Merge pull request 'fix: base64-encode Patchmon Basic auth credentials server-side' (#77 ) from dev into main

Reviewed-on: #77
Merge pull request 'Merge pull request 'test: add failing tests for sort/order on GET /api/instances' (#71 ) from dev into main' (#76 ) from merge/main-into-dev-v1.7.1 into dev
2026-05-30 19:04:27 -04:00 · 2026-05-30 19:03:24 -04:00 · 2026-05-30 19:00:49 -04:00 · 2026-05-30 18:54:53 -04:00 · 2026-05-30 18:51:27 -04:00 · 2026-05-30 18:33:41 -04:00
6 changed files with 30 additions and 6 deletions
@@ -539,6 +539,7 @@ function _renderJobConfigFields(key, cfg) {
    </div>`;
  if (key === 'patchmon_sync' || key === 'semaphore_sync') {
    const label = key === 'semaphore_sync' ? 'API Token (Bearer)' : 'API Token (Basic)';
+    const tokenPlaceholder = key === 'patchmon_sync' ? 'token_key:token_secret' : '';
    return `
    <div class="form-group">
      <label class="form-label" for="job-cfg-api-url">API URL</label>
@@ -548,6 +549,7 @@ function _renderJobConfigFields(key, cfg) {
    <div class="form-group">
      <label class="form-label" for="job-cfg-api-token">${label}</label>
      <input class="form-input" id="job-cfg-api-token" type="password"
+        placeholder="${tokenPlaceholder}"
        value="${esc(cfg.api_token ?? '')}">
    </div>`;
  }
@@ -1 +1 @@
-const VERSION = "1.5.0";
+const VERSION = "1.7.1";
@@ -1,6 +1,6 @@
 {
  "name": "catalyst",
-  "version": "1.7.0",
+  "version": "1.7.1",
  "type": "module",
  "scripts": {
    "start": "node server/server.js",
@@ -41,8 +41,14 @@ async function patchmonSyncHandler(cfg) {
  const { api_url, api_token } = cfg;
  if (!api_url || !api_token) throw new Error('Patchmon not configured — set API URL and token');

+  // Accept raw "key:secret" (recommended) or a pre-encoded base64 string.
+  // ":" cannot appear in a valid base64 string, so it's a reliable discriminator.
+  const credential = api_token.includes(':')
+    ? Buffer.from(api_token).toString('base64')
+    : api_token;
+
  const res = await fetch(api_url, {
-    headers: { Authorization: `Basic ${api_token}` },
+    headers: { Authorization: `Basic ${credential}` },
  });
  if (!res.ok) throw new Error(`Patchmon API ${res.status}`);

@@ -112,13 +112,17 @@ router.post('/instances', (req, res) => {
 router.put('/instances/:vmid', (req, res) => {
  const vmid = parseInt(req.params.vmid, 10);
  if (!vmid) return res.status(400).json({ error: 'invalid vmid' });
-  if (!getInstance(vmid)) return res.status(404).json({ error: 'instance not found' });

-  const errors = validate(req.body);
+  const existing = getInstance(vmid);
+  if (!existing) return res.status(404).json({ error: 'instance not found' });
+
+  const merged = { ...existing, ...(req.body ?? {}) };
+
+  const errors = validate(merged);
  if (errors.length) return res.status(400).json({ errors });

  try {
-    const data = normalise(req.body);
+    const data = normalise(merged);
    updateInstance(vmid, data);
    res.json(getInstance(data.vmid));
  } catch (e) {
@@ -257,6 +257,18 @@ describe('PUT /api/instances/:vmid', () => {
    const res = await request(app).put('/api/instances/100').send({ ...base, vmid: 200 })
    expect(res.status).toBe(409)
  })
+
+  it('accepts a partial body and preserves unspecified fields', async () => {
+    await request(app).post('/api/instances').send({ ...base, atlas: 1, tailscale_ip: '100.64.0.1' })
+    const res = await request(app).put('/api/instances/100').send({ state: 'degraded' })
+    expect(res.status).toBe(200)
+    expect(res.body.state).toBe('degraded')
+    expect(res.body.name).toBe(base.name)
+    expect(res.body.vmid).toBe(100)
+    expect(res.body.stack).toBe(base.stack)
+    expect(res.body.atlas).toBe(1)
+    expect(res.body.tailscale_ip).toBe('100.64.0.1')
+  })
 })

 // ── DELETE /api/instances/:vmid ───────────────────────────────────────────────
Author	SHA1	Message	Date
josh	194cd3c175	Merge pull request 'fix: base64-encode Patchmon Basic auth credentials server-side' (#77 ) from dev into main CI / test (push) Successful in 10s Details Release / release (push) Successful in 23s Details CI / build-dev (push) Has been skipped Details Reviewed-on: #77	2026-05-30 19:04:27 -04:00
josh	72b8d60985	Merge pull request 'Merge pull request 'test: add failing tests for sort/order on GET /api/instances' (#71 ) from dev into main' (#76 ) from merge/main-into-dev-v1.7.1 into dev CI / test (push) Successful in 12s Details CI / test (pull_request) Successful in 15s Details CI / build-dev (push) Successful in 15s Details CI / build-dev (pull_request) Has been skipped Details Reviewed-on: #76	2026-05-30 19:03:24 -04:00
josh	917fb26e05	Merge branch 'main' into dev — resolve 1.7.0/1.7.1 version overlap, keep 1.7.1 CI / test (pull_request) Successful in 11s Details CI / build-dev (pull_request) Has been skipped Details # Conflicts: # package.json	2026-05-30 19:00:49 -04:00
josh	a28867b398	Merge pull request 'fix: base64-encode Patchmon Basic auth credentials server-side' (#74 ) from fix/patchmon-sync-basic-auth into dev CI / test (push) Successful in 9s Details CI / build-dev (push) Successful in 23s Details CI / test (pull_request) Successful in 18s Details CI / build-dev (pull_request) Has been skipped Details Reviewed-on: #74	2026-05-30 18:54:53 -04:00
josh	ac71ea2c49	chore: bump to version 1.7.1 CI / test (pull_request) Successful in 19s Details CI / build-dev (pull_request) Has been skipped Details Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-30 18:51:27 -04:00
josh	efa1750cac	fix: base64-encode Patchmon Basic auth credentials server-side Patchmon's API uses standard RFC 7617 Basic auth — `Basic base64(token_key:token_secret)`. The handler was sending the api_token field verbatim, so it only worked if the user had manually base64-encoded the credential. After a Patchmon upgrade, the sync started returning HTML (the SPA, served when auth is rejected) and failing with "Unexpected token '<'" on JSON.parse. Now: if the token contains ':' (raw key:secret), encode it server-side; otherwise pass through unchanged for backward compatibility. UI gets a placeholder hint showing the expected format. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-30 18:33:41 -04:00
josh	aa6e28d818	Merge pull request 'chore: bump to version 1.7.0' (#72 ) from chore/bump-v1.7.0 into main CI / test (push) Successful in 13s Details Release / release (push) Successful in 30s Details CI / build-dev (push) Has been skipped Details Reviewed-on: #72	2026-05-29 16:10:56 -04:00
josh	a0381b12cc	Merge pull request 'test: add failing tests for sort/order on GET /api/instances' (#71 ) from dev into main CI / test (push) Successful in 16s Details Release / release (push) Failing after 11s Details CI / build-dev (push) Has been skipped Details Reviewed-on: #71	2026-05-29 16:05:54 -04:00
josh	64eacb28d2	Merge pull request 'feat: accept partial bodies on PUT /api/instances/:vmid' (#70 ) from feat/partial-instance-updates into dev CI / test (push) Successful in 11s Details CI / build-dev (push) Successful in 38s Details CI / test (pull_request) Successful in 18s Details CI / build-dev (pull_request) Has been skipped Details Reviewed-on: #70	2026-05-29 16:03:44 -04:00
josh	ea671535fc	feat: accept partial bodies on PUT /api/instances/:vmid CI / test (pull_request) Successful in 10s Details CI / build-dev (pull_request) Has been skipped Details Merge the request body onto the existing instance row before validating, so external callers (n8n, scripts) can send only the fields they want to change instead of GET-then-splat-then-PUT the full record. Mirrors the partial-update pattern already used by PUT /api/jobs/:id. Full-body PUTs (today's frontend) are unaffected.	2026-05-29 15:57:58 -04:00