Merge pull request 'fix: base64-encode Patchmon Basic auth credentials server-side' (#74 ) from fix/patchmon-sync-basic-auth into dev

Reviewed-on: #74
chore: bump to version 1.7.1
2026-05-30 18:54:53 -04:00 · 2026-05-30 18:51:27 -04:00 · 2026-05-30 18:33:41 -04:00 · 2026-05-29 16:03:44 -04:00 · 2026-05-29 15:57:58 -04:00
6 changed files with 30 additions and 6 deletions
@@ -539,6 +539,7 @@ function _renderJobConfigFields(key, cfg) {
    </div>`;
  if (key === 'patchmon_sync' || key === 'semaphore_sync') {
    const label = key === 'semaphore_sync' ? 'API Token (Bearer)' : 'API Token (Basic)';
+    const tokenPlaceholder = key === 'patchmon_sync' ? 'token_key:token_secret' : '';
    return `
    <div class="form-group">
      <label class="form-label" for="job-cfg-api-url">API URL</label>
@@ -548,6 +549,7 @@ function _renderJobConfigFields(key, cfg) {
    <div class="form-group">
      <label class="form-label" for="job-cfg-api-token">${label}</label>
      <input class="form-input" id="job-cfg-api-token" type="password"
+        placeholder="${tokenPlaceholder}"
        value="${esc(cfg.api_token ?? '')}">
    </div>`;
  }
@@ -1 +1 @@
-const VERSION = "1.5.0";
+const VERSION = "1.7.1";
@@ -1,6 +1,6 @@
 {
  "name": "catalyst",
-  "version": "1.7.0",
+  "version": "1.7.1",
  "type": "module",
  "scripts": {
    "start": "node server/server.js",
@@ -41,8 +41,14 @@ async function patchmonSyncHandler(cfg) {
  const { api_url, api_token } = cfg;
  if (!api_url || !api_token) throw new Error('Patchmon not configured — set API URL and token');

+  // Accept raw "key:secret" (recommended) or a pre-encoded base64 string.
+  // ":" cannot appear in a valid base64 string, so it's a reliable discriminator.
+  const credential = api_token.includes(':')
+    ? Buffer.from(api_token).toString('base64')
+    : api_token;
+
  const res = await fetch(api_url, {
-    headers: { Authorization: `Basic ${api_token}` },
+    headers: { Authorization: `Basic ${credential}` },
  });
  if (!res.ok) throw new Error(`Patchmon API ${res.status}`);

@@ -112,13 +112,17 @@ router.post('/instances', (req, res) => {
 router.put('/instances/:vmid', (req, res) => {
  const vmid = parseInt(req.params.vmid, 10);
  if (!vmid) return res.status(400).json({ error: 'invalid vmid' });
-  if (!getInstance(vmid)) return res.status(404).json({ error: 'instance not found' });

-  const errors = validate(req.body);
+  const existing = getInstance(vmid);
+  if (!existing) return res.status(404).json({ error: 'instance not found' });
+
+  const merged = { ...existing, ...(req.body ?? {}) };
+
+  const errors = validate(merged);
  if (errors.length) return res.status(400).json({ errors });

  try {
-    const data = normalise(req.body);
+    const data = normalise(merged);
    updateInstance(vmid, data);
    res.json(getInstance(data.vmid));
  } catch (e) {
@@ -257,6 +257,18 @@ describe('PUT /api/instances/:vmid', () => {
    const res = await request(app).put('/api/instances/100').send({ ...base, vmid: 200 })
    expect(res.status).toBe(409)
  })
+
+  it('accepts a partial body and preserves unspecified fields', async () => {
+    await request(app).post('/api/instances').send({ ...base, atlas: 1, tailscale_ip: '100.64.0.1' })
+    const res = await request(app).put('/api/instances/100').send({ state: 'degraded' })
+    expect(res.status).toBe(200)
+    expect(res.body.state).toBe('degraded')
+    expect(res.body.name).toBe(base.name)
+    expect(res.body.vmid).toBe(100)
+    expect(res.body.stack).toBe(base.stack)
+    expect(res.body.atlas).toBe(1)
+    expect(res.body.tailscale_ip).toBe('100.64.0.1')
+  })
 })

 // ── DELETE /api/instances/:vmid ───────────────────────────────────────────────
Author	SHA1	Message	Date
josh	a28867b398	Merge pull request 'fix: base64-encode Patchmon Basic auth credentials server-side' (#74 ) from fix/patchmon-sync-basic-auth into dev CI / test (push) Successful in 9s Details CI / build-dev (push) Successful in 23s Details CI / test (pull_request) Successful in 18s Details CI / build-dev (pull_request) Has been skipped Details Reviewed-on: #74	2026-05-30 18:54:53 -04:00
josh	ac71ea2c49	chore: bump to version 1.7.1 CI / test (pull_request) Successful in 19s Details CI / build-dev (pull_request) Has been skipped Details Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-30 18:51:27 -04:00
josh	efa1750cac	fix: base64-encode Patchmon Basic auth credentials server-side Patchmon's API uses standard RFC 7617 Basic auth — `Basic base64(token_key:token_secret)`. The handler was sending the api_token field verbatim, so it only worked if the user had manually base64-encoded the credential. After a Patchmon upgrade, the sync started returning HTML (the SPA, served when auth is rejected) and failing with "Unexpected token '<'" on JSON.parse. Now: if the token contains ':' (raw key:secret), encode it server-side; otherwise pass through unchanged for backward compatibility. UI gets a placeholder hint showing the expected format. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-30 18:33:41 -04:00
josh	64eacb28d2	Merge pull request 'feat: accept partial bodies on PUT /api/instances/:vmid' (#70 ) from feat/partial-instance-updates into dev CI / test (push) Successful in 11s Details CI / build-dev (push) Successful in 38s Details CI / test (pull_request) Successful in 18s Details CI / build-dev (pull_request) Has been skipped Details Reviewed-on: #70	2026-05-29 16:03:44 -04:00
josh	ea671535fc	feat: accept partial bodies on PUT /api/instances/:vmid CI / test (pull_request) Successful in 10s Details CI / build-dev (pull_request) Has been skipped Details Merge the request body onto the existing instance row before validating, so external callers (n8n, scripts) can send only the fields they want to change instead of GET-then-splat-then-PUT the full record. Mirrors the partial-update pattern already used by PUT /api/jobs/:id. Full-body PUTs (today's frontend) are unaffected.	2026-05-29 15:57:58 -04:00