fix: correct destination auth config and add --include-destination-auth flag#208
Merged
fix: correct destination auth config and add --include-destination-auth flag#208
Conversation
…ination-auth flag
The CLI was sending destination authentication credentials under an
`auth_method` key, but the API expects `auth_type` (string) and `auth`
(credentials map) as separate fields inside `destination.config`.
Changes:
- Fix buildDestinationConfig() to split auth into auth_type and auth fields
- Add GetDestination API client method for fetching destinations directly
- Add --include-destination-auth flag to `connection get` that fetches
destination credentials via GET /destinations/{id}?include=config.auth
(the connections API does not support this parameter)
- Update acceptance tests to verify credentials are stored correctly by
doing a `connection get --include-destination-auth` after creation
- Update README.md and REFERENCE.md with new flag documentation
Co-authored-by: Cursor <cursoragent@cursor.com>
Tests were asserting against destConfig["auth_method"] which is not a real API field. All assertions silently passed because they used if-ok guards — the field was never present, so the checks never ran. - Replace auth_method assertions with auth_type (the actual API field) - Fix upsert update path to clear stale auth_type before setting new one - Remove phantom auth_method delete in upsert config merge Co-authored-by: Cursor <cursoragent@cursor.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
auth_methodkey, but the API expectsauth_type(string) andauth(credentials map) as separate fields insidedestination.config. This affected all auth types (OAuth2, AWS Signature, GCP Service Account).--include-destination-authflag toconnection get: The connections API does not supportinclude=config.auth, so this flag fetches the destination directly viaGET /destinations/{id}?include=config.authand merges the enriched config back into the connection response.connection get --include-destination-authafter creation, asserting specific credential values for all four auth types.Details
Auth config fix (
buildDestinationConfig)The
buildDestinationConfig()function was wrapping all auth fields underconfig.auth_method, but the API expects:config.auth_type— the auth type string (e.g.AWS_SIGNATURE)config.auth— a map of the credential values--include-destination-authflagThe
include=config.authquery parameter is only supported onGET /destinations/{id}andGET /sources/{id}(confirmed via OpenAPI spec). It is not supported on any/connectionsendpoint. The CLI works around this by making a supplementaryGET /destinations/{id}?include=config.authcall when the flag is set.Note: POST /connections response redaction
When creating a connection with inline destination auth,
POST /connectionscorrectly stores the credentials but redacts them in the response (returnsauth: {}). A standalonePOST /destinationsreturns them in full. This is a separate API inconsistency — a repro script (test/repro-connection-auth-bug.sh, not committed) was used to verify this.Test plan
go test ./pkg/...)TestConnectionOAuth2AWSAuthentication): OAuth2 Client Credentials, OAuth2 Authorization Code, AWS Signature, GCP Service Accountauth_typein the create response, then doesconnection get --include-destination-authto verify credentials were storedhookdeck connection get <id> --include-destination-auth --output jsonreturns full auth credentialsMade with Cursor