[NOT READY] Add OAuth support to remaining 6 commands#342
Closed
srosenthal-dd wants to merge 1 commit into
Closed
Conversation
Six command files only supported API key auth via make_dd_config. Update them to also check for an OAuth bearer token using make_bearer_client, matching the pattern used by all other commands. Affected commands: authn_mappings, data_deletion, datasets, logs_restriction, obs_pipelines, workflows. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
srosenthal-dd
changed the title
platinummonkey
approved these changes
Apr 10, 2026
Jansen-w
added a commit
to Jansen-w/pup
that referenced
this pull request
May 20, 2026
The `make_api!` macro sends the OAuth bearer token when one is available and falls back to API-key headers otherwise. Previously the OP commands used `make_api_no_auth!`, which suppressed the bearer header outright because the OP routes did not accept `ValidOAuthAccessToken` on the server side. Server-side support for OAuth on the OP public routes is in flight (DataDog/dd-source#426541 covers the Rapid-side authn list on obs-pipelines-crud; DataDog/dd-go#238110 covers the Route Manager allowlist on rc-api-proxy across staging/prod/gov). Once those land and pup's OAuth client gets the OP scopes added, this change unblocks `pup obs-pipelines` via OAuth without further client work. Pattern copied from the prior attempt in PR DataDog#342, adapted to the current `make_api!` macro (which subsumed the older `make_bearer_client` helper used in that PR).
5 tasks
Jansen-w
added a commit
to Jansen-w/pup
that referenced
this pull request
May 22, 2026
The `make_api!` macro sends the OAuth bearer token when one is available and falls back to API-key headers otherwise. Previously the OP commands used `make_api_no_auth!`, which suppressed the bearer header outright because the OP routes did not accept `ValidOAuthAccessToken` on the server side. Server-side support for OAuth on the OP public routes is in flight (DataDog/dd-source#426541 covers the Rapid-side authn list on obs-pipelines-crud; DataDog/dd-go#238110 covers the Route Manager allowlist on rc-api-proxy across staging/prod/gov). Once those land and pup's OAuth client gets the OP scopes added, this change unblocks `pup obs-pipelines` via OAuth without further client work. Pattern copied from the prior attempt in PR DataDog#342, adapted to the current `make_api!` macro (which subsumed the older `make_bearer_client` helper used in that PR).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
authn_mappings,data_deletion,datasets,logs_restriction,obs_pipelines, andworkflowsmake_bearer_clientpattern used everywhere else in the codebase, so these commands use OAuth when the user authenticates viapup auth logincost.rsNote: some of these API endpoints do not yet support
ValidOAuthAccessTokenon the server side. The client-side change is still correct -- pup should always prefer OAuth and fall back to API key auth. As the server-side routes are updated to accept OAuth, these commands will automatically work without further client changes.Test plan
cargo checkpassescargo testpasses (744 tests)cargo fmtproduces no changesdatasets: OAuth token sent and accepted by server (auth succeeded), confirming the client-side plumbing works end-to-endauthn_mappings,data_deletion,logs_restriction,obs_pipelines: OAuth token sent correctly (confirmed via server logs), but these routes don't yet acceptValidOAuthAccessTokenserver-side -- will need server-side route updatesworkflows: has a client-side check that blocks OAuth -- will need a separate change to remove that restriction🤖 Generated with Claude Code