Skip to content

fix: correct destination auth config and add --include-destination-auth flag #208

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
leggetter merged 2 commits into from
Feb 10, 2026
Merged

fix: correct destination auth config and add --include-destination-auth flag #208

leggetter merged 2 commits into from
Feb 10, 2026

Conversation

@leggetter
Copy link
Collaborator

@leggetter leggetter commented Feb 10, 2026

Summary

  • Fix destination auth config structure: The CLI was sending destination authentication credentials under an auth_method key, but the API expects auth_type (string) and auth (credentials map) as separate fields inside destination.config. This affected all auth types (OAuth2, AWS Signature, GCP Service Account).
  • Add --include-destination-auth flag to connection get: The connections API does not support include=config.auth, so this flag fetches the destination directly via GET /destinations/{id}?include=config.auth and merges the enriched config back into the connection response.
  • Strengthen acceptance tests: Tests now verify credentials are actually stored by doing a connection get --include-destination-auth after creation, asserting specific credential values for all four auth types.

Details

Auth config fix (buildDestinationConfig)

The buildDestinationConfig() function was wrapping all auth fields under config.auth_method, but the API expects:

  • config.auth_type — the auth type string (e.g. AWS_SIGNATURE)
  • config.auth — a map of the credential values

--include-destination-auth flag

The include=config.auth query parameter is only supported on GET /destinations/{id} and GET /sources/{id} (confirmed via OpenAPI spec). It is not supported on any /connections endpoint. The CLI works around this by making a supplementary GET /destinations/{id}?include=config.auth call when the flag is set.

Note: POST /connections response redaction

When creating a connection with inline destination auth, POST /connections correctly stores the credentials but redacts them in the response (returns auth: {}). A standalone POST /destinations returns them in full. This is a separate API inconsistency — a repro script (test/repro-connection-auth-bug.sh, not committed) was used to verify this.

Test plan

  • All unit tests pass (go test ./pkg/...)
  • All four acceptance tests pass (TestConnectionOAuth2AWSAuthentication): OAuth2 Client Credentials, OAuth2 Authorization Code, AWS Signature, GCP Service Account
  • Each test creates a connection, verifies auth_type in the create response, then does connection get --include-destination-auth to verify credentials were stored
  • Manual verification: hookdeck connection get <id> --include-destination-auth --output json returns full auth credentials

Made with Cursor

leggetter and others added 2 commits February 10, 2026 00:22
@leggetter @cursoragent
fix: correct destination auth config structure and add --include-dest…
4ba1f0b 
…ination-auth flag

The CLI was sending destination authentication credentials under an
`auth_method` key, but the API expects `auth_type` (string) and `auth`
(credentials map) as separate fields inside `destination.config`.

Changes:
- Fix buildDestinationConfig() to split auth into auth_type and auth fields
- Add GetDestination API client method for fetching destinations directly
- Add --include-destination-auth flag to `connection get` that fetches
  destination credentials via GET /destinations/{id}?include=config.auth
  (the connections API does not support this parameter)
- Update acceptance tests to verify credentials are stored correctly by
  doing a `connection get --include-destination-auth` after creation
- Update README.md and REFERENCE.md with new flag documentation

Co-authored-by: Cursor <cursoragent@cursor.com>
@leggetter @cursoragent
fix: remove hallucinated auth_method field, use real API auth_type
f3ddba6 
Tests were asserting against destConfig["auth_method"] which is not a
real API field. All assertions silently passed because they used if-ok
guards — the field was never present, so the checks never ran.

- Replace auth_method assertions with auth_type (the actual API field)
- Fix upsert update path to clear stale auth_type before setting new one
- Remove phantom auth_method delete in upsert config merge

Co-authored-by: Cursor <cursoragent@cursor.com>
@leggetter leggetter merged commit f0cfda1 into main Feb 10, 2026
7 checks passed
@leggetter leggetter deleted the fix/destination-auth-config branch February 10, 2026 02:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@leggetter