Skip to content

feat: add AUTH_INTERCEPTOR_BYPASS token for per-request bypass#786

Closed
yogeshchoudhary147 wants to merge 1 commit intomainfrom
feature/auth-interceptor-bypass
Closed

feat: add AUTH_INTERCEPTOR_BYPASS token for per-request bypass#786
yogeshchoudhary147 wants to merge 1 commit intomainfrom
feature/auth-interceptor-bypass

Conversation

@yogeshchoudhary147
Copy link
Copy Markdown
Contributor

@yogeshchoudhary147 yogeshchoudhary147 commented Jan 24, 2026

Description

Adds support for bypassing the AuthHttpInterceptor on a per-request basis using Angular's HttpContextToken pattern. This provides developers with dynamic, runtime control over token attachment without relying solely on
URL-based configuration.

Changes

  • New export: AUTH_INTERCEPTOR_BYPASS - An HttpContextToken<boolean> for controlling interceptor behavior per-request
  • Interceptor enhancement: Early bypass check in intercept() method that takes precedence over allowedList configuration
  • Comprehensive tests: 9 new test cases covering all bypass scenarios and HTTP methods
  • Documentation: Added new section in EXAMPLES.md with usage examples and common scenarios

Usage

import { HttpClient, HttpContext } from '@angular/common/http';                                                                                                                                                                        
import { AUTH_INTERCEPTOR_BYPASS } from '@auth0/auth0-angular';                                                                                                                                                                        
                                                                                                                                                                                                                                       
// Make a request without attaching an access token                                                                                                                                                                                    
this.http.get('/api/public', {                                                                                                                                                                                                         
  context: new HttpContext().set(AUTH_INTERCEPTOR_BYPASS, true)                                                                                                                                                                        
}).subscribe(data => {                                                                                                                                                                                                                 
  // Handle response                                                                                                                                                                                                                   
});

Use Cases

  • Public endpoints: Skip authentication for public APIs even when URL matches allowedList
  • Dynamic control: Conditionally bypass based on runtime logic or application state
  • Per-request override: Override global allowedList configuration for specific requests

Testing

  • ✅ All existing tests pass (131 total)
  • ✅ 9 new test cases covering bypass functionality
  • ✅ Tested with GET, POST, PUT, DELETE, PATCH methods
  • ✅ Verified interaction with allowAnonymous configuration
  • ✅ Build verification confirms token is exported in public API

Breaking Changes

None. This is a completely additive feature that maintains full backward compatibility.

Checklist

  • Code follows the project's coding standards
  • Tests have been added/updated
  • Documentation has been updated
  • All tests pass locally
  • No breaking changes

Fixes #658

@yogeshchoudhary147 yogeshchoudhary147 requested a review from a team as a code owner January 24, 2026 11:47
@yogeshchoudhary147
feat: add HttpContextToken for per-request AuthHttpInterceptor bypass
86c7763 
Introduces AUTH_INTERCEPTOR_BYPASS, an HttpContextToken that allows
developers to bypass the AuthHttpInterceptor on a per-request basis.
This provides dynamic control over token attachment, complementing
the existing URL-based allowedList configuration.

Key features:
- AUTH_INTERCEPTOR_BYPASS token for use with HttpContext
- Early bypass check in interceptor for optimal performance
- Takes precedence over allowedList configuration
- Fully backward compatible with existing functionality
- Comprehensive test coverage with 9 new test cases
- Documentation and usage examples in EXAMPLES.md

Use cases:
- Bypass authentication for public endpoints
- Dynamic control based on runtime logic
- Per-request override of global configuration
@yogeshchoudhary147 yogeshchoudhary147 force-pushed the feature/auth-interceptor-bypass branch from 4982116 to 86c7763 Compare January 24, 2026 12:20
@yogeshchoudhary147 yogeshchoudhary147 deleted the feature/auth-interceptor-bypass branch January 28, 2026 10:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Ability to bypass the AuthHttpInterceptor on a per-request basis

1 participant

@yogeshchoudhary147