fix: allow apns 403 reachability signal

2026-05-06 06:40:44 +00:00 · 2026-05-04 18:25:49 +10:00
parent 7a02ac5928
commit 57f7f4faca
2 changed files with 27 additions and 3 deletions
--- a/src/infra/net/proxy/proxy-validation.test.ts
+++ b/src/infra/net/proxy/proxy-validation.test.ts
@@ -467,7 +467,31 @@ describe("proxy validation", () => {
    });
  });

-  it("fails APNs reachability when response has no apns-id (proxy intercept)", async () => {
+  it("accepts APNs 403 reachability even when apns-id is unavailable", async () => {
+    const result = await runProxyValidation({
+      config: {
+        enabled: true,
+        proxyUrl: "http://127.0.0.1:3128",
+      },
+      env: {},
+      allowedUrls: [],
+      deniedUrls: [],
+      apnsReachability: true,
+      apnsCheck: vi.fn().mockResolvedValue({ status: 403 }),
+    });
+
+    expect(result.ok).toBe(true);
+    expect(result.checks).toEqual([
+      {
+        kind: "apns",
+        url: "https://api.sandbox.push.apple.com",
+        ok: true,
+        status: 403,
+      },
+    ]);
+  });
+
+  it("fails APNs reachability when non-403 response has no apns-id (proxy intercept)", async () => {
    const result = await runProxyValidation({
      config: {
        enabled: true,
--- a/src/infra/net/proxy/proxy-validation.ts
+++ b/src/infra/net/proxy/proxy-validation.ts
@@ -422,13 +422,13 @@ async function runApnsReachabilityCheck(params: {
      authority: params.authority,
      timeoutMs: params.timeoutMs,
    });
-    if (!result.apnsId) {
+    if (!result.apnsId && result.status !== 403) {
      return {
        kind: "apns",
        url: params.authority,
        ok: false,
        error:
-          "APNs reachability check failed: response did not include an apns-id header. " +
+          "APNs reachability check failed: response was not a 403 and did not include an apns-id header. " +
          "The proxy may be intercepting the connection instead of tunneling it.",
      };
    }