CRED-2148: Add PAT auth support to TypeScript v2 API client

tausman · tausman · commit f49fd4c024b1 · 2026-03-10T20:50:39.000Z
diff --git a/jest.config.ts b/jest.config.ts
@@ -0,0 +1,5 @@
+export default {
+  preset: "ts-jest",
+  testEnvironment: "node",
+  roots: ["<rootDir>/tests"],
+};
diff --git a/package.json b/package.json
@@ -37,8 +37,11 @@
     "bdd-test:profile:built": "yarn workspace bdd-runner run start:profile --working-dir \"$(pwd)\" --built-packages \"features/v*/*.feature\""
   },
   "devDependencies": {
+    "@types/jest": "^30.0.0",
     "eslint": "^9.23.0",
+    "jest": "^30.3.0",
     "prettier": "^3.5.3",
+    "ts-jest": "^29.4.6",
     "typescript": "^5.8.2",
     "typescript-eslint": "^8.29.0"
   },
diff --git a/packages/datadog-api-client/src/auth.ts b/packages/datadog-api-client/src/auth.ts
@@ -81,10 +81,26 @@ export class AppKeyAuthAuthentication implements SecurityAuthentication {
   }
 }
 
+/**
+ * Applies bearer token authentication to the request context.
+ */
+export class BearerAuthAuthentication implements SecurityAuthentication {
+  public constructor(private token: string) {}
+
+  public getName(): string {
+    return "bearerAuth";
+  }
+
+  public applySecurityAuthentication(context: RequestContext): void {
+    context.setHeaderParam("Authorization", "Bearer " + this.token);
+  }
+}
+
 export type AuthMethods = {
   AuthZ?: SecurityAuthentication;
   apiKeyAuth?: SecurityAuthentication;
   appKeyAuth?: SecurityAuthentication;
+  bearerAuth?: SecurityAuthentication;
 };
 
 export type ApiKeyConfiguration = string;
@@ -96,6 +112,7 @@ export type AuthMethodsConfiguration = {
   AuthZ?: OAuth2Configuration;
   apiKeyAuth?: ApiKeyConfiguration;
   appKeyAuth?: ApiKeyConfiguration;
+  bearerAuth?: ApiKeyConfiguration;
 };
 
 /**
@@ -129,5 +146,11 @@ export function configureAuthMethods(
     );
   }
 
+  if (config["bearerAuth"]) {
+    authMethods["bearerAuth"] = new BearerAuthAuthentication(
+      config["bearerAuth"],
+    );
+  }
+
   return authMethods;
 }
diff --git a/packages/datadog-api-client/src/configuration.ts b/packages/datadog-api-client/src/configuration.ts
@@ -218,6 +218,14 @@ export function createConfiguration(
   ) {
     authMethods["appKeyAuth"] = process.env.DD_APP_KEY;
   }
+  if (
+    !("bearerAuth" in authMethods) &&
+    typeof process !== "undefined" &&
+    process.env &&
+    process.env.DD_BEARER_TOKEN
+  ) {
+    authMethods["bearerAuth"] = process.env.DD_BEARER_TOKEN;
+  }
 
   const configuration = new Configuration(
     conf.baseServer,
@@ -254,6 +262,10 @@ export function applySecurityAuthentication<
   requestContext: RequestContext,
   authMethods: AuthMethodKey[],
 ): void {
+  if (conf.authMethods["bearerAuth"]) {
+    conf.authMethods["bearerAuth"].applySecurityAuthentication(requestContext);
+  }
+
   for (const authMethodName of authMethods) {
     const authMethod = conf.authMethods[authMethodName];
     if (authMethod) {
diff --git a/packages/datadog-api-client/src/http/isomorphic-fetch.ts b/packages/datadog-api-client/src/http/isomorphic-fetch.ts
@@ -180,6 +180,9 @@ export class IsomorphicFetchHttpLibrary implements HttpLibrary {
         "x",
       );
     }
+    if (headers["Authorization"]) {
+      headers["Authorization"] = headers["Authorization"].replace(/./g, "x");
+    }
 
     const headersJSON = JSON.stringify(headers, null, 2).replace(/\n/g, "\n\t");
     const method = request.getHttpMethod().toString();
diff --git a/tests/api/auth.test.ts b/tests/api/auth.test.ts
@@ -0,0 +1,149 @@
+import {
+  RequestContext,
+  HttpMethod,
+} from "../../packages/datadog-api-client/src";
+import {
+  BearerAuthAuthentication,
+  configureAuthMethods,
+} from "../../packages/datadog-api-client/src/auth";
+import {
+  createConfiguration,
+  applySecurityAuthentication,
+} from "../../packages/datadog-api-client/src/configuration";
+
+describe("BearerAuthAuthentication", () => {
+  it("should set Authorization Bearer header", () => {
+    const auth = new BearerAuthAuthentication("ddpat_test_token_123");
+    const ctx = new RequestContext("https://example.com", HttpMethod.GET);
+    auth.applySecurityAuthentication(ctx);
+    expect(ctx.getHeaders()["Authorization"]).toBe(
+      "Bearer ddpat_test_token_123",
+    );
+  });
+
+  it("should return correct name", () => {
+    const auth = new BearerAuthAuthentication("token");
+    expect(auth.getName()).toBe("bearerAuth");
+  });
+});
+
+describe("configureAuthMethods", () => {
+  it("should configure bearerAuth when provided", () => {
+    const methods = configureAuthMethods({
+      bearerAuth: "ddpat_my_pat",
+    });
+    expect(methods.bearerAuth).toBeDefined();
+    expect(methods.bearerAuth!.getName()).toBe("bearerAuth");
+  });
+
+  it("should configure all auth methods together", () => {
+    const methods = configureAuthMethods({
+      apiKeyAuth: "api_key",
+      appKeyAuth: "app_key",
+      bearerAuth: "ddpat_pat",
+    });
+    expect(methods.apiKeyAuth).toBeDefined();
+    expect(methods.appKeyAuth).toBeDefined();
+    expect(methods.bearerAuth).toBeDefined();
+  });
+});
+
+describe("createConfiguration with bearer auth", () => {
+  const originalEnv = process.env;
+
+  beforeEach(() => {
+    process.env = { ...originalEnv };
+  });
+
+  afterEach(() => {
+    process.env = originalEnv;
+  });
+
+  it("should read DD_BEARER_TOKEN env var", () => {
+    process.env.DD_BEARER_TOKEN = "ddpat_env_pat";
+    const config = createConfiguration();
+    expect(config.authMethods.bearerAuth).toBeDefined();
+  });
+
+  it("should not override explicit bearerAuth config", () => {
+    process.env.DD_BEARER_TOKEN = "ddpat_env_pat";
+    const config = createConfiguration({
+      authMethods: {
+        bearerAuth: "ddpat_explicit_pat",
+      },
+    });
+    const ctx = new RequestContext("https://example.com", HttpMethod.GET);
+    config.authMethods.bearerAuth!.applySecurityAuthentication(ctx);
+    expect(ctx.getHeaders()["Authorization"]).toBe(
+      "Bearer ddpat_explicit_pat",
+    );
+  });
+});
+
+describe("applySecurityAuthentication with bearer auth", () => {
+  it("should send Bearer header when only bearerAuth is configured", () => {
+    const config = createConfiguration({
+      authMethods: {
+        bearerAuth: "ddpat_test_pat",
+      },
+    });
+    const ctx = new RequestContext("https://example.com", HttpMethod.GET);
+    applySecurityAuthentication(config, ctx, [
+      "apiKeyAuth",
+      "appKeyAuth",
+      "AuthZ",
+    ]);
+    expect(ctx.getHeaders()["Authorization"]).toBe("Bearer ddpat_test_pat");
+    expect(ctx.getHeaders()["DD-API-KEY"]).toBeUndefined();
+    expect(ctx.getHeaders()["DD-APPLICATION-KEY"]).toBeUndefined();
+  });
+
+  it("should send all auth headers when all are configured", () => {
+    const config = createConfiguration({
+      authMethods: {
+        apiKeyAuth: "test_api_key",
+        appKeyAuth: "test_app_key",
+        bearerAuth: "ddpat_test_pat",
+      },
+    });
+    const ctx = new RequestContext("https://example.com", HttpMethod.GET);
+    applySecurityAuthentication(config, ctx, [
+      "apiKeyAuth",
+      "appKeyAuth",
+      "AuthZ",
+    ]);
+    expect(ctx.getHeaders()["Authorization"]).toBe("Bearer ddpat_test_pat");
+    expect(ctx.getHeaders()["DD-API-KEY"]).toBe("test_api_key");
+    expect(ctx.getHeaders()["DD-APPLICATION-KEY"]).toBe("test_app_key");
+  });
+
+  it("should use API key + app key when bearerAuth is not configured", () => {
+    const config = createConfiguration({
+      authMethods: {
+        apiKeyAuth: "test_api_key",
+        appKeyAuth: "test_app_key",
+      },
+    });
+    const ctx = new RequestContext("https://example.com", HttpMethod.GET);
+    applySecurityAuthentication(config, ctx, [
+      "apiKeyAuth",
+      "appKeyAuth",
+      "AuthZ",
+    ]);
+    expect(ctx.getHeaders()["DD-API-KEY"]).toBe("test_api_key");
+    expect(ctx.getHeaders()["DD-APPLICATION-KEY"]).toBe("test_app_key");
+    expect(ctx.getHeaders()["Authorization"]).toBeUndefined();
+  });
+
+  it("should use only API key when only apiKeyAuth is required and no bearer auth", () => {
+    const config = createConfiguration({
+      authMethods: {
+        apiKeyAuth: "test_api_key",
+      },
+    });
+    const ctx = new RequestContext("https://example.com", HttpMethod.GET);
+    applySecurityAuthentication(config, ctx, ["apiKeyAuth"]);
+    expect(ctx.getHeaders()["DD-API-KEY"]).toBe("test_api_key");
+    expect(ctx.getHeaders()["Authorization"]).toBeUndefined();
+  });
+});
diff --git a/yarn.lock b/yarn.lock

Original file line number	Diff line number	Diff line change
`@@ -180,6 +180,9 @@ export class IsomorphicFetchHttpLibrary implements HttpLibrary {`
`180`	`180`	`"x",`
`181`	`181`	`);`
`182`	`182`	`}`
	`183`	`+ if (headers["Authorization"]) {`
	`184`	`+ headers["Authorization"] = headers["Authorization"].replace(/./g, "x");`
	`185`	`+ }`
`183`	`186`
`184`	`187`	`const headersJSON = JSON.stringify(headers, null, 2).replace(/\n/g, "\n\t");`
`185`	`188`	`const method = request.getHttpMethod().toString();`