DHIS2: Schema should not require username/password when using a PAT#1689
Conversation
…me/password optional in schema
| expect(headers).to.eql(makeBasicAuthHeader('admin', 'district')); | ||
| }); | ||
|
|
||
| it('should throw if pat is empty', () => { |
There was a problem hiding this comment.
I think on the unit test for configureAuth could be summarised into
it('should throw if no valid credentials are provided', () => {
expect(() => util.configureAuth({})).to.throw('Invalid authorization...');
});
it('should throw if username is provided without a password', () => {
expect(() => util.configureAuth({ username: 'admin', password: '' })).to.throw('Invalid authorization...');
});
I think the description should be very specific and tidy @PiusKariuki
There was a problem hiding this comment.
@PiusKariuki where i am getting at is for example this description is not accurate
"should throw if pat is empty" because it will only throw if pat is empty and username and password is not provided
There was a problem hiding this comment.
Yeah these tests are a little peculiar.
They look thorough at first glance but:
- in the test
should throw if pat is empty, user name and password are all empty - you're testing "empty" but not null or undefined. Why is "empty" so significant?
They're not very tight, accurate, controlled tests. And they're actually quite misleading: should throw if pat is empty is simply not a reflection of the spec. I agree with Mtuchi's approach
There was a problem hiding this comment.
You might also test for example that pat is preferred to username and password - that feels like an important thing to a) document in a test and b) preserve in a regression test
There was a problem hiding this comment.
- "should prioritize
patoverusername/passwordwhen both are present" - "should set Authorization header with ApiToken when
patis provided" - "should set Basic Auth header when
username and passwordare provided (no pat)"
mtuchi
left a comment
There was a problem hiding this comment.
@PiusKariuki can you update the pr checklist notes and title, also since you updated the util we should have a changeset
|
@mtuchi You would like less tests? I think that would reduce our coverage in testing what was written in the spec. See link See below for things we would miss out on:
I have added a changeset file as requested and the PR checklist notes and title |
|
@josephjclark @mtuchi Got it. Thank you both for clarifying those issues on the tests. Key changes I have made:
|
* bump sdk (#1708) * DHIS2: Schema should not require username/password when using a PAT (#1689) * fix(auth): check credential values not just key presence, make username/password optional in schema * changeset file * Revised the auth tests to be more descriptive * build(deps): bump undici from 7.24.7 to 7.28.0 (#1694) * build(deps): bump undici from 7.24.7 to 7.28.0 Bumps [undici](https://github.com/nodejs/undici) from 7.24.7 to 7.28.0. - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v7.24.7...v7.28.0) --- updated-dependencies: - dependency-name: undici dependency-version: 7.28.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> * changeset --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Joe Clark <joe@openfn.org> * build(deps): bump esbuild from 0.27.4 to 0.28.1 (#1693) Bumps [esbuild](https://github.com/evanw/esbuild) from 0.27.4 to 0.28.1. - [Release notes](https://github.com/evanw/esbuild/releases) - [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md) - [Commits](evanw/esbuild@v0.27.4...v0.28.1) --- updated-dependencies: - dependency-name: esbuild dependency-version: 0.28.1 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * dhis2: Add paging examples and default `async:false` in `tracker.import` (#1681) * feat: allow async value change Signed-off-by: Hunter Achieng <achienghunter@gmail.com> * feat: update tests Signed-off-by: Hunter Achieng <achienghunter@gmail.com> * feat: add changeset Signed-off-by: Hunter Achieng <achienghunter@gmail.com> * add integration tests for tracker.export * add pagination example * update example * update integration test * improve format * remove async and add pagination docs * update tracker unit tests * update changeset * fix typo * fix: update chngeset and tracker pagination examples Signed-off-by: Hunter Achieng <achienghunter@gmail.com> * fix: update docs Signed-off-by: Hunter Achieng <achienghunter@gmail.com> --------- Signed-off-by: Hunter Achieng <achienghunter@gmail.com> Co-authored-by: Emmanuel Evance <mtuchidev@gmail.com> * fhir: map primitive elements (#1678) * feat: implement primitive mappings Signed-off-by: Hunter Achieng <achienghunter@gmail.com> * feat: update comments Signed-off-by: Hunter Achieng <achienghunter@gmail.com> * fix tests Signed-off-by: Hunter Achieng <achienghunter@gmail.com> * feat: update fhir-eswatini Signed-off-by: Hunter Achieng <achienghunter@gmail.com> * fix: remove skipped tests Signed-off-by: Hunter Achieng <achienghunter@gmail.com> * feat: fix primp value renaming Signed-off-by: Hunter Achieng <achienghunter@gmail.com> * fix: package.json Signed-off-by: Hunter Achieng <achienghunter@gmail.com> * feat: rebuild fhir-eswatini Signed-off-by: Hunter Achieng <achienghunter@gmail.com> * fix: remove nested `_birthTime` Signed-off-by: Hunter Achieng <achienghunter@gmail.com> * fix: add tests Signed-off-by: Hunter Achieng <achienghunter@gmail.com> * clean up tests * remove comment * fix: add tests and update docs Signed-off-by: Hunter Achieng <achienghunter@gmail.com> * bump fhir-gen tool * fhir-eswatini: update build meta * changeset --------- Signed-off-by: Hunter Achieng <achienghunter@gmail.com> Co-authored-by: Joe Clark <joe@openfn.org> * versions --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Hunter Achieng <achienghunter@gmail.com> Co-authored-by: Pius Kariuki <39379012+PiusKariuki@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: hunterachieng <79210550+hunterachieng@users.noreply.github.com> Co-authored-by: Emmanuel Evance <mtuchidev@gmail.com>
Summary
The configuration schema requires username and password even when authenticating with a PAT, forcing users to provide credentials that are silently ignored.
The schema currently has:
And configureAuth uses a priority chain — PAT wins over password:
The password branch doesn't check that username is also present, so CLI users (where the schema isn't enforced) can end up with silent auth failures.
Fixes #1547
Details
The schema currently has:
And
configureAuthuses a priority chain — PAT wins over password:The
passwordbranch doesn't check thatusernameis also present, so CLI users (where the schema isn't enforced) can end up with silent auth failures.Expected behaviour
pat, or bothusername+password— not all three required. AoneOf/anyOfstructure would work.configureAuthshould validate that bothusernameandpasswordare present and non-empty, and throw a descriptive error if either is missing.AI Usage
Please disclose how you've used AI in this work (it's cool, we just want to
know!):
You can read more details in our
Responsible AI Policy
Review Checklist
Before merging, the reviewer should check the following items:
production? Is it safe to release?
dev only changes don't need a changeset.