Fix editing an existing OAuth device#28012
Merged
andig merged 9 commits intoevcc-io:masterfrom Apr 12, 2026
Merged
Conversation
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Hey - I've left some high level feedback:
- The
storedDeviceOtherfunction duplicates the sameByName(...).Config().Otherpattern for each class; consider extracting a common helper or interface to reduce repetition and make it easier to extend with new device classes. - When building the
config/authURL incheckAuth, wrapdeviceTypeandidwithencodeURIComponentto avoid issues if these values ever contain characters that need URL encoding.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The `storedDeviceOther` function duplicates the same `ByName(...).Config().Other` pattern for each class; consider extracting a common helper or interface to reduce repetition and make it easier to extend with new device classes.
- When building the `config/auth` URL in `checkAuth`, wrap `deviceType` and `id` with `encodeURIComponent` to avoid issues if these values ever contain characters that need URL encoding.Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
Member
|
@naltatis is this an issue with masked vs private? Afair we did have merging implemented? |
Member
Yes, we already have this logic and should reuse it. See |
lehmanju
force-pushed
the
oauth-masked-values
branch
from
37f8103 to
29371d2
Compare
lehmanju
force-pushed
the
oauth-masked-values
branch
from
29371d2 to
149e309
Compare
This comment was marked as outdated.
This comment was marked as outdated.
andig
reviewed
Mar 13, 2026
lehmanju
force-pushed
the
oauth-masked-values
branch
from
149e309 to
bc3c33b
Compare
Contributor
There was a problem hiding this comment.
Hey - I've left some high level feedback:
- The new
auth/{class}/merge/{id}route uses the regex[0-9.]+foridbutauthHandlerparses it withstrconv.Atoi, so requests containing a dot will match the route but fail parsing; consider changing the pattern to[0-9]+to align with the integer parsing. - In
checkAuthon the frontend,deviceTypeis interpolated into the URL segment used as{class:[a-z]+}; double‑check that all possibleDeviceTypevalues are lowercase and match the backendtemplates.Classstrings, otherwise the merge path may not be hit for some device types.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The new `auth/{class}/merge/{id}` route uses the regex `[0-9.]+` for `id` but `authHandler` parses it with `strconv.Atoi`, so requests containing a dot will match the route but fail parsing; consider changing the pattern to `[0-9]+` to align with the integer parsing.
- In `checkAuth` on the frontend, `deviceType` is interpolated into the URL segment used as `{class:[a-z]+}`; double‑check that all possible `DeviceType` values are lowercase and match the backend `templates.Class` strings, otherwise the merge path may not be hit for some device types.Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
naltatis
approved these changes
Mar 14, 2026
Member
naltatis
left a comment
naltatis
left a comment
There was a problem hiding this comment.
Works. Added e2e to guard against regressions.
andig
reviewed
Mar 15, 2026
andig
reviewed
Mar 15, 2026
andig
reviewed
Mar 15, 2026
andig
changed the title
Contributor
There was a problem hiding this comment.
Hey - I've found 2 issues, and left some high level feedback:
- The new auth route pattern uses
{id:[0-9.]+}butauthHandlerparsesidwithstrconv.Atoi, so IDs containing dots will match the route but fail at runtime; consider tightening the regex to[0-9]+to align with the parsing logic. - The change to
plugin/auth/demo.gomakes the demo auth flow depend on a hard-codedsecret == "topsecret", which alters behavior outside the tests; consider scoping this check to tests (e.g., via a build tag, env flag, or test-only helper) so existing demo usage is not unintentionally broken.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The new auth route pattern uses `{id:[0-9.]+}` but `authHandler` parses `id` with `strconv.Atoi`, so IDs containing dots will match the route but fail at runtime; consider tightening the regex to `[0-9]+` to align with the parsing logic.
- The change to `plugin/auth/demo.go` makes the demo auth flow depend on a hard-coded `secret == "topsecret"`, which alters behavior outside the tests; consider scoping this check to tests (e.g., via a build tag, env flag, or test-only helper) so existing demo usage is not unintentionally broken.
## Individual Comments
### Comment 1
<location path="server/http_config_metadata_handler.go" line_range="46-48" />
<code_context>
return
}
+ // when editing existing device, merge masked values with stored config
+ if vars := mux.Vars(r); vars["class"] != "" && vars["id"] != "" {
+ id, err := strconv.Atoi(vars["id"])
+ if err != nil {
+ jsonError(w, http.StatusBadRequest, err)
</code_context>
<issue_to_address>
**issue (bug_risk):** Route regex allows non-integer IDs but handler enforces strict int parsing
The route pattern `/auth/{class:[a-z]+}/merge/{id:[0-9.]+}` permits values like `1.0`, but `id` is parsed with `strconv.Atoi`, so those requests will fail with a 400 instead of a 404. Align the route with the actual expectations (e.g. change to `[0-9]+`) or update parsing if non-integer IDs are desired.
</issue_to_address>
### Comment 2
<location path="server/http_config_helper.go" line_range="185-194" />
<code_context>
+func mergedMaskedConfig(class templates.Class, id int, conf map[string]any) (map[string]any, error) {
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Handling nil `conf` before cloning and indexing would avoid potential panics
If `conf` is `nil`, `maps.Clone(conf)` will produce a `nil` map and the subsequent `mergeReq[typeTemplate]` access will panic. Normalizing `conf` up front (e.g. `if conf == nil { conf = map[string]any{} }`) would ensure `mergeReq` is never `nil`.
Suggested implementation:
```golang
// mergedMaskedConfig merges a new configuration with an existing one, replacing masked values with their original counterparts
func mergedMaskedConfig(class templates.Class, id int, conf map[string]any) (map[string]any, error) {
if conf == nil {
conf = map[string]any{}
}
var (
old map[string]any
err error
)
```
If `mergedMaskedConfig` is ever called with a `nil` map and the caller relies on that to detect "no input config", this behavior change should be verified. Otherwise, no additional changes should be needed: after this normalization, `maps.Clone(conf)` will safely return a non-nil map and `mergeReq[typeTemplate]` indexing will no longer panic due to a nil map.
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
andig
reviewed
Apr 7, 2026
andig
reviewed
Apr 7, 2026
Co-authored-by: andig <cpuidle@gmail.com>
Member
|
@sourcery-ai dismiss |
Member
|
Thank you @lehmanju great PR! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When editing an existing oauth device, the UI says it is unauthorized even though the authorization is active. The reason is the wrong use of masked values, which are not merged with the original config. As a consequence evcc thinks it is a new device config.
This has been created with Claude, but the gist is:
I wouldn't merge this as is as I am sure this should be further optimized but it serves as basis for solving the issue.