Skip to content

fix(api): sync public key tags on update#6340

Merged
gustavosbarreto merged 1 commit into
masterfrom
fix/api/public-key-update-tags-many-to-many
May 20, 2026
Merged

fix(api): sync public key tags on update#6340
gustavosbarreto merged 1 commit into
masterfrom
fix/api/public-key-update-tags-many-to-many

Conversation

@luizhf42
Copy link
Copy Markdown
Member

@luizhf42 luizhf42 commented May 19, 2026

What

Fixes public key updates silently keeping stale tag filters. Editing a key to remove or replace its tags now correctly drops the old tag relationships.

Why

PublicKeyUpdate in the Postgres store only updated the public_keys row. Tags are a many-to-many relationship stored in the public_key_tags junction table, which was never touched on update — only on create. As a result, removed tags persisted and reappeared on the next read.

Observed reproduction:

  • Create a public key with a tags filter.
  • Edit it to use a hostname filter instead → key ends up with hostname AND tags (invalid state).
  • Edit it to clear all filters → hostname resets, but tags remain.

The hostname field reset correctly because it is a plain column on public_keys; only the junction-table relationships were orphaned.

Changes

  • api/store/pg: PublicKeyUpdate now re-syncs the public_key_tags junction table — it deletes the existing entries for the key and re-inserts the current set, mirroring the tag-handling already done in PublicKeyCreate.
  • api/store/pg: The row update and junction-table sync are wrapped in WithTransaction so a partial failure cannot leave the key with mismatched filters.

Testing

Verify with a key that has a tags filter: edit it to a hostname filter and confirm the tags are gone, then edit it to clear all filters and confirm both hostname resets to .* and the tags array is empty.

@luizhf42
fix(api): sync public key tags on update
46f71ed 
PublicKeyUpdate only updated the public_keys row, leaving the
public_key_tags junction table untouched. Editing a key to drop or
replace its tags left the stale relationships in place, so removed
tags reappeared on the next read. Re-sync the junction entries within
a transaction so the persisted filter matches the request.
@luizhf42 luizhf42 requested a review from a team as a code owner May 19, 2026 20:16
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 19, 2026
edited
Loading

Claude finished @luizhf42's task in 3m 11s —— View job

Code Review Complete

Reviewed 1 file across code quality, security, testing, Go patterns, and architecture — no issues found. The code looks good as-is.

Summary: The delete-then-reinsert approach for syncing junction table rows is correct and mirrors the existing PublicKeyCreate pattern. The WithTransaction wrapper ensures atomicity, the delete is properly scoped by (fingerprint, namespace_id), and the ON CONFLICT DO NOTHING guard handles edge cases. No interface or API contract changes, no cross-repo impact on cloud/.

If you push additional changes and want a new review, tag @shellhub-io/admin and a team member can trigger it.

@luizhf42 luizhf42 self-assigned this May 20, 2026
@luizhf42 luizhf42 added kind/bug Something isn't working area/api labels May 20, 2026
@gustavosbarreto gustavosbarreto merged commit d6a02d0 into master May 20, 2026
22 checks passed
@gustavosbarreto gustavosbarreto deleted the fix/api/public-key-update-tags-many-to-many branch May 20, 2026 15:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@luizhf42 luizhf42

Labels

area/api kind/bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@luizhf42 @gustavosbarreto