diff --git a/src/infra/net/proxy/proxy-validation.test.ts b/src/infra/net/proxy/proxy-validation.test.ts index 52ec04c0a5a..df383dafe94 100644 --- a/src/infra/net/proxy/proxy-validation.test.ts +++ b/src/infra/net/proxy/proxy-validation.test.ts @@ -467,7 +467,31 @@ describe("proxy validation", () => { }); }); - it("fails APNs reachability when response has no apns-id (proxy intercept)", async () => { + it("accepts APNs 403 reachability even when apns-id is unavailable", async () => { + const result = await runProxyValidation({ + config: { + enabled: true, + proxyUrl: "http://127.0.0.1:3128", + }, + env: {}, + allowedUrls: [], + deniedUrls: [], + apnsReachability: true, + apnsCheck: vi.fn().mockResolvedValue({ status: 403 }), + }); + + expect(result.ok).toBe(true); + expect(result.checks).toEqual([ + { + kind: "apns", + url: "https://api.sandbox.push.apple.com", + ok: true, + status: 403, + }, + ]); + }); + + it("fails APNs reachability when non-403 response has no apns-id (proxy intercept)", async () => { const result = await runProxyValidation({ config: { enabled: true, diff --git a/src/infra/net/proxy/proxy-validation.ts b/src/infra/net/proxy/proxy-validation.ts index 39f43c0754c..4710df46086 100644 --- a/src/infra/net/proxy/proxy-validation.ts +++ b/src/infra/net/proxy/proxy-validation.ts @@ -422,13 +422,13 @@ async function runApnsReachabilityCheck(params: { authority: params.authority, timeoutMs: params.timeoutMs, }); - if (!result.apnsId) { + if (!result.apnsId && result.status !== 403) { return { kind: "apns", url: params.authority, ok: false, error: - "APNs reachability check failed: response did not include an apns-id header. " + + "APNs reachability check failed: response was not a 403 and did not include an apns-id header. " + "The proxy may be intercepting the connection instead of tunneling it.", }; }