 @@
+import { IDecodedJWTToken } from '../utils/jwt/types';
+
 export type IRequestOptions = {
 	method?: string,
 	headers?: Record<string, string>,
@@ -84,3 +86,17 @@ interface IEventSource {
 }
 
 export type IEventSourceConstructor = new (url: string, eventSourceInitDict?: any) => IEventSource
+
+// Auth credential (JWT) with decoded metadata, used by SecureSplitHttpClient
+export interface IAuthCredential {
+	token: string
+	pushEnabled: boolean
+	decodedToken: IDecodedJWTToken
+	channels: Record<string, string[]>
+	connDelay?: number
+}
+
+// AuthProvider interface for transparent JWT management
+export interface IAuthProvider {
+	getAuthData(): Promise<IAuthCredential>
+}
diff --git a/src/sync/streaming/pushManagerSecure.ts b/src/sync/streaming/pushManagerSecure.ts
