chore: fix pr suggestions and code cleanups

Author: v3nant

.envrc.example

@@ -9,6 +9,19 @@ export ANALYTICS_URL='https://eol-api.herodevs.com/track';
 export OAUTH_CONNECT_URL='';
 export OAUTH_CLIENT_ID='';
 
+# IAM (for CI token provisioning)
+# export IAM_HOST='https://apps.herodevs.io/api/iam';
+# export IAM_PATH='/graphql';
+
+# Auth / User setup (optional)
+# export ENABLE_AUTH='true';
+# export ENABLE_USER_SETUP='true';
+
+# CI token (for headless auth - set when testing CI flow locally)
+# export HD_ORG_ID='1234';
+# export HD_AUTH_TOKEN='<long-lived-refresh-token>';
+# export HD_ACCESS_TOKEN='<access-token-from-auth-ci-login>';
+
 # Performance tuning (optional)
 # export CONCURRENT_PAGE_REQUESTS='3';
 # export PAGE_SIZE='500';

src/api/apollo.client.ts

@@ -5,8 +5,22 @@ import { requireAccessTokenForScan } from '../service/auth.svc.ts';
 export type TokenProvider = (forceRefresh?: boolean) => Promise<string>;
 
 function isTokenEndpoint(input: string | URL | Request): boolean {
-  const url = typeof input === 'string' ? input : input instanceof Request ? input.url : input.toString();
-  return url.endsWith('/token');
+  let urlString: string;
+  if (typeof input === 'string') {
+    urlString = input;
+  } else if (input instanceof Request) {
+    urlString = input.url;
+  } else {
+    urlString = input.toString();
+  }
+
+  try {
+    const url = new URL(urlString);
+    return url.pathname.endsWith('/token');
+  } catch {
+    const pathOnly = urlString.split('?')[0].split('#')[0];
+    return pathOnly.endsWith('/token');
+  }
 }
 
 const createAuthorizedFetch =
@@ -21,7 +35,7 @@ const createAuthorizedFetch =
       }
     }
 
-    let response = await fetch(input, { ...init, headers });
+    const response = await fetch(input, { ...init, headers });
 
     if (
       config.enableAuth &&
@@ -32,7 +46,7 @@ const createAuthorizedFetch =
       const refreshed = await tokenProvider(true);
       const retryHeaders = new Headers(init?.headers);
       retryHeaders.set('Authorization', `Bearer ${refreshed}`);
-      response = await fetch(input, { ...init, headers: retryHeaders });
+      return fetch(input, { ...init, headers: retryHeaders });
     }
 
     return response;

src/api/ci-token.client.ts

@@ -8,6 +8,8 @@ import { ApiError, type ApiErrorCode, isApiErrorCode } from './errors.ts';
 import { getOrgAccessTokensMutation } from './gql-operations.ts';
 import { getGraphQLErrors } from './graphql-errors.ts';
 
+const graphqlUrl = `${config.iamHost}${config.iamPath}`;
+
 const noAuthTokenProvider = async (): Promise<string> => '';
 
 function createOptionalTokenProvider(token?: string) {
@@ -41,20 +43,16 @@ type GetOrgAccessTokensResponse = {
   };
 };
 
-function getGraphqlUrl(): string {
-  return `${config.iamHost}${config.iamPath}`;
-}
-
 function extractErrorCode(errors: ReadonlyArray<GraphQLFormattedError>): ApiErrorCode | undefined {
   const code = (errors[0]?.extensions as { code?: string })?.code;
-  if (!code || !isApiErrorCode(code)) return undefined;
+  if (!code || !isApiErrorCode(code)) return;
   return code;
 }
 
 async function getOrgAccessTokens(
   input: IamAccessOrgTokensInput,
 ): Promise<{ accessToken: string; refreshToken: string }> {
-  const client = createApollo(getGraphqlUrl(), requireAccessToken);
+  const client = createApollo(graphqlUrl, requireAccessToken);
   const res = await client.mutate<GetOrgAccessTokensResponse, { input: IamAccessOrgTokensInput }>({
     mutation: getOrgAccessTokensMutation,
     variables: {
@@ -87,7 +85,7 @@ async function getOrgAccessTokens(
   };
 }
 
-async function getOrgAccessTokensUnauthenticated(
+export async function getOrgAccessTokensUnauthenticated(
   input: IamAccessOrgTokensInput,
 ): Promise<{ accessToken: string; refreshToken: string }> {
   return callGetOrgAccessTokensInternal(input, noAuthTokenProvider);
@@ -99,7 +97,7 @@ async function callGetOrgAccessTokensInternal(
   input: IamAccessOrgTokensInput,
   tokenProvider: TokenProvider,
 ): Promise<{ accessToken: string; refreshToken: string }> {
-  const client = createApollo(getGraphqlUrl(), tokenProvider);
+  const client = createApollo(graphqlUrl, tokenProvider);
   const res = await client.mutate<GetOrgAccessTokensResponse, { input: IamAccessOrgTokensInput }>({
     mutation: getOrgAccessTokensMutation,
     variables: { input },
@@ -144,16 +142,6 @@ export async function exchangeCITokenForAccess(
   return callGetOrgAccessTokensInternal({ orgId, previousToken: refreshToken }, tokenProvider);
 }
 
-export async function getAccessTokenFromCIRefresh(
-  refreshToken: string,
-  orgId: number,
-): Promise<{ accessToken: string; refreshToken: string }> {
-  return getOrgAccessTokensUnauthenticated({
-    orgId,
-    previousToken: refreshToken,
-  });
-}
-
 export async function provisionCIToken(options: ProvisionCITokenOptions = {}): Promise<ProvisionCITokenResponse> {
   const { orgId = null, previousToken = null } = options;
   const result = await getOrgAccessTokens({

test/api/ci-token.client.test.ts

@@ -19,7 +19,7 @@ vi.mock('../../src/config/constants.ts', async (importOriginal) => {
 
 import {
   exchangeCITokenForAccess,
-  getAccessTokenFromCIRefresh,
+  getOrgAccessTokensUnauthenticated,
   provisionCIToken,
 } from '../../src/api/ci-token.client.ts';
 import { FetchMock } from '../utils/mocks/fetch.mock.ts';
@@ -184,7 +184,7 @@ describe('ci-token.client', () => {
     await expect(provisionCIToken()).rejects.toThrow(/missing refreshToken/);
   });
 
-  describe('getAccessTokenFromCIRefresh', () => {
+  describe('getOrgAccessTokensUnauthenticated', () => {
     it('calls IAM with orgId and previousToken, without Bearer header', async () => {
       fetchMock.push(
         mockGraphQLResponse({
@@ -199,7 +199,10 @@ describe('ci-token.client', () => {
         }),
       );
 
-      const result = await getAccessTokenFromCIRefresh('stored-ci-refresh-token', 42);
+      const result = await getOrgAccessTokensUnauthenticated({
+        orgId: 42,
+        previousToken: 'stored-ci-refresh-token',
+      });
       expect(result.accessToken).toBe('new-access-from-refresh');
       expect(result.refreshToken).toBe('new-refresh');
 
@@ -221,13 +224,17 @@ describe('ci-token.client', () => {
     it('throws when GraphQL returns errors', async () => {
       fetchMock.push(mockGraphQLErrorResponse('Invalid refresh token'));
 
-      await expect(getAccessTokenFromCIRefresh('bad-token', 1)).rejects.toThrow(/Invalid refresh token/);
+      await expect(
+        getOrgAccessTokensUnauthenticated({ orgId: 1, previousToken: 'bad-token' }),
+      ).rejects.toThrow(/Invalid refresh token/);
     });
 
     it('throws when response is not ok', async () => {
       fetchMock.push(mockErrorResponse(500, 'Internal Server Error'));
 
-      await expect(getAccessTokenFromCIRefresh('token', 1)).rejects.toThrow(/500/);
+      await expect(
+        getOrgAccessTokensUnauthenticated({ orgId: 1, previousToken: 'token' }),
+      ).rejects.toThrow(/500/);
     });
   });