[v5] Strict matching default for MSAL Interceptor

[jo-arroyo]

This PR makes strictMatching the default for the MSAL Angular interceptor.

[Copilot]

Pull request overview

This PR updates @azure/msal-angular v5 to use strict URL component matching by default when evaluating protectedResourceMap entries, and relocates the legacy matching helper away from msal-common.

Changes:

• Default MsalInterceptor behavior now uses strict, anchored, component-aware wildcard matching unless strictMatching === false.
• Removes StringUtils.matchPattern from @azure/msal-common and migrates matching tests to msal-angular.
• Adds/updates v5 docs describing strict matching semantics and the opt-out path.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
lib/msal-angular/src/msal.interceptor.ts	Enables strict matching by default and introduces matchPatternStrict while retaining legacy matching behind strictMatching: false.
lib/msal-angular/src/msal.interceptor.config.ts	Documents and exposes the new strictMatching?: boolean configuration option (default true in v5).
lib/msal-angular/src/msal.interceptor.spec.ts	Adds extensive unit + integration coverage for strict matching and preserves legacy coverage by setting strictMatching: false in existing tests.
lib/msal-angular/docs/msal-interceptor.md	Documents strict matching behavior, defaults, and opt-out guidance.
lib/msal-angular/docs/v4-v5-upgrade-guide.md	Adds a breaking-change note for strict matching in v5.
lib/msal-common/src/utils/StringUtils.ts	Removes matchPattern from StringUtils.
lib/msal-common/test/utils/StringUtils.spec.ts	Removes matchPattern tests now that the helper is removed.
lib/msal-common/apiReview/msal-common.api.md	Updates the API review surface to reflect removal of matchPattern.
change/@azure-msal-common-8da2a968-6ae2-4495-8ca6-e327ce3f5bd1.json	Adds a changefile for the msal-common API change.
change/@azure-msal-angular-0e4576d0-f88b-40f7-9d46-acfeca4f1bad.json	Adds a changefile for the msal-angular default-behavior change.

[Wendelstein7]

Note: This comment was (partly) written with AI-assistance.

⚠️ Warning: strictMatching as default is a breaking change

Making strictMatching default in v5.1.0 silently breaks existing apps. The official MS Learn Angular tutorial configures the interceptor as:

protectedResourceMap.set('https://graph.microsoft.com/v1.0/me', ['user.read']);

Other tutorials and online resources just set the basic origin uri without path.

Without wildcards, this worked before because the interceptor matched any URL starting with the map key. After updating to v5.1.0, the interceptor silently stops attaching Authorization headers, causing 401 errors at runtime — no build-time warning, no migration note.

The fix is appending /* to map keys, but:

• There is no compile-time signal that anything is wrong - the app loads fine, just fails to authenticate
• Some (but not all) published Microsoft documentation uses the non-wildcard pattern and hasn't been updated for this change
• Changing a default that silently breaks existing configurations is a breaking change and belongs in a major version, not a minor one

I'd suggest a console warning when strictMatching isn't explicitly set and map keys don't contain wildcards, or updating the official docs with an explicit warning / update note alongside this release.