@openstax/ts-utils 1.33.0 → 1.34.0

package/packages/utils/src/services/apiGateway/index.ts

@@ -0,0 +1,189 @@
+import { Headers } from 'node-fetch';
+import * as pathToRegexp from 'path-to-regexp';
+import queryString from 'query-string';
+import { v4 as uuid } from 'uuid';
+import { merge } from '../..';
+import { ConfigProviderForConfig, resolveConfigValue } from '../../config';
+import { SessionExpiredError, UnauthorizedError } from '../../errors';
+import { ConfigForFetch, GenericFetch, Response } from '../../fetch';
+import { fetchStatusRetry } from '../../fetch/fetchStatusRetry';
+import { AnyRoute, ApiResponse, METHOD, OutputForRoute, ParamsForRoute, PayloadForRoute, QueryParams, RouteParams } from '../../routing';
+import { UnwrapPromise } from '../../types';
+import { Level, Logger } from '../logger';
+
+export type TResponsePayload<R> = R extends ApiResponse<any, infer P> ? P : never;
+export type TResponseStatus<R> = R extends ApiResponse<infer S, any> ? S : never;
+
+export type RouteClient<R> = {
+  (
+    config: { fetchConfig?: any; query?: QueryParams }
+      & (
+        ParamsForRoute<R> extends undefined
+        ? {}
+        : { params: ParamsForRoute<R> }
+      )
+      & (
+        PayloadForRoute<R> extends undefined
+        ? {}
+        : { payload: PayloadForRoute<R> }
+      )
+  ): Promise<UnsafeApiClientResponse<UnwrapPromise<OutputForRoute<R>>>>;
+  renderUrl: (
+    config: { query?: QueryParams }
+      & (
+        ParamsForRoute<R> extends undefined
+        ? {}
+        : { params: ParamsForRoute<R> }
+      )
+  ) => Promise<string>;
+};
+
+export interface AcceptStatus<Ro> {
+  <S extends TResponseStatus<Ro>[]>(...args: S): Promise<ApiClientResponse<Extract<Ro, Record<'statusCode', S[number]>>>>;
+  <S extends number[]>(...args: S): Promise<ApiClientResponse<any>>;
+}
+
+export type UnsafeApiClientResponse<Ro> = {
+  headers: Headers;
+  load: () => Promise<any>;
+  status: number;
+  acceptStatus: AcceptStatus<Ro>;
+};
+
+export type ApiClientResponse<Ro> = Ro extends any ? {
+  headers: Headers;
+  status: TResponseStatus<Ro>;
+  load: () => Promise<TResponsePayload<Ro>>;
+} : never;
+
+export type ExpandRoute<T> = T extends ((...args: infer A) => infer R) & { renderUrl: (...args: infer Ar) => Promise<string> } ? ((...args: A) => R) & { renderUrl: (...args: Ar) => Promise<string> } : never;
+
+export type MapRoutesToClient<Ru> = [Ru] extends [AnyRoute<Ru>]
+  ? { [N in Ru['name']]: ExpandRoute<RouteClient<Extract<Ru, Record<'name', N>>>> }
+  : never;
+
+export type MapRoutesToConfig<Ru> = [Ru] extends [AnyRoute<Ru>]
+  ? { [_N in Ru['name']]: {
+    path: string;
+    method: string;
+  } }
+  : never;
+
+/** Pulls the content out of a response based on the content type */
+export const loadResponse = (response: Response) => () => {
+  const [contentType] = (response.headers.get('content-type') || '').split(';');
+  switch (contentType) {
+    case 'text/plain':
+      return response.text();
+    case 'application/json':
+      return response.json();
+    default:
+      throw new Error(`unknown content type ${contentType}`);
+  }
+};
+
+const makeRouteClient = <F extends GenericFetch>(
+  initializer: {
+    fetch: F;
+  },
+  config: ConfigProviderForConfig<{
+    apiBase: string;
+  }>,
+  route: { path: string; method: METHOD },
+  app?: {
+    authProvider?: { getAuthorizedFetchConfig: () => Promise<ConfigForFetch<F>> };
+    logger?: Logger;
+    launchToken?: string;
+  }
+) => {
+  /* TODO this duplicates code with makeRenderRouteUrl, reuse that */
+  const renderUrl = async ({ params, query }: { params?: RouteParams; query?: QueryParams }) => {
+    const apiBase = await resolveConfigValue(config.apiBase);
+    const getPathForParams = pathToRegexp.compile(route.path, { encode: encodeURIComponent });
+    const search = query && queryString.stringify(query);
+    return apiBase.replace(/\/+$/, '') + getPathForParams(params || {}) + (search ? `?${search}` : '');
+  };
+
+  const routeClient = async ({ params, payload, query, fetchConfig }: { params?: RouteParams; payload?: any; query?: QueryParams; fetchConfig?: ConfigForFetch<F> }) => {
+    const { fetch } = initializer;
+
+    const url = await renderUrl({ params, query });
+    const body = payload ? JSON.stringify(payload) : undefined;
+    const baseOptions = merge((await app?.authProvider?.getAuthorizedFetchConfig()) || {}, fetchConfig || {});
+    const requestId = uuid();
+    const requestLogger = app?.logger?.createSubContext();
+    requestLogger?.setContext({ requestId, url, timeStamp: new Date().getTime() });
+    const fetcher = fetchStatusRetry(fetch, { retries: 1, status: [502], logger: requestLogger });
+
+    requestLogger?.log('Request Initiated', Level.Info);
+
+    return fetcher(url, merge(baseOptions, {
+      method: route.method,
+      body,
+      headers: {
+        ...fetchConfig?.headers,
+        ...(body ? { 'content-type': 'application/json' } : {}),
+        'x-request-id': requestId,
+        ...(app?.launchToken ? {
+          'x-launch-token': app.launchToken,
+        } : {}),
+      }
+    })).then(
+      response => {
+        if (response.status === 401) {
+          throw new UnauthorizedError();
+        }
+        if (response.status === 440) {
+          throw new SessionExpiredError();
+        }
+
+        return {
+          status: response.status,
+          acceptStatus: async (...status: number[]) => {
+            if (!status.includes(response.status)) {
+              throw new Error(`unexpected HTTP ${response.status} response from api: ${await response.text()}`);
+            }
+
+            return { status: response.status, headers: response.headers, load: loadResponse(response) };
+          },
+          headers: response.headers,
+          load: loadResponse(response),
+        };
+      }
+    );
+  };
+
+  routeClient.renderUrl = renderUrl;
+
+  return routeClient;
+};
+
+
+export interface MakeApiGateway<F> {
+  <Ru>(
+    config: ConfigProviderForConfig<{ apiBase: string }>,
+    routes: MapRoutesToConfig<Ru>,
+    app?: {
+      authProvider?: { getAuthorizedFetchConfig: () => Promise<ConfigForFetch<F>> };
+      logger?: Logger;
+      launchToken?: string;
+    }
+  ): MapRoutesToClient<Ru>;
+}
+
+export const createApiGateway = <F extends GenericFetch>(initializer: {
+  fetch: F;
+  // TODO - try harder
+  // @ts-ignore this type conversion is annoying
+}): MakeApiGateway<F> => (
+  config: ConfigProviderForConfig<{ apiBase: string }>,
+  routes: { [key: string]: { path: string; method: METHOD } },
+  app?: {
+    authProvider?: { getAuthorizedFetchConfig: () => Promise<ConfigForFetch<F>> };
+    logger?: Logger;
+    launchToken?: string;
+  }
+) => {
+    return Object.fromEntries(Object.entries(routes)
+      .map(([key, routeConfig]) => ([key, makeRouteClient(initializer, config, routeConfig, app)])));
+  };

package/packages/utils/src/services/authProvider/README.md

@@ -0,0 +1,21 @@
+
+# authProvider
+
+the authProvider interface is just a `getUser` function, there are several available drivers.
+
+
+## drivers
+
+### [subrequest](./subrequest.ts)
+
+for servers, takes a given cookie value and forwards it to another accounts server to get the user data. useful for dev or testing server implementations because you don't need any secrets.
+
+### [browser](./browser.ts)
+
+for browsers, queries an accounts server for the current user data
+
+### decode
+
+**note** not written yet, needs to be written
+
+decodes the given cookie value with secret keys. faster than making a subrequest

package/packages/utils/src/services/authProvider/browser.spec.ts

@@ -0,0 +1,391 @@
+import { browserAuthProvider, EventHandler, Window } from './browser';
+import { User } from '.';
+
+afterEach(() => {
+  jest.clearAllMocks();
+});
+
+describe('browserAuthProvider', () => {
+  let fetchSpy: jest.SpyInstance;
+  let postMessageSpy: jest.SpyInstance;
+  let addEventListenerSpy: jest.SpyInstance;
+  let removeEventListenerSpy: jest.SpyInstance;
+  let initializer: { window: Window };
+  const config = {
+    auth: {
+      accountsBase: 'accountsBase',
+    }
+  };
+
+  beforeEach(() => {
+    fetchSpy = jest.fn();
+    postMessageSpy = jest.fn();
+    addEventListenerSpy = jest.fn();
+    removeEventListenerSpy = jest.fn();
+    const win = {};
+
+    Object.assign(win, {
+      fetch: fetchSpy as any,
+      location: {search: ''},
+      parent: win,
+      document: {referrer: 'https://example.com'},
+      postMessage: postMessageSpy as any,
+      addEventListener: addEventListenerSpy as any,
+      removeEventListener: removeEventListenerSpy as any,
+    });
+
+    initializer = {
+      window: win as Window
+    };
+  });
+
+  describe('with cookie config', () => {
+    it('fetches user', async() => {
+      const userResponse = { id: 1 } as User;
+      fetchSpy.mockReturnValue(Promise.resolve({status: 200, json: () => userResponse}));
+      const loader = browserAuthProvider(initializer)(config);
+      await loader.getUser();
+      await loader.getUser();
+      const user = await loader.getUser();
+      expect(fetchSpy).toHaveBeenCalledTimes(1);
+      expect(fetchSpy).toHaveBeenCalledWith('accountsBase/api/user?always_200=true', {credentials: 'include'});
+      expect(user).toBe(userResponse);
+    });
+
+    it('handles empty object responses', async() => {
+      fetchSpy.mockReturnValue(Promise.resolve({status: 200, json: () => ({})}));
+      const loader = browserAuthProvider(initializer)(config);
+      await loader.getUser();
+      await loader.getUser();
+      const user = await loader.getUser();
+      expect(fetchSpy).toHaveBeenCalledTimes(1);
+      expect(fetchSpy).toHaveBeenCalledWith('accountsBase/api/user?always_200=true', {credentials: 'include'});
+      expect(user).toBeUndefined();
+    });
+
+    it('throws on other status codes', async() => {
+      fetchSpy.mockReturnValue(Promise.resolve({status: 500, text: () => 'oops'}));
+      const loader = browserAuthProvider(initializer)(config);
+      await expect(loader.getUser()).rejects.toThrow('Error response from Accounts 500: oops');
+      expect(fetchSpy).toHaveBeenCalledTimes(1);
+      expect(fetchSpy).toHaveBeenCalledWith('accountsBase/api/user?always_200=true', {credentials: 'include'});
+    });
+
+    it('generates authorized url', () => {
+      const provider = browserAuthProvider(initializer)(config);
+      expect(provider.getAuthorizedUrl('https://somecoolurl.com/?foo=bar')).toBe('https://somecoolurl.com/?foo=bar');
+      expect(provider.getAuthorizedLinkUrl('https://somecoolurl.com/?foo=bar')).toBe('https://somecoolurl.com/?foo=bar');
+      expect(provider.getAuthorizedEmbedUrl('https://somecoolurl.com/?foo=bar')).toBe('https://somecoolurl.com/?auth=embedded&embedded=true&foo=bar&subcontent=true');
+      expect(provider.getAuthorizedEmbedUrl('https://somecoolurl.com/?foo=bar', {test: 'true'})).toBe('https://somecoolurl.com/?auth=embedded&embedded=true&foo=bar&subcontent=true&test=true');
+    });
+
+    it('generates authorized fetch-config', async () => {
+      const userResponse = { id: 1 } as User;
+      fetchSpy.mockReturnValue(Promise.resolve({status: 200, json: () => userResponse}));
+      const provider = browserAuthProvider(initializer)(config);
+      expect(await provider.getAuthorizedFetchConfig()).toEqual({credentials: 'include'});
+    });
+
+    it('releases loaded identity to trusted embed', async () => {
+      let eventListener: EventHandler;
+
+      addEventListenerSpy.mockImplementation((_, handler) => eventListener = handler);
+
+      const userResponse = { id: 1 } as User;
+      fetchSpy.mockReturnValue(Promise.resolve({status: 200, json: () => userResponse}));
+      const provider = browserAuthProvider(initializer)(config);
+
+      provider.getAuthorizedEmbedUrl('https://somecoolurl.com/?foo=bar');
+      eventListener!({data: {type: 'request-user'}, origin: 'https://somecoolurl.com', source: initializer.window});
+
+      await new Promise(setImmediate);
+
+      expect(postMessageSpy).toHaveBeenCalledWith({
+        type: 'receive-user', userData: {token: null, user: userResponse}
+      }, 'https://somecoolurl.com');
+    });
+  });
+
+  describe('with token config', () => {
+    it('sends an Authorization: Bearer TOKEN header when given a token string', async() => {
+      const userResponse = { id: 1 } as User;
+      fetchSpy.mockReturnValue(Promise.resolve({status: 200, json: () => userResponse}));
+      initializer.window.location.search = '?auth=123abc';
+      const loader = browserAuthProvider(initializer)(config);
+      await loader.getUser();
+      await loader.getUser();
+      const user = await loader.getUser();
+      expect(fetchSpy).toHaveBeenCalledTimes(1);
+      expect(fetchSpy).toHaveBeenCalledWith(
+        'accountsBase/api/user?always_200=true', {headers: {Authorization: 'Bearer 123abc'}}
+      );
+      expect(user).toBe(userResponse);
+    });
+
+    it('generates authorized url', () => {
+      initializer.window.location.search = '?auth=123abc';
+      const provider = browserAuthProvider(initializer)(config);
+      expect(provider.getAuthorizedUrl('https://somecoolurl.com/?foo=bar')).toBe('https://somecoolurl.com/?foo=bar&auth=123abc');
+      expect(provider.getAuthorizedLinkUrl('https://somecoolurl.com/?foo=bar')).toBe('https://somecoolurl.com/?foo=bar&auth=123abc');
+    });
+
+    it('generates authorized fetch-config', async () => {
+      initializer.window.location.search = '?auth=123abc';
+      const provider = browserAuthProvider(initializer)(config);
+      expect(await provider.getAuthorizedFetchConfig()).toEqual({headers: {Authorization: 'Bearer 123abc'}});
+    });
+
+    it('generates authorized embed url', () => {
+      initializer.window.location.search = '?auth=123abc';
+      const provider = browserAuthProvider(initializer)(config);
+      expect(provider.getAuthorizedEmbedUrl('https://somecoolurl.com/?foo=bar')).toBe(
+        'https://somecoolurl.com/?auth=123abc&embedded=true&foo=bar&subcontent=true'
+      );
+    });
+
+    it('returns the auth token', async () => {
+      const userResponse = { id: 1 } as User;
+      fetchSpy.mockReturnValue(Promise.resolve({status: 200, json: () => userResponse}));
+      initializer.window.location.search = '?auth=123abc';
+      const provider = browserAuthProvider(initializer)(config);
+      expect(await provider.getAuthToken()).toBe('123abc');
+    });
+
+    it('releases loaded identity to trusted embed', async () => {
+      let eventListener: EventHandler;
+
+      addEventListenerSpy.mockImplementation((_, handler) => eventListener = handler);
+
+      const userResponse = { id: 1 } as User;
+      fetchSpy.mockReturnValue(Promise.resolve({status: 200, json: () => userResponse}));
+      initializer.window.location.search = '?auth=123abc';
+      const provider = browserAuthProvider(initializer)(config);
+
+      provider.getAuthorizedEmbedUrl('https://somecoolurl.com/?foo=bar');
+      eventListener!({data: {type: 'request-user'}, origin: 'https://somecoolurl.com', source: initializer.window});
+
+      await new Promise(setImmediate);
+
+      expect(postMessageSpy).toHaveBeenCalledWith({
+        type: 'receive-user', userData: {token: '123abc', user: userResponse}
+      }, 'https://somecoolurl.com');
+    });
+  });
+
+  describe('with embedded config', () => {
+    it('requests user identity', async () => {
+      let eventListener: EventHandler;
+
+      addEventListenerSpy.mockImplementation((_, handler) => eventListener = handler);
+      const userResponse = { id: 1 } as User;
+
+      const parentPostMessageSpy = jest.fn();
+      const parent = {
+        postMessage: parentPostMessageSpy,
+      } as NonNullable<Window['parent']>;
+
+      initializer.window.document.referrer = 'https://openstax.org/select-content';
+      initializer.window.parent = parent;
+      initializer.window.location.search = '?embedded=true';
+      const provider = browserAuthProvider(initializer)(config);
+
+      const promise = provider.getUser();
+
+      expect(addEventListenerSpy).toHaveBeenCalledTimes(2);
+      expect(parentPostMessageSpy).toHaveBeenCalledWith({type: 'request-user'}, 'https://openstax.org');
+      eventListener!({data: {type: 'receive-user', userData: {token: '123abc', user: userResponse}}, origin: 'https://openstax.org', source: parent});
+
+      await new Promise(setImmediate);
+
+      expect(await promise).toBe(userResponse);
+    });
+
+    it('requests with trusted subdomain referrer', async () => {
+      let eventListener: EventHandler;
+
+      addEventListenerSpy.mockImplementation((_, handler) => eventListener = handler);
+      const userResponse = { id: 1 } as User;
+
+      const parentPostMessageSpy = jest.fn();
+      const parent = {
+        postMessage: parentPostMessageSpy,
+      } as NonNullable<Window['parent']>;
+
+      initializer.window.document.referrer = 'https://lti.openstax.org/select-content';
+      initializer.window.parent = parent;
+      initializer.window.location.search = '?embedded=true';
+      const provider = browserAuthProvider(initializer)(config);
+
+      const promise = provider.getUser();
+
+      expect(addEventListenerSpy).toHaveBeenCalledTimes(2);
+      expect(parentPostMessageSpy).toHaveBeenCalledWith({type: 'request-user'}, 'https://lti.openstax.org');
+      eventListener!({data: {type: 'receive-user', userData: {token: '123abc', user: userResponse}}, origin: 'https://lti.openstax.org', source: parent});
+
+      await new Promise(setImmediate);
+
+      expect(await promise).toBe(userResponse);
+    });
+
+    it('does not request with untrusted referrer', async () => {
+      const parentPostMessageSpy = jest.fn();
+      const parent = {
+        postMessage: parentPostMessageSpy,
+      } as NonNullable<Window['parent']>;
+
+      initializer.window.document.referrer = 'https://notopenstax.org/select-content';
+      initializer.window.parent = parent;
+      initializer.window.location.search = '?embedded=true';
+      const provider = browserAuthProvider(initializer)(config);
+
+      await expect(() => provider.getUser()).rejects.toThrow('parent window is undefined or not trusted');
+
+      initializer.window.document.referrer = 'https://not.openstaxlorg/select-content';
+      const provider2 = browserAuthProvider(initializer)(config);
+
+      await expect(() => provider2.getUser()).rejects.toThrow('parent window is undefined or not trusted');
+    });
+
+    it('does not request without referrer', async () => {
+      const parentPostMessageSpy = jest.fn();
+      const parent = {
+        postMessage: parentPostMessageSpy,
+      } as NonNullable<Window['parent']>;
+
+      initializer.window.document.referrer = '';
+      initializer.window.parent = parent;
+      initializer.window.location.search = '?embedded=true';
+      const provider = browserAuthProvider(initializer)(config);
+
+      await expect(() => provider.getUser()).rejects.toThrow('parent window is undefined or not trusted');
+    });
+
+    it('ignores responses from the wrong origin', async () => {
+      let eventListener: EventHandler;
+
+      addEventListenerSpy.mockImplementation((_, handler) => eventListener = handler);
+      const userResponse = { id: 1 } as User;
+
+      const parentPostMessageSpy = jest.fn();
+      const parent = {
+        postMessage: parentPostMessageSpy,
+      } as NonNullable<Window['parent']>;
+
+      initializer.window.document.referrer = 'https://lti.openstax.org/select-content';
+      initializer.window.parent = parent;
+      initializer.window.location.search = '?embedded=true';
+      const provider = browserAuthProvider(initializer)(config);
+
+      const promise = provider.getUser();
+
+      expect(addEventListenerSpy).toHaveBeenCalledTimes(2);
+      expect(parentPostMessageSpy).toHaveBeenCalledWith({type: 'request-user'}, 'https://lti.openstax.org');
+      eventListener!({data: {type: 'receive-user', userData: {token: '123abc', user: userResponse}}, origin: 'https://malicious-site.com', source: parent});
+
+      await expect(promise).rejects.toThrow('loading user identity timed out');
+    }, 10000);
+
+    it('works with legacy auth=embedded urls', async () => {
+      let eventListener: EventHandler;
+
+      addEventListenerSpy.mockImplementation((_, handler) => eventListener = handler);
+      const userResponse = { id: 1 } as User;
+
+      const parentPostMessageSpy = jest.fn();
+      const parent = {
+        postMessage: parentPostMessageSpy,
+      } as NonNullable<Window['parent']>;
+
+      initializer.window.document.referrer = 'https://openstax.org/select-content';
+      initializer.window.parent = parent;
+      initializer.window.location.search = '?auth=embedded';
+      const provider = browserAuthProvider(initializer)(config);
+
+      const promise = provider.getUser();
+
+      expect(addEventListenerSpy).toHaveBeenCalledTimes(2);
+      expect(parentPostMessageSpy).toHaveBeenCalledWith({type: 'request-user'}, 'https://openstax.org');
+      eventListener!({data: {type: 'receive-user', userData: {token: '123abc', user: userResponse}}, origin: 'https://openstax.org', source: parent});
+
+      await new Promise(setImmediate);
+
+      expect(await promise).toBe(userResponse);
+    });
+  });
+
+  describe('with both token and embedded config', () => {
+    it('gets the parent window user', async() => {
+      const parentPostMessageSpy = jest.fn();
+      const parent = {
+        postMessage: parentPostMessageSpy,
+      } as NonNullable<Window['parent']>;
+      initializer.window.document.referrer = 'https://openstax.org/select-content';
+      initializer.window.parent = parent;
+      initializer.window.location.search = '?auth=123abc&embedded=true';
+      const provider = browserAuthProvider(initializer)(config);
+
+      const userResponse = { id: 1 } as User;
+      let eventListener: EventHandler;
+      addEventListenerSpy.mockImplementation((_, handler) => eventListener = handler);
+
+      const promise = provider.getUser();
+
+      expect(addEventListenerSpy).toHaveBeenCalledTimes(2);
+      expect(parentPostMessageSpy).toHaveBeenCalledWith({type: 'request-user'}, 'https://openstax.org');
+      eventListener!({
+        data: {type: 'receive-user', userData: {token: '123abc', user: userResponse}},
+        origin: 'https://openstax.org',
+        source: parent
+      });
+
+      const user = await promise;
+      expect(user).toBe(userResponse);
+    });
+
+    it('generates authorized url', () => {
+      initializer.window.location.search = '?auth=123abc&embedded=true';
+      const provider = browserAuthProvider(initializer)(config);
+      expect(provider.getAuthorizedUrl('https://somecoolurl.com/?foo=bar')).toBe(
+        'https://somecoolurl.com/?foo=bar&auth=123abc&embedded=true'
+      );
+      expect(provider.getAuthorizedLinkUrl('https://somecoolurl.com/?foo=bar')).toBe(
+        'https://somecoolurl.com/?foo=bar&auth=123abc'
+      );
+    });
+
+    it('sets auth=embedded for backwards compatibility', () => {
+      initializer.window.location.search = '?embedded=true';
+      const provider = browserAuthProvider(initializer)(config);
+      expect(provider.getAuthorizedUrl('https://somecoolurl.com/?foo=bar')).toBe(
+        'https://somecoolurl.com/?foo=bar&auth=embedded&embedded=true'
+      );
+    });
+
+    it('can update user settings', async() => {
+      const consent_preferences = {
+        accepted: ['necessary'],
+        rejected: ['functional', 'analytics', 'performance', 'advertisement', 'other']
+      };
+      const userResponse = { id: 1, consent_preferences } as User;
+      fetchSpy.mockReturnValue(Promise.resolve({status: 200, json: () => userResponse}));
+      const provider = browserAuthProvider(initializer)(config);
+
+      const response = await provider.updateUser({consent_preferences});
+      expect(response).toStrictEqual({ token: null, user: userResponse });
+    });
+
+    it('throws on other status codes when updating', async() => {
+      const consent_preferences = {
+        accepted: ['necessary'],
+        rejected: ['functional', 'analytics', 'performance', 'advertisement', 'other']
+      };
+      fetchSpy.mockReturnValue(Promise.resolve({status: 500, text: () => 'oops'}));
+      const provider = browserAuthProvider(initializer)(config);
+      await expect(provider.updateUser({consent_preferences})).rejects.toThrow('Error response from Accounts 500: oops');
+      expect(fetchSpy).toHaveBeenCalledTimes(1);
+      expect(fetchSpy).toHaveBeenCalledWith('accountsBase/api/user', {
+        body: JSON.stringify({consent_preferences}), credentials: 'include', method: 'PUT'
+      });
+    });
+  });
+});