Skip to content

Fix ConnectClient crash with empty API key and OIDC auth skip#22

Draft
ian-flores wants to merge 3 commits intomainfrom
beta1-fixes
Draft

Fix ConnectClient crash with empty API key and OIDC auth skip#22
ian-flores wants to merge 3 commits intomainfrom
beta1-fixes

Conversation

@ian-flores
Copy link
Collaborator

@ian-flores ian-flores commented Mar 2, 2026

Summary

Fixes two bugs discovered while running VIP against ganso01-staging for the first time:

  • ConnectClient empty API key crash: When no VIP_CONNECT_API_KEY is set, the client sent Authorization: Key which httpx rejected with LocalProtocolError: Illegal header value. Fixed by making the header conditional.
  • OIDC auth prerequisite failure: The credentials check failed with an assertion instead of skipping when OIDC is configured without --interactive-auth. Now skips with a helpful message.

Test results (ganso01-staging)

Metric Before After
Passed 28 28
Failed 15 12
Skipped 13 16

The 3 former crashes (empty API key) now correctly skip or return proper HTTP errors.

Test plan

  • Selftests pass (47 passed)
  • Prerequisites pass against ganso01-staging (3 pass, 1 skip for OIDC)
  • Connect auth UI test correctly skips for OIDC
  • Connect API tests now fail with proper 401 (not crashes)
  • Package Manager tests unaffected (3 pass, 1 skip)

@ian-flores
Fix ConnectClient crash with empty API key and OIDC auth skip
1023836 
- Make Authorization header conditional on having an actual API key
  (fixes httpx.LocalProtocolError when VIP_CONNECT_API_KEY unset)
- Skip auth prerequisite tests gracefully for OIDC without
  --interactive-auth instead of failing
@github-actions
Copy link

github-actions bot commented Mar 2, 2026
edited
Loading

PR Preview Action v1.8.1

QR code for preview link

🚀 View preview at
https://posit-dev.github.io/vip/pr-preview/pr-22/

Built to branch gh-pages at 2026-03-02 23:09 UTC.
Preview will be ready when the GitHub Pages deployment is complete.

@ian-flores
Fix Workbench tests to skip for OIDC auth without --interactive-auth
a26a4bc 
Move non-password auth check before page navigation so tests skip
immediately instead of timing out against Keycloak redirect URLs
that don't match the sign-in/login URL patterns.
@ian-flores
Handle Workbench OIDC session not shared with Connect
f74e6db 
When --interactive-auth is used, the storage state from Connect
login may not authenticate Workbench (separate OIDC sessions).
Skip Workbench tests gracefully when storage state doesn't cover
the Workbench domain instead of timing out on login selectors.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@statik statik Awaiting requested review from statik statik will be requested when the pull request is marked ready for review statik is a code owner

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ian-flores