Skip to content

fix(credentials): resolve canonical from --name when omitted → fixes 405 (CLI-123)#455

Open
fhacloid wants to merge 1 commit into
developfrom
fhacloid-cli-123-cy-credential-update-sends-put-to-collection-endpoint-when
Open

fix(credentials): resolve canonical from --name when omitted → fixes 405 (CLI-123)#455
fhacloid wants to merge 1 commit into
developfrom
fhacloid-cli-123-cy-credential-update-sends-put-to-collection-endpoint-when

Conversation

@fhacloid

@fhacloid fhacloid commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Summary

Fixes CLI-123 — cy credential update with --name only (no --canonical) was 405-ing on all invocations.

Root cause: update.go never marked --canonical as required (unlike create.go). When omitted, canonical="" caused the route to degenerate from /organizations/{org}/credentials/{canonical} to the collection endpoint /organizations/{org}/credentials. The API returns 405 on PUT to the collection (only GET+POST are allowed there). Present since the command was introduced (a465971, 2024-03-05).

Customer context (Alchemy / Nicolas Maillat, support-alchemy):

cy credential update custom --name nm-testing-custom-secret --field tesnmsecret2="toto" → API Error 405

Fix — Option B (name-based canonical auto-resolve):

When --canonical is omitted, update now lists the org's credentials and resolves the canonical by matching --name / --path, mirroring the create --update lookup. The resolved canonical is then used to PUT the item endpoint. Explicit --canonical still wins when provided. A clear error is returned if no match is found.

// If --canonical was not provided, resolve it from --name/--path by listing
// the org's credentials — mirrors the create --update lookup (CLI-123).
if credential == "" {
    creds, _, listErr := m.ListCredentials(org, credT)
    ...
    existing := findCredentialForUpdate(creds, credential, credentialPath, name)
    if existing == nil || existing.Canonical == nil {
        return fmt.Errorf("no credential found matching --name %q; pass --canonical to target it directly", name)
    }
    credential = *existing.Canonical
}

Note on overwrite semantics: PUT replaces the entire raw blob — there is no partial field-merge on the API. Customers must pass ALL fields to avoid data loss. This is a separate concern; the API would need a new endpoint for partial update.

Test plan

  • TestUpdateByNameResolvesCanonical_ItemRoute — offline regression test: asserts PUT goes to /organizations/{org}/credentials/{canonical} (item route), not the collection. Failed before this fix.
  • All existing credentials package tests green (TestDefaultCredentialPath, TestFindCredentialForUpdate)
  • go build ./... clean
  • Manual: cy --org <org> credential update custom --name <name> --field k=v should no longer 405

🤖 Generated with Claude Code

@fhacloid
fix(credentials): resolve canonical from --name when --canonical is o…
8c008b9 
…mitted (CLI-123)

`credential update` was sending PUT to the collection endpoint
/organizations/{org}/credentials when --canonical was not provided,
because an empty canonical string caused the route to degenerate.
The API returns 405 on PUT to the collection.

Option B: when --canonical is omitted, list the org's credentials and
match by --name / --path, mirroring the create --update lookup. If no
match is found, a clear error is returned instead of a silent 405.
Explicit --canonical still wins when provided.

Adds an offline regression test that asserts PUT targets the item route
/organizations/{org}/credentials/{canonical}, not the collection.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@fhacloid