Load From Azure Front Door

package.json

@@ -55,7 +55,7 @@
     "uuid": "^9.0.1"
   },
   "dependencies": {
-    "@azure/app-configuration": "^1.6.1",
+    "@azure/app-configuration": "^1.9.0",
     "@azure/identity": "^4.2.1",
     "@azure/keyvault-secrets": "^4.7.0"
   }

src/azureFrontDoor/cdnRequestPipelinePolicy.ts

@@ -0,0 +1,72 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+import { PipelinePolicy } from "@azure/core-rest-pipeline";
+import { getCryptoModule } from "../common/utils.js";
+
+const CDN_TOKEN_QUERY_PARAMETER = "_";
+const RESOURCE_DELETED_PREFIX = "ResourceDeleted";
+
+export const CDN_TOKEN_LOOKUP_HEADER = "cdn-token-lookup";
+
+/**
+ * The pipeline policy that retrieves the CDN token from the request header and appends it to the request URL. After that the lookup header is removed from the request.
+ * @remarks
+ * The policy position should be perCall.
+ * The App Configuration service will not recognize the CDN token query parameter in the url, but this can help to break the CDN cache as the cache entry is based on the URL.
+ */
+export class CdnTokenPipelinePolicy implements PipelinePolicy {
+    name: string = "AppConfigurationCdnTokenPolicy";
+
+    async sendRequest(request, next) {
+        if (request.headers.has(CDN_TOKEN_LOOKUP_HEADER)) {
+            const token = request.headers.get(CDN_TOKEN_LOOKUP_HEADER);
+            request.headers.delete(CDN_TOKEN_LOOKUP_HEADER);
+
+            const url = new URL(request.url);
+            url.searchParams.append(CDN_TOKEN_QUERY_PARAMETER, token); // _ is a dummy query parameter to break the CDN cache
+            request.url = url.toString();
+        }
+
+        return next(request);
+    }
+}
+
+/**
+ * Calculates a cache consistency token for a deleted resource based on its previous ETag.
+ * @param etag - The previous ETag of the deleted resource.
+ */
+export async function calculateResourceDeletedCacheConsistencyToken(etag: string): Promise<string> {
+    const crypto = getCryptoModule();
+    const rawString = `${RESOURCE_DELETED_PREFIX}\n${etag}`;
+    const payload = new TextEncoder().encode(rawString);
+    // In the browser or Node.js 18+, use crypto.subtle.digest
+    if (crypto.subtle) {
+        const hashBuffer = await crypto.subtle.digest("SHA-256", payload);
+        const hashArray = new Uint8Array(hashBuffer);
+        const base64String = btoa(String.fromCharCode(...hashArray));
+        const base64urlString = base64String.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+        return base64urlString;
+    }
+    // Use the crypto module's hash function
+    else {
+        const hash = crypto.createHash("sha256").update(payload).digest();
+        return hash.toString("base64url");
+    }
+}
+
+/**
+ * The pipeline policy that remove the authorization header from the request to allow anonymous access to the Azure Front Door.
+ * @remarks
+ * The policy position should be perRetry, since it should be executed after the "Sign" phase: https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/core/core-client/src/serviceClient.ts
+ */
+export class AnonymousRequestPipelinePolicy implements PipelinePolicy {
+    name: string = "AppConfigurationAnonymousRequestPolicy";
+
+    async sendRequest(request, next) {
+        if (request.headers.has("authorization")) {
+            request.headers.delete("authorization");
+        }
+        return next(request);
+    }
+}

src/common/utils.ts

@@ -1,6 +1,29 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 
+export function getCryptoModule(): any {
+    let crypto;
+
+    // Check for browser environment
+    if (typeof window !== "undefined" && window.crypto && window.crypto.subtle) {
+        crypto = window.crypto;
+    }
+    // Check for Node.js environment
+    else if (typeof global !== "undefined" && global.crypto) {
+        crypto = global.crypto;
+    }
+    // Fallback to native Node.js crypto module
+    else {
+        try {
+            crypto = require("crypto");
+        } catch (error) {
+            console.error("Failed to load the crypto module:", error.message);
+            throw error;
+        }
+    }
+    return crypto;
+}
+
 export function base64Helper(str: string): string {
     const bytes = new TextEncoder().encode(str); // UTF-8 encoding
     let chars = "";

src/index.ts

@@ -3,6 +3,6 @@
 
 export { AzureAppConfiguration } from "./AzureAppConfiguration.js";
 export { Disposable } from "./common/disposable.js";
-export { load } from "./load.js";
+export { load, loadFromAzureFrontDoor } from "./load.js";
 export { KeyFilter, LabelFilter } from "./types.js";
 export { VERSION } from "./version.js";

src/load.ts

@@ -6,10 +6,17 @@ import { AzureAppConfiguration } from "./AzureAppConfiguration.js";
 import { AzureAppConfigurationImpl } from "./AzureAppConfigurationImpl.js";
 import { AzureAppConfigurationOptions } from "./AzureAppConfigurationOptions.js";
 import { ConfigurationClientManager } from "./ConfigurationClientManager.js";
+import { CdnTokenPipelinePolicy, AnonymousRequestPipelinePolicy } from "./azureFrontDoor/cdnRequestPipelinePolicy.js";
 import { instanceOfTokenCredential } from "./common/utils.js";
+import { ArgumentError } from "./common/error.js";
 
 const MIN_DELAY_FOR_UNHANDLED_ERROR: number = 5_000; // 5 seconds
 
+// Empty token credential to be used when loading from Azure Front Door
+const emptyTokenCredential: TokenCredential = {
+    getToken: async () => ({ token: "", expiresOnTimestamp: Number.MAX_SAFE_INTEGER })
+};
+
 /**
  * Loads the data from Azure App Configuration service and returns an instance of AzureAppConfiguration.
  * @param connectionString  The connection string for the App Configuration store.
@@ -42,7 +49,8 @@ export async function load(
     }
 
     try {
-        const appConfiguration = new AzureAppConfigurationImpl(clientManager, options);
+        const isCdnUsed: boolean = credentialOrOptions === emptyTokenCredential;
+        const appConfiguration = new AzureAppConfigurationImpl(clientManager, options, isCdnUsed);
         await appConfiguration.load();
         return appConfiguration;
     } catch (error) {
@@ -56,3 +64,38 @@ export async function load(
         throw error;
     }
 }
+
+/**
+ * Loads the data from Azure Front Door (CDN) and returns an instance of AzureAppConfiguration.
+ * @param endpoint  The URL to the Azure Front Door.
+ * @param appConfigOptions  Optional parameters.
+ */
+export async function loadFromAzureFrontDoor(endpoint: URL | string, options?: AzureAppConfigurationOptions): Promise<AzureAppConfiguration>;
+
+export async function loadFromAzureFrontDoor(
+    endpoint: string | URL,
+    appConfigOptions?: AzureAppConfigurationOptions
+): Promise<AzureAppConfiguration> {
+    if (!appConfigOptions) {
+        appConfigOptions = {};
+    }
+    if (appConfigOptions.replicaDiscoveryEnabled) {
+        throw new ArgumentError("Replica discovery is not supported when loading from Azure Front Door.");
+    }
+    if (appConfigOptions.loadBalancingEnabled) {
+        throw new ArgumentError("Load balancing is not supported when loading from Azure Front Door.");
+    }
+    appConfigOptions.replicaDiscoveryEnabled = false; // Disable replica discovery when loading from Azure Front Door
+
+    appConfigOptions.clientOptions = {
+        ...appConfigOptions.clientOptions,
+        // Add etag url policy to append etag to the request url for breaking CDN cache
+        additionalPolicies: [
+            ...(appConfigOptions.clientOptions?.additionalPolicies || []),
+            { policy: new CdnTokenPipelinePolicy(), position: "perCall" },
+            { policy: new AnonymousRequestPipelinePolicy(), position: "perRetry" }
+        ]
+    };
+
+    return await load(endpoint, emptyTokenCredential, appConfigOptions);
+}

src/requestTracing/constants.ts

@@ -49,6 +49,7 @@ export const REPLICA_COUNT_KEY = "ReplicaCount";
 
 // Tag names
 export const KEY_VAULT_CONFIGURED_TAG = "UsesKeyVault";
+export const CDN_USED_TAG = "CDN";
 export const FAILOVER_REQUEST_TAG = "Failover";
 
 // Compact feature tags

src/requestTracing/utils.ts

@@ -19,6 +19,7 @@ import {
     HOST_TYPE_KEY,
     HostType,
     KEY_VAULT_CONFIGURED_TAG,
+    CDN_USED_TAG,
     KUBERNETES_ENV_VAR,
     NODEJS_DEV_ENV_VAL,
     NODEJS_ENV_VAR,
@@ -42,6 +43,7 @@ export interface RequestTracingOptions {
     initialLoadCompleted: boolean;
     replicaCount: number;
     isFailoverRequest: boolean;
+    isCdnUsed: boolean;
     featureFlagTracing: FeatureFlagTracingOptions | undefined;
     fmVersion: string | undefined;
     aiConfigurationTracing: AIConfigurationTracingOptions | undefined;
@@ -91,7 +93,9 @@ function applyRequestTracing<T extends OperationOptions>(requestTracingOptions:
     const actualOptions = { ...operationOptions };
     if (requestTracingOptions.enabled) {
         actualOptions.requestOptions = {
+            ...actualOptions.requestOptions,
             customHeaders: {
+                ...actualOptions.requestOptions?.customHeaders,
                 [CORRELATION_CONTEXT_HEADER_NAME]: createCorrelationContextHeader(requestTracingOptions)
             }
         };
@@ -111,6 +115,7 @@ function createCorrelationContextHeader(requestTracingOptions: RequestTracingOpt
     FFFeatures: Seed+Telemetry
     UsersKeyVault
     Failover
+    CDN
     */
     const keyValues = new Map<string, string | undefined>();
     const tags: string[] = [];
@@ -139,6 +144,9 @@ function createCorrelationContextHeader(requestTracingOptions: RequestTracingOpt
     if (requestTracingOptions.isFailoverRequest) {
         tags.push(FAILOVER_REQUEST_TAG);
     }
+    if (requestTracingOptions.isCdnUsed) {
+        tags.push(CDN_USED_TAG);
+    }
     if (requestTracingOptions.replicaCount > 0) {
         keyValues.set(REPLICA_COUNT_KEY, requestTracingOptions.replicaCount.toString());
     }

test/exportedApi.ts

@@ -1,4 +1,5 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 
-export { load } from "../src";
+export { load, loadFromAzureFrontDoor } from "../src";
+export { CDN_TOKEN_LOOKUP_HEADER } from "../src/azureFrontDoor/cdnRequestPipelinePolicy.js";

test/loadBalance.test.ts

@@ -6,10 +6,15 @@ import * as chaiAsPromised from "chai-as-promised";
 chai.use(chaiAsPromised);
 const expect = chai.expect;
 import { load } from "./exportedApi.js";
-import { MAX_TIME_OUT, restoreMocks, createMockedConnectionString, sleepInMs, createMockedEndpoint, mockConfigurationManagerGetClients, mockAppConfigurationClientLoadBalanceMode } from "./utils/testHelper.js";
+import { MAX_TIME_OUT, restoreMocks, createMockedConnectionString, createMockedKeyValue, sleepInMs, createMockedEndpoint, mockConfigurationManagerGetClients, mockAppConfigurationClientLoadBalanceMode } from "./utils/testHelper.js";
 import { AppConfigurationClient } from "@azure/app-configuration";
 import { ConfigurationClientWrapper } from "../src/ConfigurationClientWrapper.js";
 
+const mockedKVs = [
+    { value: "red", key: "app.settings.fontColor" },
+    { value: "40", key: "app.settings.fontSize" },
+    { value: "30", key: "app.settings.fontSize", label: "prod" }
+].map(createMockedKeyValue);
 const fakeEndpoint_1 = createMockedEndpoint("fake_1");
 const fakeEndpoint_2 = createMockedEndpoint("fake_2");
 const fakeClientWrapper_1 = new ConfigurationClientWrapper(fakeEndpoint_1, new AppConfigurationClient(createMockedConnectionString(fakeEndpoint_1)));
@@ -29,8 +34,8 @@ describe("load balance", function () {
 
     it("should load balance the request when loadBalancingEnabled", async () => {
         mockConfigurationManagerGetClients([fakeClientWrapper_1, fakeClientWrapper_2], false);
-        mockAppConfigurationClientLoadBalanceMode(fakeClientWrapper_1, clientRequestCounter_1);
-        mockAppConfigurationClientLoadBalanceMode(fakeClientWrapper_2, clientRequestCounter_2);
+        mockAppConfigurationClientLoadBalanceMode([mockedKVs], fakeClientWrapper_1, clientRequestCounter_1);
+        mockAppConfigurationClientLoadBalanceMode([mockedKVs], fakeClientWrapper_2, clientRequestCounter_2);
 
         const connectionString = createMockedConnectionString();
         const settings = await load(connectionString, {
@@ -66,8 +71,8 @@ describe("load balance", function () {
         clientRequestCounter_1.count = 0;
         clientRequestCounter_2.count = 0;
         mockConfigurationManagerGetClients([fakeClientWrapper_1, fakeClientWrapper_2], false);
-        mockAppConfigurationClientLoadBalanceMode(fakeClientWrapper_1, clientRequestCounter_1);
-        mockAppConfigurationClientLoadBalanceMode(fakeClientWrapper_2, clientRequestCounter_2);
+        mockAppConfigurationClientLoadBalanceMode([mockedKVs], fakeClientWrapper_1, clientRequestCounter_1);
+        mockAppConfigurationClientLoadBalanceMode([mockedKVs], fakeClientWrapper_2, clientRequestCounter_2);
 
         const connectionString = createMockedConnectionString();
         // loadBalancingEnabled is default to false