OpenFn/lightning

Don't add apiKey to basic auth in CommCare Credential

Closed this issue · 3 comments

When using the CommCare adaptor, users have two authentication options: API Key or Basic Authentication. Basic auth requires a username and password while API key auth requires the API key and user name.

We found a bug that adds the apiKey in the config even when the user has not specified it in the form. apiKey should only be in the config IF the user has specified it in the form; otherwise, we should use the basic auth (username and password) for authenticating.

We should also be blocking users from specifying apiKey and password when setting up a credential. When this happens, show a message saying "You cannot specify apiKey and password in one CommCare credential".

Lightning uses the schema spec in order to build out the forms, and so it'll get messy very fast to start handling these kinds of situations directly in the code, without a spec.

If only we could have a way to specify a one_of validation in the adaptor config schema 🤔 .

@josephjclark how does the runtime know which one to use? Does it prefer apiKey over basic auth?

@midigofrank each adaptor will choose what to do (there's no generic runtime logic on this). I think usually they prefer the API key or access token.

one_of probably feels like the right way to go, but might be complex. And requires many schema changes.

Another option here is to add logic in the adaptor to warn or error for conflicting config rules. But again, that's a lot of adaptor changes and it's kinda rote.

We generally have a similar situation with oauth, where an adaptor might take oauth OR some kind of basic Auth. I don't know how lightning handles this, if at all, but conditional logic in the schema could be the answer.
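
A sketch of the one_of idea discussed in this thread, as an added example that is not part of the issue and not OpenFn's code. The schema shape, the function names and the "Specify either" message are assumptions; only the field names and the conflict message come from the issue. It drops blank form fields before building the config and uses the standard JSON Schema `oneOf` rule (exactly one branch may match) to reject a credential that carries both apiKey and password.

```javascript
// Constructed schema: a hypothetical shape for the CommCare credential, using
// standard JSON Schema keywords (required, oneOf). Not the adaptor's real schema.
const commcareCredentialSchema = {
  type: 'object',
  properties: {
    username: { type: 'string' },
    password: { type: 'string' },
    apiKey: { type: 'string' },
  },
  required: ['username'],
  // oneOf passes only when exactly one branch matches, so supplying both
  // password and apiKey (or neither) is rejected.
  oneOf: [{ required: ['password'] }, { required: ['apiKey'] }],
};

// Keep only schema fields the user actually filled in, so a blank apiKey
// input is never written into the stored config.
function formToConfig(form, schema) {
  const config = {};
  for (const key of Object.keys(schema.properties)) {
    const value = form[key];
    if (typeof value === 'string' && value.trim() !== '') config[key] = value;
  }
  return config;
}

const hasAll = (config, keys) => keys.every((k) => k in config);

// Minimal evaluator for the two keywords used above (not a full JSON Schema validator).
function validateCredential(form, schema = commcareCredentialSchema) {
  const config = formToConfig(form, schema);
  const errors = schema.required
    .filter((k) => !(k in config))
    .map((k) => `${k} is required`);
  const matched = schema.oneOf.filter((branch) => hasAll(config, branch.required));
  if (matched.length > 1) {
    errors.push('You cannot specify apiKey and password in one CommCare credential');
  } else if (matched.length === 0) {
    errors.push('Specify either apiKey or password');
  }
  return errors.length ? { ok: false, errors } : { ok: true, config };
}
```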