feat: Add FDv2 streaming source factories and query-parameter authentication#306
Merged
kinyoklion merged 1 commit intoJun 15, 2026
Conversation
kinyoklion
commented
Jun 12, 2026
Member
Author
There was a problem hiding this comment.
After some discussion and consideration I decided that the auth for the browser may as well always use the query parameter. This reduces the risk of a cors problem.
kinyoklion
force-pushed
the
rlamb/sdk-2186/fdv2-streaming-source
branch
2 times, most recently
from
f171045 to
1ae2779
Compare
kinyoklion
commented
Jun 12, 2026
kinyoklion
force-pushed
the
rlamb/sdk-2186/fdv2-streaming-source
branch
3 times, most recently
from
563d243 to
53f8ce2
Compare
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
joker23
reviewed
Jun 15, 2026
kinyoklion
force-pushed
the
rlamb/sdk-2186/fdv2-streaming-source
branch
from
53f8ce2 to
5d95350
Compare
kinyoklion
changed the base branch from
main
to
rlamb/sdk-2186/fdv2-source-translation
joker23
approved these changes
Jun 15, 2026
kinyoklion
force-pushed
the
rlamb/sdk-2186/fdv2-streaming-source
branch
from
b4f1251 to
651a7ad
Compare
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 651a7ad. Configure here.
tanderson-ld
approved these changes
Jun 15, 2026
…ication Adds the streaming half of the FDv2 source factories and the shared authentication plumbing. The streaming synchronizer is built with a per-attempt uriProvider so the basis query parameter tracks the current selector across reconnects. additionalQueryParameters (the auth query parameter on web, empty on mobile) is applied to every request URL by both transports. Both transports build request URLs through one shared buildFDv2Uri helper, so query-parameter merging is identical -- including preserving repeated keys on a custom (relay-style) base URL, which the streaming builder previously collapsed.
kinyoklion
force-pushed
the
rlamb/sdk-2186/fdv2-streaming-source
branch
from
651a7ad to
187332d
Compare
kinyoklion
merged commit a42f5ce
into
rlamb/sdk-2186/fdv2-source-translation
5 checks passed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this adds
The streaming half of the FDv2 source factories, plus the authentication plumbing both source kinds share. Nothing constructs these factories in production yet (the orchestrator consumes them in a later PR), so behavior is unchanged.
Streaming factories
createSynchronizerFactoryFromEntrynow buildsFDv2StreamingSynchronizers instead of throwingUnsupportedError. The SSE client is constructed with auriProviderthat is re-invoked on every connection attempt, so thebasisquery parameter always reflects the current selector — a reconnect after payloads have been applied resumes with a delta request rather than refetching the full payload. The URI builder composes against the configured base URI the same way the polling requestor does (path joining without clobbering existing query parameters).Query-parameter authentication
SourceFactoryContextgainsadditionalQueryParameters, applied to every data acquisition request by both FDv2 transports — streaming through theuriProvider, and polling throughFDv2Requestor, which merges them into each poll URL. The transports are agnostic about what the parameters carry; authentication enters at the single population site, whereSourceFactoryContext.fromClientConfigsupplies the platformCredentialConfig.authQueryParameters: empty on io (every io transport authenticates with the authorization header in the base headers) andauth=<client-side-id>on web.The web platform authenticates with the query parameter at all times rather than the authorization header: a browser only delivers that header when the target service's CORS pre-flight allows it, the browser's native
EventSourcecannot send custom headers at all, and the FDv2 endpoint paths do not embed the credential the way the FDv1 client-side paths do. (Requirement 3.1.3 of the client-side FDv2 spec, added in launchdarkly/sdk-specs#233, permits this.) Verified against the live service: the FDv2 polling endpoint returns 200 with?auth=<credential>and 400 without.Testing
Factory tests cover the streaming construction path and pin the URI contract: the streaming URI carries the auth query parameters and picks up the current selector's
basison each provider invocation, and the polling request URL carries the auth parameters through the factory wiring. Requestor tests assert the additional query parameters appear on every poll URL alongsidebasis, and that the requestor adds no authorization header (authentication comes from base headers or query parameters, never per-request). Full package suite passes.SDK-2186
Note
Medium Risk
Touches authentication query parameters and streaming connection/error handling; production behavior is unchanged until the orchestrator wires these factories, but mistakes could break web auth or fallback when enabled.
Overview
Adds FDv2 streaming synchronizer factory wiring so
StreamingSynchronizerentries buildFDv2StreamingSynchronizerwith an SSE client whoseuriProvideris rebuilt on each connect, keepingbasisaligned with the current selector for delta resumes after reconnect.Introduces shared
buildFDv2Urifor polling and streaming so paths,withReasons,basis, relay-style base query strings (including duplicate keys), and extra params merge the same way.SourceFactoryContextnow carriescredentialandadditionalQueryParameters(fromCredentialConfig.authQueryParameters, e.g. webauth=), applied on every poll and stream URL viaFDv2Requestorand the streaming URI builder.FDv2StreamingBasegains optionaldefaultEnvironmentIdwhen headers are unavailable, and treatsUnrecoverableStatusErroras a terminal failure (with optionalx-ld-fd-fd-fallback). Factory and requestor tests cover auth query params, basis on reconnect, and repeated relay query keys.Reviewed by Cursor Bugbot for commit 187332d. Bugbot is set up for automated code reviews on this repo. Configure here.