[PROF-13798] ✨ Use DD-CLIENT-TOKEN header and per-site base URL in checkProfilingQuota

Move client token from dd-api-key query param to DD-CLIENT-TOKEN header
to avoid leaking it in URL logs. Add getQuotaBaseURL() to resolve the
correct base per site (datad0g.com uses dd.datad0g.com, others use
app.<site>). Add credentials: 'omit' to suppress cookie sending.

Author: thomasbertet

packages/rum/src/domain/profiling/quotaCheck.spec.ts

@@ -47,11 +47,19 @@ describe('checkProfilingQuota', () => {
     expect(result).toBe('quota-ok')
   })
 
-  it('builds the URL with site, session_id and dd-api-key', async () => {
+  it('builds the URL with site and session_id', async () => {
     interceptor.withFetch(DEFAULT_FETCH_MOCK)
     await checkProfilingQuota(mockRumConfiguration({ site: 'datadoghq.com', clientToken: 'my-token' }), 'session-abc')
     expect(interceptor.requests[0].url).toBe(
-      'https://api.datadoghq.com/api/unstable/profiling/admission?session_id=session-abc&dd-api-key=my-token'
+      'https://app.datadoghq.com/api/unstable/profiling/admission?session_id=session-abc'
+    )
+  })
+
+  it('uses the dd.datad0g.com base URL for datad0g.com site', async () => {
+    interceptor.withFetch(DEFAULT_FETCH_MOCK)
+    await checkProfilingQuota(mockRumConfiguration({ site: 'datad0g.com', clientToken: 'my-token' }), 'session-abc')
+    expect(interceptor.requests[0].url).toBe(
+      'https://dd.datad0g.com/api/unstable/profiling/admission?session_id=session-abc'
     )
   })
 })

packages/rum/src/domain/profiling/quotaCheck.ts

@@ -1,17 +1,32 @@
 import { fetch, setTimeout, clearTimeout } from '@datadog/browser-core'
 import type { RumConfiguration } from '@datadog/browser-rum-core'
 
+const getQuotaBaseURL = (site: string) => {
+  switch (site) {
+    case 'datad0g.com':
+      return `https://dd.${site}`
+    default:
+      return `https://app.${site}`
+  }
+}
+
 export function checkProfilingQuota(
   configuration: RumConfiguration,
   sessionId: string,
   timeoutMs = 5000
 ): Promise<'quota-ok' | 'quota-exceeded'> {
-  const url = `https://api.${configuration.site}/api/unstable/profiling/admission?session_id=${sessionId}&dd-api-key=${configuration.clientToken}`
+  const url = `${getQuotaBaseURL(configuration.site)}/api/unstable/profiling/admission?session_id=${sessionId}`
   const controller = new AbortController()
 
   let timeoutId: ReturnType<typeof setTimeout>
 
-  const fetchPromise = fetch(url, { signal: controller.signal })
+  const fetchPromise = fetch(url, {
+    credentials: 'omit',
+    signal: controller.signal,
+    headers: new Headers({
+      'DD-CLIENT-TOKEN': configuration.clientToken,
+    }),
+  })
     .then((response): 'quota-ok' | 'quota-exceeded' => {
       clearTimeout(timeoutId)
       return response.status === 429 ? 'quota-exceeded' : 'quota-ok'