Skip to content

Fix: Use correct API token for /v0/purl requests #918

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jdalton merged 2 commits into from
Nov 18, 2025
Merged

Fix: Use correct API token for /v0/purl requests #918

jdalton merged 2 commits into from
Nov 18, 2025

Conversation

@jdalton
Copy link
Contributor

@jdalton jdalton commented Nov 18, 2025
edited by cursor bot
Loading

Summary

Fixed token selection in getAlertsMapFromPurls() to respect SOCKET_CLI_API_TOKEN instead of defaulting to public token.

Changes

  • Remove getPublicApiToken() default, let setupSdk() handle token resolution
  • Add unit tests for token selection behavior

Note

Stop defaulting to a public token in getAlertsMapFromPurls, letting setupSdk resolve the token; add unit tests for token passing and PURL processing.

  • Utils:
    • getAlertsMapFromPurls: remove getPublicApiToken default and pass through apiToken to setupSdk.
  • Tests:
    • Add src/utils/alerts-map.test.mts covering token passing (undefined vs provided), empty PURLs, processing flow, and filter options.

Written by Cursor Bugbot for commit 221d423. Configure here.

@jdalton
Fix incorrect token usage in /v0/purl requests
ba4e16a 
When getAlertsMapFromPurls is called without an explicit apiToken option,
it was defaulting to getPublicApiToken() which always returns the public
token as a fallback. This caused /v0/purl API requests to use the public
token even when SOCKET_CLI_API_TOKEN was set in the environment.

The fix removes the default value and lets setupSdk handle token
resolution through getDefaultApiToken(), which properly respects
SOCKET_CLI_API_TOKEN and other token sources.
@jdalton
Add unit tests for token selection behavior
221d423 
Created dedicated test file src/utils/alerts-map.test.mts to verify
the token selection fix in getAlertsMapFromPurls().

Tests verify:
- setupSdk receives undefined when no apiToken provided, allowing proper
  token resolution through getDefaultApiToken()
- setupSdk receives custom token when explicitly provided
- Empty purls array returns empty map without calling setupSdk
- PURLs are processed and alerts map is returned
- Filter options are handled correctly

These tests ensure the public token is never incorrectly used when a
user-provided token is available in the environment.
@jdalton jdalton merged commit 52112f2 into v1.x Nov 18, 2025
8 of 11 checks passed
@jdalton jdalton deleted the jdalton/purl-auth branch November 18, 2025 17:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@billxinli billxinli billxinli approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jdalton @billxinli