chore(auth): replace axios with fetch in third-party auth routes #20729
| { | ||
| method: 'POST', | ||
| headers: { 'Content-Type': 'application/json' }, | ||
| body: JSON.stringify(data), |
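Review bot: the options in this POST, as far as the lines shown go (method, headers, body), carry no signal, so a token endpoint that accepts the connection and then stalls holds the auth-server request open for as long as the runtime's own defaults allow. Consider passing signal: AbortSignal.timeout(ms) with a configured limit and routing the resulting abort error down the same failure path as a non-OK response.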
Keeping the request identical to what axios previously sent: turn the plain object into a JSON body with application/json header.
| const res = await fetch(this.config.appleAuthConfig.tokenEndpoint, { | ||
| method: 'POST', | ||
| headers: { | ||
| 'Content-Type': 'application/x-www-form-urlencoded', |
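Review bot: nothing in the lines shown for the Apple token call sets redirect, so fetch uses its default of following redirects, and a 307 or 308 from the endpoint would re-send the POST body to whatever location the response names. A token exchange has no reason to be redirected; consider adding redirect: 'error' so the call fails instead of following, whatever this.config.appleAuthConfig.tokenEndpoint answers with.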
Keeping the request identical to what axios previously sent for Apple: form-encoded instead of JSON (application/x-www-form-urlencoded).
Note: this header added to the call is mandatory - fetch won't add automatically. Test added so we can catch it if it ever gets dropped.
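The Content-Type point from the review comment above, as an added example that is not part of the PR or of FxA code: it reads the header fetch would send for each body type from a Request object, and includes an explicit res.ok check of the kind that replaces axios's default rejection on non-2xx. TOKEN_URL, params and all function names are constructed for illustration.

```javascript
// Added example, not FxA code. Needs Node 18+ (global Request/Response).
const TOKEN_URL = 'https://idp.example.invalid/token'; // placeholder endpoint

// Constructed token-exchange parameters; `code` holds reserved characters.
const params = { grant_type: 'authorization_code', code: 'a b&c=d' };

// Content-Type fetch would send for this body and these headers, read from a
// Request object so nothing goes over the network.
function sentContentType(body, headers = {}) {
  const req = new Request(TOKEN_URL, { method: 'POST', headers, body });
  return req.headers.get('content-type');
}

// Form-encode via URLSearchParams so reserved characters in values are escaped.
function formBody(data) {
  return new URLSearchParams(data).toString();
}

// fetch resolves on 4xx/5xx where axios rejected by default: fail closed.
function requireOk(res) {
  if (!res.ok) throw new Error(`token endpoint returned HTTP ${res.status}`);
  return res;
}

// Same payload sent four ways; only the body type and headers differ.
function contentTypeMatrix() {
  const form = 'application/x-www-form-urlencoded';
  return {
    stringNoHeader: sentContentType(formBody(params)),
    stringWithHeader: sentContentType(formBody(params), { 'Content-Type': form }),
    searchParamsObject: sentContentType(new URLSearchParams(params)),
    jsonNoHeader: sentContentType(JSON.stringify(params)),
  };
}

console.log(formBody(params));
console.table(contentTypeMatrix());
```

A string body without the header goes out labelled as text/plain, which is the case the PR's new Content-Type test guards against; a URLSearchParams object passed as the body gets the form content type from fetch itself.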
Pull request overview
This PR continues the auth-server migration away from axios by switching third-party (Google/Apple) auth route HTTP calls to native fetch, and adds/updates unit tests to cover the new fetch-based behavior.
Changes:
- Replace `axios` with `fetch` for Apple/Google public-key retrieval in `third-party-events.ts`.
- Replace `axios` with `fetch` for Google/Apple OAuth token exchange in `linked-accounts.ts`.
- Update/add Jest coverage by stubbing `global.fetch`, including new tests for third-party public-key fetchers.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| packages/fxa-auth-server/lib/routes/utils/third-party-events.ts | Migrates Apple/Google public-key retrieval from axios to fetch and adjusts response parsing/error handling. |
| packages/fxa-auth-server/lib/routes/utils/third-party-events.spec.ts | Adds unit tests for the public-key fetch functions using global.fetch stubs. |
| packages/fxa-auth-server/lib/routes/linked-accounts.ts | Migrates Google/Apple token exchange POSTs from axios to fetch with explicit res.ok checks and JSON parsing. |
| packages/fxa-auth-server/lib/routes/linked-accounts.spec.ts | Removes axios mocking and updates tests to stub global.fetch, including non-OK response coverage. |
| jwk2pem: jest.fn(() => 'fake-pem'), | ||
| })); | ||
|
|
||
| describe('third-party-events public key fetching', () => { |
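Review bot: with jwk2pem mocked to return 'fake-pem' unconditionally, a test in this describe block that only checks the returned PEM would pass whatever key material the stubbed fetch supplies. Consider asserting that the jwk2pem mock was called with the JWK taken from the stubbed response, so a regression in how the fetched keys are parsed is caught.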
Because
`axios` is a recurring source of security advisories. Continues the migration to native `fetch` (FXA-13427); this PR covers the auth-server third-party (Google/Apple) auth routes.
This pull request
- `axios` with native `fetch` in the Google/Apple OAuth token-exchange POSTs (`linked-accounts.ts`) and the public-key GETs (`third-party-events.ts`).
- `linked-accounts.spec.ts` off `jest.mock('axios')` to `global.fetch` stubs, including non-ok and `Content-Type` coverage.
- `third-party-events.spec.ts` covering the previously-untested public-key fetch functions.
Issue that this pull request solves
Closes: FXA-13427 (auth routes)
Checklist
Put an `x` in the boxes that apply
Other information (Optional)
`axios` dep remains in `fxa-auth-server`'s `package.json` for now — `customs.js` and `scripts/google-events-cli.js` still use it.