Force auth token usage for storage uploads (#6973)

Author: jnsdls

packages/thirdweb/src/storage/upload/web-node.ts

@@ -25,6 +25,8 @@ export async function uploadBatch<const TFiles extends UploadableFile[]>(
       body: form,
       requestTimeoutMs:
         client.config?.storage?.fetch?.requestTimeoutMs || 120000,
+      // force auth token usage for storage uploads
+      useAuthToken: true,
     },
   );
 

packages/thirdweb/src/utils/fetch.test.ts

@@ -52,7 +52,7 @@ describe("getClientFetch", () => {
     );
   });
 
-  it("should send a bearer token if secret key is a JWT", () => {
+  it("should NOT send a bearer token if secret key is a JWT", () => {
     vi.spyOn(global, "fetch").mockResolvedValue(new Response());
     const clientFetch = getClientFetch({
       clientId: "test-client-id",
@@ -67,6 +67,28 @@ describe("getClientFetch", () => {
       }),
     );
 
+    // biome-ignore lint/suspicious/noExplicitAny: `any` type ok for tests
+    const headers = (global.fetch as any).mock.calls[0][1].headers;
+    expect(headers.get("authorization")).toBe(null);
+  });
+
+  it("should send a bearer token if secret key is a JWT and useAuthToken is true", () => {
+    vi.spyOn(global, "fetch").mockResolvedValue(new Response());
+    const clientFetch = getClientFetch({
+      clientId: "test-client-id",
+      secretKey: "foo.bar.baz",
+    });
+    clientFetch("https://api.thirdweb.com/test", {
+      useAuthToken: true,
+    });
+
+    expect(global.fetch).toHaveBeenCalledWith(
+      "https://api.thirdweb.com/test",
+      expect.objectContaining({
+        headers: expect.any(Headers),
+      }),
+    );
+
     // biome-ignore lint/suspicious/noExplicitAny: `any` type ok for tests
     const headers = (global.fetch as any).mock.calls[0][1].headers;
     expect(headers.get("authorization")).toBe("Bearer foo.bar.baz");

packages/thirdweb/src/utils/fetch.ts

@@ -22,10 +22,16 @@ export function getClientFetch(client: ThirdwebClient, ecosystem?: Ecosystem) {
    */
   async function fetchWithHeaders(
     url: string | Request,
-    init?: Omit<RequestInit, "signal"> & { requestTimeoutMs?: number },
+    init?: Omit<RequestInit, "signal"> & {
+      requestTimeoutMs?: number;
+      useAuthToken?: boolean;
+    },
   ): Promise<Response> {
-    const { requestTimeoutMs = DEFAULT_REQUEST_TIMEOUT, ...restInit } =
-      init || {};
+    const {
+      requestTimeoutMs = DEFAULT_REQUEST_TIMEOUT,
+      useAuthToken,
+      ...restInit
+    } = init || {};
 
     let headers = restInit.headers
       ? new Headers(restInit.headers)
@@ -41,7 +47,7 @@ export function getClientFetch(client: ThirdwebClient, ecosystem?: Ecosystem) {
       }
       // auth token if secret key === jwt
       const authToken =
-        client.secretKey && isJWT(client.secretKey)
+        useAuthToken && client.secretKey && isJWT(client.secretKey)
           ? client.secretKey
           : undefined;
       // secret key if secret key !== jwt