Skip to content

fix(link): refresh masked-password URLs on re-link #117

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tonychang04 merged 1 commit into from
May 12, 2026
Merged

fix(link): refresh masked-password URLs on re-link #117

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 17 additions & 0 deletions src/auth-providers/apply.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -100,6 +100,23 @@ describe('refreshStaleEnvDefaults', () => {
expect(updated).toBe(existing);
});

it('refreshes a masked-password URL even if it differs from the manifest default', () => {
// Pre-0.1.72 cloud links wrote `postgresql://postgres:********@...`
// (placeholder password) to .env.local. Re-linking under 0.1.72+ should
// replace that with the real spliced password from /database-password.
const existing = 'DATABASE_URL=postgresql://postgres:********@m8s5kmam.us-east.database.insforge.app:5432/insforge?sslmode=require\n';
const defaults = new Map([
['DATABASE_URL', 'postgresql://postgres:postgres@127.0.0.1:5432/insforge'],
]);
const platform = new Map([
['DATABASE_URL', 'postgresql://postgres:realsecret@m8s5kmam.us-east.database.insforge.app:5432/insforge?sslmode=require'],
]);
const { updated, refreshed } = refreshStaleEnvDefaults(existing, defaults, platform);
expect(refreshed).toEqual(['DATABASE_URL']);
expect(updated).toContain('postgres:realsecret@');
expect(updated).not.toContain('********');
});

it('handles multiple keys, refreshing only the stale ones', () => {
const existing = [
'DATABASE_URL=postgresql://postgres:postgres@127.0.0.1:5432/insforge',
Expand Down
14 changes: 13 additions & 1 deletion src/auth-providers/apply.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,16 @@ export function extractEnvPairs(content: string): Map<string, string> {
// value matches the manifest's literal default AND the platform now has a
// real value (e.g., cloud DATABASE_URL), overwrite the line. User-customized
// values (anything that differs from the manifest default) are preserved.
//
// One extra case beyond "matches the default": the cloud's
// `database-connection-string` endpoint used to return a placeholder URL
// like `postgresql://postgres:********@host/db?sslmode=require` before
// 0.1.72 spliced the real password in. Users linked under that older CLI
// still have the masked URL in their .env.local. The masked value can
// never authenticate to Postgres, so it's clearly stale — detect any
// `:****@` (one or more `*`) password and refresh from the platform.
// Exported for unit testing.
const MASKED_PASSWORD_PATTERN = /:\*+@/;
export function refreshStaleEnvDefaults(
existing: string,
manifestDefaults: Map<string, string>,
Expand All @@ -127,7 +136,10 @@ export function refreshStaleEnvDefaults(
const userValue = m[2];
const def = manifestDefaults.get(key);
const real = platformValues.get(key);
if (def !== undefined && real !== undefined && userValue === def && real !== def) {
if (def === undefined || real === undefined || real === def) return line;
const matchesDefault = userValue === def;
const isMaskedPassword = MASKED_PASSWORD_PATTERN.test(userValue);
if (matchesDefault || isMaskedPassword) {
refreshed.push(key);
return `${key}=${real}`;
}
Comment on lines +141 to 145
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Avoid reporting a refresh when the value is unchanged.

At Line 141–145, masked values are marked refreshed even when real === userValue, which causes no-op rewrites and misleading envKeysRefreshed.

Proposed fix 
-    if (matchesDefault || isMaskedPassword) {
+    if ((matchesDefault || isMaskedPassword) && real !== userValue) {
       refreshed.push(key);
       return `${key}=${real}`;
     }
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
const isMaskedPassword = MASKED_PASSWORD_PATTERN.test(userValue);
if (matchesDefault || isMaskedPassword) {
refreshed.push(key);
return `${key}=${real}`;
}
const isMaskedPassword = MASKED_PASSWORD_PATTERN.test(userValue);
if ((matchesDefault || isMaskedPassword) && real !== userValue) {
refreshed.push(key);
return `${key}=${real}`;
}
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/auth-providers/apply.ts` around lines 141 - 145, The code marks keys as
refreshed whenever matchesDefault or isMaskedPassword is true, even if the
actual value hasn't changed; update the logic so you only push to refreshed and
return the updated `${key}=${real}` when real !== userValue. In the block using
MASKED_PASSWORD_PATTERN, check the equality of real and userValue (and only
treat it as refreshed when different); if they are the same, do not push key
into refreshed and return the original `${key}=${userValue}` (or leave it
unchanged). Reference symbols: MASKED_PASSWORD_PATTERN, refreshed array, key,
userValue, real, matchesDefault, isMaskedPassword.

Expand Down
Loading