OPSLAB-264: add API_FQDN to support separation between AUTH and API … #350
abr-ubiqube merged 6 commits into master
Pull request overview
Adds support in the REST generic adapter for separating the authentication endpoint FQDN from the API endpoint FQDN, enabling workflows where token acquisition happens on a different host than subsequent API calls.
Changes:
- Replaces the single fqdn connection property with auth_fqdn and api_fqdn.
- Updates request host selection logic in DeviceConnection::send() to choose between auth_fqdn, api_fqdn, or sd_ip_config:port.
- Extends rest_generic_connect() to read API_FQDN config in addition to AUTH_FQDN.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| if (!empty($this->key)) { | ||
| // Post-authenticated requests: prefer API FQDN, then AUTH FQDN, then fall back to configured IP:port | ||
| if (!empty($this->api_fqdn)) { | ||
| $ip_address = $this->api_fqdn; | ||
| } elseif (!empty($this->auth_fqdn)) { | ||
| $ip_address = $this->auth_fqdn; | ||
| } else { | ||
| $ip_address = $this->sd_ip_config . ":" . $this->sd_management_port; | ||
| } | ||
| } else { | ||
| $ip_address = $this->sd_ip_config . ":" . $this->sd_management_port; | ||
| // Pre-auth/BASIC requests: prefer AUTH FQDN, then fall back to API FQDN, then to configured IP:port | ||
| if (!empty($this->auth_fqdn)) { | ||
| $ip_address = $this->auth_fqdn; | ||
| } elseif (!empty($this->api_fqdn)) { | ||
| $ip_address = $this->api_fqdn; |
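Review bot: In the pre-auth branch, `elseif (!empty($this->api_fqdn))` sends pre-auth/BASIC requests to the API host whenever AUTH_FQDN is unset, and the post-auth branch likewise falls back to auth_fqdn, so credentials or the key can reach a host other than the one they were issued for. If the cross-fallback is intended for single-host deployments, say so in the comments; otherwise fall back straight to sd_ip_config:port. The FQDN branches also assign the name without sd_management_port while the IP fallback appends it, so a non-default port has to be carried inside the FQDN value, which should be documented with the config variables.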
The new post-auth/pre-auth host selection uses !empty($this->key), but the authentication/header logic above relies on isset($this->key). If $this->key is set to an empty string (e.g., AUTH_KEY config var present but empty), requests will still add an auth header while being treated as pre-auth here, potentially sending authenticated calls to the wrong FQDN. Use a consistent predicate for “authenticated” (either change this block to isset($this->key) or tighten the header logic to require a non-empty key).
@copilot apply changes based on this feedback
Changed !empty($this->key) to isset($this->key) in the FQDN selection block so it uses the same predicate as the auth header logic above it. This ensures a key set to an empty string is treated consistently across both the header and FQDN routing decisions (commit 8d3ef84).
Note: the commit is ready locally but a repository protection rule is currently preventing the push — the change is available for review in the local branch.
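The predicate mismatch discussed in the review comment above, as an added example that is not the adapter's code: it models the header decision with isset() and runs the host selection under both predicates for several key values. The function names, hostnames, key values and IP:port are constructed for illustration.

```php
<?php
// Added illustration; not code from the pull request.
// All function names and sample values below are hypothetical.

// Header decision as the review describes it: isset() is true for "".
function addsAuthHeader(?string $key): bool
{
    return isset($key);
}

// Host selection with a pluggable "authenticated" predicate,
// following the fallback order shown in the diff comments.
function selectHost(?string $key, callable $isAuthenticated,
                    string $authFqdn, string $apiFqdn, string $ipPort): string
{
    if ($isAuthenticated($key)) {
        // Post-auth: API FQDN, then AUTH FQDN, then IP:port
        return $apiFqdn !== '' ? $apiFqdn : ($authFqdn !== '' ? $authFqdn : $ipPort);
    }
    // Pre-auth: AUTH FQDN, then API FQDN, then IP:port
    return $authFqdn !== '' ? $authFqdn : ($apiFqdn !== '' ? $apiFqdn : $ipPort);
}

$byNotEmpty = fn(?string $k): bool => !empty($k); // predicate before the fix
$byIsset    = fn(?string $k): bool => isset($k);  // predicate after the fix

// Constructed sample configuration
$auth   = 'auth.example.test';
$api    = 'api.example.test';
$ipPort = '192.0.2.10:443';

// Constructed key values; "" and "0" are both set but empty() in PHP.
$cases = ['unset' => null, 'empty string' => '', 'string "0"' => '0', 'token' => 'abc123'];

foreach ($cases as $label => $key) {
    printf("%-13s header=%-3s  !empty -> %-18s isset -> %s\n",
        $label,
        addsAuthHeader($key) ? 'yes' : 'no',
        selectHost($key, $byNotEmpty, $auth, $api, $ipPort),
        selectHost($key, $byIsset, $auth, $api, $ipPort));
}
```

Any row where the header column is "yes" and the two host columns differ is a request that carries an auth header but is routed as pre-auth under the !empty predicate.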
| FQDN used for OAuth or token based authentication | ||
| ex: FortiSASE: customerapiauth.fortinet.com | ||
|
|
||
| ## API_FQDN | ||
| FQDN used for API calls | ||
| ex: FortiSASE: portal.prod.fortisase.com |
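Review bot: The API_FQDN entry ("FQDN used for API calls") does not say what happens when the variable is left empty. Since the host selection in DeviceConnection::send() falls back between API_FQDN, AUTH_FQDN and sd_ip_config:port, add a sentence on that fallback order to both entries, and state whether the value may include a port.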
Minor wording/formatting in the newly added config var descriptions: consider using “token-based” and “e.g.” instead of “token based” / “ex:”, and remove trailing spaces at line ends to keep the Markdown clean.
!empty($this->key) (FQDN selection) and isset($this->key) (auth header logic) — use isset in both places so authenticated state is evaluated uniformly