(baseUrl: string, path: string, init: RequestInit = {})
| 642 | `; |
| 643 | |
| 644 | async function signedFetch(baseUrl: string, path: string, init: RequestInit = {}): Promise<Response> { |
| 645 | const method = (init.method ?? 'GET').toUpperCase(); |
| 646 | const body = init.body ? JSON.parse(init.body as string) : undefined; |
| 647 | const authHeader = (init.headers as Record<string, string> | undefined)?.['Authorization']; |
| 648 | const authorizationToken = authHeader?.startsWith('Bearer ') ? authHeader.substring(7) : undefined; |
| 649 | |
| 650 | const sig = buildSignatureHeader({ |
| 651 | privateKey: TEST_PRIVATE_KEY, |
| 652 | method, |
| 653 | pathWithQuery: path, |
| 654 | body, |
| 655 | authorizationToken, |
| 656 | }); |
| 657 | return fetch(`${baseUrl}${path}`, { |
| 658 | ...init, |
| 659 | headers: { |
| 660 | ...(init.headers as Record<string, string>), |
| 661 | 'x-zenstack-signature': sig, |
| 662 | }, |
| 663 | }); |
| 664 | } |
| 665 | |
| 666 | it('anonymous request should not bypass access policy', async () => { |
| 667 | const { client, app } = await createPolicyApp(zmodel); |
no test coverage detected