@djangocfg/monitor 2.1.420 → 2.1.422

package/src/_api/generated/client/types.gen.ts

@@ -151,12 +151,13 @@ type MethodFn = <
 
 type SseFn = <
   TData = unknown,
-  TError = unknown,
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  _TError = unknown,
   ThrowOnError extends boolean = false,
   TResponseStyle extends ResponseStyle = 'fields',
 >(
   options: Omit<RequestOptions<never, TResponseStyle, ThrowOnError>, 'method'>,
-) => Promise<ServerSentEventsResult<TData, TError>>;
+) => Promise<ServerSentEventsResult<TData>>;
 
 type RequestFn = <
   TData = unknown,

package/src/_api/generated/client/utils.gen.ts

@@ -118,14 +118,12 @@ const checkForExistence = (
   return false;
 };
 
-export const setAuthParams = async ({
-  security,
-  ...options
-}: Pick<Required<RequestOptions>, 'security'> &
-  Pick<RequestOptions, 'auth' | 'query'> & {
+export async function setAuthParams(
+  options: Pick<RequestOptions, 'auth' | 'query' | 'security'> & {
     headers: Headers;
-  }) => {
-  for (const auth of security) {
+  },
+): Promise<void> {
+  for (const auth of options.security ?? []) {
     if (checkForExistence(options, auth.name)) {
       continue;
     }
@@ -154,7 +152,7 @@ export const setAuthParams = async ({
         break;
     }
   }
-};
+}
 
 export const buildUrl: Client['buildUrl'] = (options) =>
   getUrl({

package/src/_api/generated/core/params.gen.ts

@@ -104,10 +104,10 @@ const stripEmptySlots = (params: Params) => {
 
 export const buildClientParams = (args: ReadonlyArray<unknown>, fields: FieldsConfig) => {
   const params: Params = {
-    body: {},
-    headers: {},
-    path: {},
-    query: {},
+    body: Object.create(null),
+    headers: Object.create(null),
+    path: Object.create(null),
+    query: Object.create(null),
   };
 
   const map = buildKeyMap(fields);

package/src/_api/generated/helpers/auth.ts

@@ -79,12 +79,30 @@ function detectLocale(): string | null {
   return null;
 }
 
-/** Default baseUrl from `NEXT_PUBLIC_API_URL`.
+/** Default baseUrl.
  *
- * Both browser and server use NEXT_PUBLIC_API_URL — requests go
- * directly to Django without Next.js proxy.
+ * Browser: uses NEXT_PUBLIC_API_PROXY_URL if set (empty string = same-origin
+ * Next.js proxy), otherwise falls back to NEXT_PUBLIC_API_URL directly.
+ * Set NEXT_PUBLIC_API_PROXY_URL='' in apps that proxy /apix/* via Next.js
+ * Route Handler; leave it unset in apps that hit Django directly.
+ *
+ * Server (SSR / RSC / Edge): use NEXT_PUBLIC_API_URL so server-side fetch
+ * reaches Django directly (proxy is a same-origin HTTP round-trip on server).
  */
 function defaultBaseUrl(): string {
+  if (typeof window !== 'undefined') {
+    try {
+      if (typeof process !== 'undefined' && process.env) {
+        if (process.env.NEXT_PUBLIC_STATIC_BUILD === 'true') return '';
+        // NEXT_PUBLIC_API_PROXY_URL='' means same-origin proxy (e.g. /apix/* route handler).
+        // Next.js inlines defined vars as their value; undefined means the var was not set.
+        if (process.env.NEXT_PUBLIC_API_PROXY_URL !== undefined)
+          return process.env.NEXT_PUBLIC_API_PROXY_URL;
+        return process.env.NEXT_PUBLIC_API_URL || '';
+      }
+    } catch {}
+    return '';
+  }
   try {
     if (typeof process !== 'undefined' && process.env) {
       if (process.env.NEXT_PUBLIC_STATIC_BUILD === 'true') return '';
@@ -96,13 +114,11 @@ function defaultBaseUrl(): string {
 
 /** Default API key fallback from `NEXT_PUBLIC_API_KEY`.
  *
- * In the browser: returns null — requests go through the Next.js rewrite
- * and the key is injected server-side (never exposed in the bundle).
- * On the server: reads NEXT_PUBLIC_API_KEY as a fallback for SSR calls
- * that bypass the rewrite (e.g. server components calling Django directly).
+ * Both browser and server: if NEXT_PUBLIC_API_KEY is set it is used as a
+ * global fallback (e.g. a public demo key). When not set, returns null so
+ * per-request keys passed via options.headers take effect unobstructed.
  */
 function defaultApiKey(): string | null {
-  if (isBrowser) return null;
   try {
     if (typeof process !== 'undefined' && process.env?.NEXT_PUBLIC_API_KEY) {
       return process.env.NEXT_PUBLIC_API_KEY;
@@ -286,6 +302,37 @@ async function tryRefresh(): Promise<string | null> {
  * non-browser environments, so headers populated by the interceptor
  * are simply absent server-side (which is the correct behaviour
  * unless the caller explicitly sets a server-side token).
+ *
+ * ── How API key auth works ────────────────────────────────────────────────
+ *
+ * There are three ways to supply X-API-Key, in priority order:
+ *
+ *   1. Per-request header (highest priority, overrides everything):
+ *        SomeApi.someEndpoint({ headers: { 'X-API-Key': userKey } })
+ *      Use this in playgrounds or any context where the key comes from
+ *      user input rather than app config.
+ *
+ *   2. Global override via auth.setApiKey(key) — applies to every request
+ *      from this client until cleared. Good for single-user sessions.
+ *
+ *   3. NEXT_PUBLIC_API_KEY env var — read by defaultApiKey() on every request.
+ *      Use as a public fallback key (e.g. a shared demo key for unauthenticated
+ *      visitors). When not set, returns null so per-request keys work freely.
+ *
+ * ── baseUrl gotcha with proxy packages ───────────────────────────────────
+ *
+ * If another package (e.g. @carapis/catalog-api/client) calls
+ * `auth.setBaseUrl('')` on import, ALL requests from this shared client
+ * will go to relative paths (Next.js proxy) instead of hitting Django
+ * directly. This is intentional for the public catalog — but breaks any
+ * feature that needs to reach Django with a dynamic API key from the
+ * browser (e.g. a playground).
+ *
+ * Fix: pass `baseUrl` explicitly per-call to override the global setting:
+ *   SomeApi.someEndpoint({
+ *     baseUrl: process.env.NEXT_PUBLIC_API_URL,
+ *     headers: { 'X-API-Key': userKey },
+ *   })
  */
 export function installAuthOnClient(client: HeyClient): void {
   if (_client) return; // idempotent
@@ -303,8 +350,10 @@ export function installAuthOnClient(client: HeyClient): void {
     const locale = auth.getLocale();
     if (locale) request.headers.set('Accept-Language', locale);
 
+    // Only set X-API-Key from global store if NOT already present on the
+    // request — per-request headers (option 1 above) take precedence.
     const apiKey = auth.getApiKey();
-    if (apiKey) request.headers.set('X-API-Key', apiKey);
+    if (apiKey && !request.headers.has('X-API-Key')) request.headers.set('X-API-Key', apiKey);
 
     try {
       const tz = Intl.DateTimeFormat().resolvedOptions().timeZone;

package/src/_api/generated/index.ts

@@ -29,5 +29,11 @@ export { API as CfgMonitorAPI } from './_cfg_monitor';
 // backend so the SDK class doesn't collide.
 export { CfgMonitor } from './_cfg_monitor';
 
+// Generated DTO / schema types (Hey API). The per-group barrels each
+// re-export these too; surfacing them at the top level lets consumers
+// `import { FleetSummary } from '<api>'` without reaching into a
+// group subpath.
+export type * from './types.gen';
+
 // Shared utilities (errors, storage adapters, logger).
 export * from './helpers';