add policy to remove authorization header

Author: zhiyuanliang-ms

src/AzureAppConfigurationImpl.ts

@@ -62,7 +62,7 @@ import { FeatureFlagTracingOptions } from "./requestTracing/FeatureFlagTracingOp
 import { AIConfigurationTracingOptions } from "./requestTracing/AIConfigurationTracingOptions.js";
 import { KeyFilter, LabelFilter, SettingSelector } from "./types.js";
 import { ConfigurationClientManager } from "./ConfigurationClientManager.js";
-import { CDN_TOKEN_LOOKUP_HEADER, calculateResourceDeletedCacheConsistencyToken } from "./cdnTokenPipelinePolicy.js";
+import { CDN_TOKEN_LOOKUP_HEADER, calculateResourceDeletedCacheConsistencyToken } from "./azureFrontDoor/cdnRequestPipelinePolicy.js";
 import { getFixedBackoffDuration, getExponentialBackoffDuration } from "./common/backoffUtils.js";
 import { InvalidOperationError, ArgumentError, isFailoverableError, isInputError } from "./common/error.js";
 

src/cdnTokenPipelinePolicy.ts …ureFrontDoor/cdnRequestPipelinePolicy.tssrc/cdnTokenPipelinePolicy.ts renamed to src/azureFrontDoor/cdnRequestPipelinePolicy.ts src/cdnTokenPipelinePolicy.ts renamed to src/azureFrontDoor/cdnRequestPipelinePolicy.ts

@@ -2,7 +2,7 @@
 // Licensed under the MIT license.
 
 import { PipelinePolicy } from "@azure/core-rest-pipeline";
-import { getCryptoModule } from "./common/utils.js";
+import { getCryptoModule } from "../common/utils.js";
 
 const CDN_TOKEN_QUERY_PARAMETER = "_";
 const RESOURCE_DELETED_PREFIX = "ResourceDeleted";
@@ -54,3 +54,19 @@ export async function calculateResourceDeletedCacheConsistencyToken(etag: string
         return hash.toString("base64url");
     }
 }
+
+/**
+ * The pipeline policy that remove the authorization header from the request to allow anonymous access to the Azure Front Door.
+ * @remarks
+ * The policy position should be perRetry, since it should be executed after the "Sign" phase: https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/core/core-client/src/serviceClient.ts
+ */
+export class AnonymousRequestPipelinePolicy implements PipelinePolicy {
+    name: string = "AppConfigurationAnonymousRequestPolicy";
+
+    async sendRequest(request, next) {
+        if (request.headers.has("authorization")) {
+            request.headers.delete("authorization");
+        }
+        return next(request);
+    }
+}

src/load.ts

@@ -6,15 +6,15 @@ import { AzureAppConfiguration } from "./AzureAppConfiguration.js";
 import { AzureAppConfigurationImpl } from "./AzureAppConfigurationImpl.js";
 import { AzureAppConfigurationOptions } from "./AzureAppConfigurationOptions.js";
 import { ConfigurationClientManager } from "./ConfigurationClientManager.js";
-import { CdnTokenPipelinePolicy } from "./cdnTokenPipelinePolicy.js";
+import { CdnTokenPipelinePolicy, AnonymousRequestPipelinePolicy } from "./azureFrontDoor/cdnRequestPipelinePolicy.js";
 import { instanceOfTokenCredential } from "./common/utils.js";
 import { ArgumentError } from "./common/error.js";
 
 const MIN_DELAY_FOR_UNHANDLED_ERROR: number = 5_000; // 5 seconds
 
-// Empty token credential to be used when loading from CDN
+// Empty token credential to be used when loading from Azure Front Door
 const emptyTokenCredential: TokenCredential = {
-    getToken: async () => ({ token: "", expiresOnTimestamp: 0 })
+    getToken: async () => ({ token: "", expiresOnTimestamp: Number.MAX_SAFE_INTEGER })
 };
 
 /**
@@ -93,7 +93,8 @@ export async function loadFromAzureFrontDoor(
         // Add etag url policy to append etag to the request url for breaking CDN cache
         additionalPolicies: [
             ...(appConfigOptions.clientOptions?.additionalPolicies || []),
-            { policy: new CdnTokenPipelinePolicy(), position: "perCall" }
+            { policy: new CdnTokenPipelinePolicy(), position: "perCall" },
+            { policy: new AnonymousRequestPipelinePolicy(), position: "perRetry" }
         ]
     };