chore: optional serviceApiKey

Author: arcoraven

.changeset/good-swans-bet.md

@@ -0,0 +1,5 @@
+---
+"@thirdweb-dev/service-utils": patch
+---
+
+fix: make service api key optional to allow services to pass through auth

packages/service-utils/src/core/api.ts

@@ -20,7 +20,8 @@ export type CoreServiceConfig = {
   // if EXPLICITLY set to null, service will not be checked for authorization
   // this is meant for services that are not possible to be turned off by users, such as "social" and "analytics"
   serviceScope: ServiceName | null;
-  serviceApiKey: string;
+  // Optional. Some services pass through user-provided authentication (e.g. analytics) and should not have any authed access on their own.
+  serviceApiKey?: string;
   serviceAction?: string;
   useWalletAuth?: boolean;
   /**

packages/service-utils/src/core/get-auth-headers.test.ts

@@ -111,4 +111,14 @@ describe("getAuthHeaders", () => {
       Authorization: "Bearer test-jwt",
     });
   });
+
+  it("should return empty headers if no auth method and no serviceApiKey is provided", () => {
+    const headers = getAuthHeaders(defaultAuthData);
+    expect(headers).toEqual({});
+  });
+
+  it("should return empty headers if serviceApiKey is undefined and no other auth method is provided", () => {
+    const headers = getAuthHeaders(defaultAuthData, undefined);
+    expect(headers).toEqual({});
+  });
 });

packages/service-utils/src/core/get-auth-headers.ts

@@ -9,35 +9,40 @@ import type { AuthorizationInput } from "./authorize/index.js";
  */
 export function getAuthHeaders(
   authData: AuthorizationInput,
-  serviceApiKey: string,
-): Record<string, string> {
+  serviceApiKey?: string,
+): HeadersInit {
   const { teamId, clientId, jwt, secretKey, incomingServiceApiKey } = authData;
 
   switch (true) {
     // 1. if we have a secret key, we'll use it
     case !!secretKey:
       return {
         "x-secret-key": secretKey,
-      } as Record<string, string>;
+      };
 
     // 2. if we have a JWT AND either a teamId or clientId, we'll use the JWT for auth
     case !!(jwt && (teamId || clientId)):
       return {
         Authorization: `Bearer ${jwt}`,
-      } as Record<string, string>;
+      };
 
     // 3. if we have an incoming service api key, we'll use it
     case !!incomingServiceApiKey: {
       return {
         "x-service-api-key": incomingServiceApiKey,
-      } as Record<string, string>;
+      };
     }
 
-    // 4. if nothing else is present, we'll use the service api key
-    default: {
+    // 4. if we have a service api key provided by the service, use it
+    case !!serviceApiKey: {
       return {
         "x-service-api-key": serviceApiKey,
       };
     }
+
+    // 5. otherwise leave auth headers empty
+    default: {
+      return {};
+    }
   }
 }