@tacoreai/web-sdk 1.10.0 → 1.11.0

package/database/core/apps/AppServerRuntime.js

@@ -30,6 +30,20 @@ const getRequestSource = (isPlatformProxyRequest, isSchedulerRequest) => {
   return isPreviewMode() ? "preview-direct" : "external-direct";
 };
 
+const createRequestScopedAppsClient = (env, options = {}) => {
+  const { accessToken = null, previewAppServerApiKey = null } = options;
+  const config = {
+    ...env,
+    accessToken: accessToken || null,
+  };
+
+  if (previewAppServerApiKey) {
+    config.previewAppServerApiKey = previewAppServerApiKey;
+  }
+
+  return new AppsClient(env.appId, config);
+};
+
 const isPreviewApiKeyShapeValid = (apiKey) => {
   if (typeof apiKey !== "string") return false;
   const value = apiKey.trim();
@@ -247,7 +261,6 @@ export const createAppServerRuntime = async (options = {}) => {
       });
     }
 
-    const appsClient = AppsClient.getInstance(env.appId, { ...env, accessToken: requestAccessToken || null });
     const previewBridgeInteropToken =
       process.env.TACORE_APPSERVER_PREVIEW_BRIDGE_INTEROP_TOKEN ||
       process.env.TACORE_SERVER_INTEROP_APP_SERVER_API_KEY;
@@ -260,6 +273,7 @@ export const createAppServerRuntime = async (options = {}) => {
       process.env.CLOUDFLARE_WORKER_INTEROP_APP_SERVER_TOKEN
     );
     const requestSource = getRequestSource(isPlatformProxyRequest, isSchedulerRequest);
+    let previewAppServerApiKey = null;
 
     console.log(`[AppServer] invoke api="${apiName}" source="${requestSource}"`);
 
@@ -283,7 +297,10 @@ export const createAppServerRuntime = async (options = {}) => {
 
       let isValidApiKey = false;
       try {
-        isValidApiKey = await validateExternalApiKey(appsClient, env.appId, requestApiKey);
+        const authClient = createRequestScopedAppsClient(env, {
+          accessToken: requestAccessToken || null,
+        });
+        isValidApiKey = await validateExternalApiKey(authClient, env.appId, requestApiKey);
       } catch (error) {
         console.error("[AppServer] Failed to validate external API key:", error);
         return res.status(500).json({
@@ -300,9 +317,31 @@ export const createAppServerRuntime = async (options = {}) => {
           error: "Invalid X-API-Key",
         });
       }
+
+      if (isPreviewMode() && !requestAccessToken) {
+        previewAppServerApiKey = requestApiKey;
+      }
     }
 
     try {
+      console.log(`[AppServer Debug] invoke api="${apiName}" auth forwarding`, {
+        requestSource,
+        hasAuthorization: Boolean(requestAccessToken),
+        hasRequestApiKey: Boolean(requestApiKey),
+        hasPlatformInteropHeader: Boolean(platformInteropHeader),
+        hasSchedulerInteropHeader: Boolean(schedulerInteropHeader),
+        willForwardPreviewAppServerApiKey: Boolean(previewAppServerApiKey),
+      });
+
+      const appsClient = createRequestScopedAppsClient(env, {
+        accessToken: requestAccessToken || null,
+        previewAppServerApiKey,
+      });
+      console.log(`[AppServer Debug] scoped AppsClient api="${apiName}"`, {
+        hasAccessToken: Boolean(appsClient.getAccessToken()),
+        hasPreviewAppServerApiKey: Boolean(appsClient.config.previewAppServerApiKey),
+        hasInteropKey: Boolean(appsClient.config.tacoreServerInteropAppServerApiKey),
+      });
       const data = await appsClient.invokeAppServerAPI(apiName, payload, {
         appsClient,
         req,

package/database/core/apps/BaseAppsClient.js

@@ -1,6 +1,7 @@
 import { getAppsApiBaseUrl, isBrowser, isBackend, getGlobalOptions } from "../../../utils/index.js";
 
 const ACCESS_TOKEN_STORAGE_KEY = "tacoreai_apps_access_token";
+const PREVIEW_APPSERVER_API_KEY_HEADER = "x-tacore-preview-app-server-api-key";
 
 const normalizeAccessToken = (value) => {
   if (typeof value !== "string") {
@@ -44,6 +45,8 @@ const writePersistedAccessToken = (token) => {
   }
 };
 
+const isBackendPreviewMode = () => isBackend && process.env.TACORE_APPSERVER_PREVIEW_MODE === "true";
+
 /**
  * Apps SDK 基类
  * 封装通用的配置管理、Header构建、HTTP请求逻辑
@@ -178,6 +181,13 @@ export class BaseAppsClient {
 
     if (isBackend && this.config.tacoreServerInteropAppServerApiKey) {
       headers["x-tacore-server-interop-app-server-api-key"] = this.config.tacoreServerInteropAppServerApiKey;
+    } else if (
+      isBackendPreviewMode() &&
+      !token &&
+      this.config.previewAppServerApiKey &&
+      !headers[PREVIEW_APPSERVER_API_KEY_HEADER]
+    ) {
+      headers[PREVIEW_APPSERVER_API_KEY_HEADER] = this.config.previewAppServerApiKey;
     }
 
     return headers;
@@ -190,6 +200,14 @@ export class BaseAppsClient {
     const url = `${this.config.apiBaseUrl}${endpoint}`;
     const headers = this._getRequestHeaders(options.headers);
 
+    if (isBackendPreviewMode()) {
+      console.log(`[BaseAppsClient Debug][${this.appId}] endpoint="${endpoint}"`, {
+        hasAuthorization: Boolean(headers.Authorization || headers.authorization),
+        hasInteropHeader: Boolean(headers["x-tacore-server-interop-app-server-api-key"]),
+        hasPreviewAppServerApiKeyHeader: Boolean(headers[PREVIEW_APPSERVER_API_KEY_HEADER]),
+      });
+    }
+
     const response = await fetch(url, {
       ...options,
       headers,
@@ -276,6 +294,7 @@ export class BaseAppsClient {
   getConfig() {
     const config = { ...this.config };
     delete config.accessToken;
+    delete config.previewAppServerApiKey;
     return config;
   }
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@tacoreai/web-sdk",
   "description": "This file is for app server package, not the real npm package",
-  "version": "1.10.0",
+  "version": "1.11.0",
   "type": "module",
   "publishConfig": {
     "access": "public",