refactor(deps): replace url-parse with native URL API

package.json

@@ -30,6 +30,7 @@
     "fix:prettier": "prettier --config .prettierrc \"src/**/*.{ts,css,less,scss,js}\" --write",
     "fix:lint": "eslint src --ext .ts --fix",
     "test": "run-s test:*",
+    "test:unit": "run-s build && ava --verbose build/tests/enforcer.spec.js",
     "test:integration": "run-s build && ava --verbose build/tests/endpoints/**/*.spec.js",
     "test:module-imports": "run-s build && ava --verbose build/tests/module-imports/**/*.spec.js",
     "test:e2e:rbac": "run-s build && ava --verbose build/tests/e2e/rbac.e2e.spec.js",
@@ -63,8 +64,7 @@
     "path-to-regexp": "^6.2.1",
     "pino": "8.11.0",
     "pino-pretty": "10.2.0",
-    "require-in-the-middle": "^5.1.0",
-    "url-parse": "^1.5.10"
+    "require-in-the-middle": "^5.1.0"
   },
   "devDependencies": {
     "@ava/typescript": "^1.1.1",
@@ -74,7 +74,6 @@
     "@types/express": "^4.17.9",
     "@types/lodash": "^4.14.166",
     "@types/node": "^14.14.14",
-    "@types/url-parse": "^1.4.11",
     "@typescript-eslint/eslint-plugin": "^4.0.1",
     "@typescript-eslint/parser": "^4.0.1",
     "ava": "^3.12.1",

src/enforcement/enforcer.ts

@@ -1,6 +1,5 @@
 import axios, { AxiosInstance } from 'axios';
 import { Logger } from 'pino';
-import URL from 'url-parse';
 
 import { IPermitConfig } from '../config';
 import { CheckConfig, Context, ContextStore } from '../utils/context';
@@ -118,6 +117,21 @@ export interface IEnforcer {
   ): Promise<TenantDetails[]>;
 }
 
+/**
+ * Builds the OPA client base URL from the configured PDP URL by forcing the OPA
+ * port (8181) and appending the OPA data path. Uses the native WHATWG `URL`
+ * (Node >= 10), replacing the previous `url-parse` dependency (#106).
+ *
+ * @param pdp - The configured PDP base URL (e.g. `http://localhost:7766`).
+ * @returns The OPA base URL string (e.g. `http://localhost:8181/v1/data/permit/`).
+ */
+export function buildOpaBaseUrl(pdp: string): string {
+  const opaBaseUrl = new URL(pdp);
+  opaBaseUrl.port = '8181';
+  opaBaseUrl.pathname = `${opaBaseUrl.pathname}v1/data/permit/`;
+  return opaBaseUrl.toString();
+}
+
 /**
  * The {@link Enforcer} class is responsible for performing permission checks against the PDP.
  * It implements the {@link IEnforcer} interface.
@@ -133,9 +147,7 @@ export class Enforcer implements IEnforcer {
    * @param logger - The logger instance for logging.
    */
   constructor(private config: IPermitConfig, private logger: Logger) {
-    const opaBaseUrl = new URL(this.config.pdp);
-    opaBaseUrl.set('port', '8181');
-    opaBaseUrl.set('pathname', `${opaBaseUrl.pathname}v1/data/permit/`);
+    const opaBaseUrl = buildOpaBaseUrl(this.config.pdp);
     const version = process.env.npm_package_version ?? 'unknown';
     if (config.axiosInstance) {
       this.client = config.axiosInstance;
@@ -151,11 +163,11 @@ export class Enforcer implements IEnforcer {
     }
     if (config.opaAxiosInstance) {
       this.opaClient = config.opaAxiosInstance;
-      this.opaClient.defaults.baseURL = opaBaseUrl.toString();
+      this.opaClient.defaults.baseURL = opaBaseUrl;
       this.opaClient.defaults.headers.common['X-Permit-SDK-Version'] = `node:${version}`;
     } else {
       this.opaClient = axios.create({
-        baseURL: opaBaseUrl.toString(),
+        baseURL: opaBaseUrl,
         headers: {
           'X-Permit-SDK-Version': `node:${version}`,
         },

src/tests/enforcer.spec.ts

@@ -0,0 +1,42 @@
+import test from 'ava';
+
+import { buildOpaBaseUrl } from '../enforcement/enforcer';
+
+// The OPA client base URL is derived from the configured PDP URL by forcing the
+// OPA port (8181) and appending the OPA data path. This was previously built
+// with the `url-parse` package and is now built with the native WHATWG `URL`
+// (#106). These assertions lock the produced string so the refactor is proven
+// behaviour-equivalent and any regression in the construction logic fails here.
+
+test('buildOpaBaseUrl: default PDP', (t) => {
+  t.is(buildOpaBaseUrl('http://localhost:7766'), 'http://localhost:8181/v1/data/permit/');
+});
+
+test('buildOpaBaseUrl: trailing slash yields the same URL as no trailing slash', (t) => {
+  t.is(buildOpaBaseUrl('http://localhost:7766/'), 'http://localhost:8181/v1/data/permit/');
+});
+
+test('buildOpaBaseUrl: https host without an explicit port', (t) => {
+  t.is(buildOpaBaseUrl('https://pdp.example.com'), 'https://pdp.example.com:8181/v1/data/permit/');
+});
+
+test('buildOpaBaseUrl: an existing port is overridden with 8181', (t) => {
+  t.is(
+    buildOpaBaseUrl('https://pdp.example.com:1234'),
+    'https://pdp.example.com:8181/v1/data/permit/',
+  );
+});
+
+test('buildOpaBaseUrl: a path-prefixed PDP preserves the pre-existing concatenation behaviour', (t) => {
+  // A path without a trailing slash yields `.../prefixv1/data/permit/`. This
+  // quirk predates this change and is shared by the old url-parse implementation;
+  // it is intentionally preserved here (tracked as a separate follow-up on #106).
+  t.is(
+    buildOpaBaseUrl('http://localhost:7766/prefix'),
+    'http://localhost:8181/prefixv1/data/permit/',
+  );
+  t.is(
+    buildOpaBaseUrl('http://localhost:7766/prefix/'),
+    'http://localhost:8181/prefix/v1/data/permit/',
+  );
+});