Skip to content

Change from username/password to token authentication #326

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jun 30, 2025
Merged

Change from username/password to token authentication #326

merged 2 commits into from
Jun 30, 2025

Conversation

ludeeus
Copy link
Owner

@ludeeus ludeeus commented Jun 30, 2025

No description provided.

@Copilot Copilot AI review requested due to automatic review settings June 30, 2025 14:02
@ludeeus ludeeus added the breaking-change For things that will require consumers of the project to adjust the implementation label Jun 30, 2025
Copilot
Copilot AI reviewed Jun 30, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR replaces basic username/password authentication with token-based authentication across the client, tests, and example, and updates helper logic to handle query-based fixture filenames.

  • Replace all username/password parameters with a single token parameter
  • Refactor ApiClient to send a Bearer token and adjust the session/subscriber flows
  • Update tests, fixtures loader, example script, and devcontainer config for token usage

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
tests/test_subscription.py Updated expected error messages to match the new generic messages
tests/test_client.py Swapped username/password for token in client init
tests/conftest.py Replaced fixture credentials with token
tests/common.py Made load_response strip query strings before loading JSON
pytraccar/client.py Removed BasicAuth, added Bearer token header, adjusted session calls and WS subscription
example.py Swapped env vars to use TRACCAR_TOKEN
.devcontainer.json Updated Poetry feature reference
Comments suppressed due to low confidence (2)

tests/test_subscription.py:160

  • [nitpick] The new generic message drops the original exception detail, which can hinder debugging. Consider restoring the exception text (e.g., Unexpected error - {exception}) or logging it.
            "Unexpected error",

tests/test_client.py:14

  • There aren’t tests verifying that the Authorization: Bearer <token> header is sent in API calls—consider adding one to confirm token injection.
        "token": "test",

@coderabbitai coderabbitai
Copy link

coderabbitai bot commented Jun 30, 2025

📝 Walkthrough

Walkthrough

The changes refactor authentication throughout the codebase from username/password-based to token-based authentication. This involves updating the API client, related test fixtures, and test cases to use a token parameter. Additionally, error messages in subscription tests were simplified, and the devcontainer configuration was updated to use a different Poetry feature source.

Changes

File(s) Change Summary
.devcontainer.json Updated Poetry feature source in devcontainer configuration.
example.py Switched ApiClient instantiation from username/password to token-based authentication using environment variable.
pytraccar/client.py Refactored authentication from username/password to token; updated HTTP and WebSocket auth flow accordingly.
tests/common.py Modified load_response to ignore query parameters when determining JSON filename to load.
tests/conftest.py Changed ApiClient fixture to use token instead of username/password.
tests/test_client.py Updated test client initialization to use token instead of username/password.
tests/test_subscription.py Simplified expected error messages in subscription exception tests.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant ApiClient
    participant TraccarServer

    User->>ApiClient: Instantiate with host, token, session
    ApiClient->>TraccarServer: HTTP request with Authorization: Bearer <token>
    TraccarServer-->>ApiClient: Responds to API request
    ApiClient-->>User: Returns API response

    User->>ApiClient: Subscribe to events
    ApiClient->>TraccarServer: WebSocket connect with token (query param)
    TraccarServer-->>ApiClient: WebSocket event stream
    ApiClient-->>User: Forwards events
Loading
✨ Finishing Touches
  • 📝 Generate Docstrings

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

‼️ IMPORTANT
Auto-reply has been disabled for this repository in the CodeRabbit settings. The CodeRabbit bot will not respond to your replies unless it is explicitly tagged.

  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai explain this code block.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and explain its main purpose.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

coderabbitai[bot]
coderabbitai bot requested changes Jun 30, 2025
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
.devcontainer.json (1)

44-48: Consider pinning exact digests for deterministic builds

Relying on the floating :2 tag (and likewise the floating Python 3.13 image) means any rebuild can silently pick up a different Poetry or Python toolchain. This breaks the “works on my machine” guarantee the dev-container is meant to provide.

Diff example (replace with the actual digest produced by docker pull):

-"ghcr.io/devcontainers-extra/features/poetry:2": {}
+"ghcr.io/devcontainers-extra/features/poetry@sha256:<digest>": {}

Same idea for the base image or switch to an LTS Python (3.12) until 3.13 is GA.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge Base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 2547f41 and e79810c.

📒 Files selected for processing (7)
  • .devcontainer.json (1 hunks)
  • example.py (1 hunks)
  • pytraccar/client.py (5 hunks)
  • tests/common.py (1 hunks)
  • tests/conftest.py (1 hunks)
  • tests/test_client.py (1 hunks)
  • tests/test_subscription.py (2 hunks)
🧰 Additional context used
🧬 Code Graph Analysis (1)
pytraccar/client.py (1)
pytraccar/exceptions.py (1)
  • TraccarException (4-5)
🪛 Ruff (0.11.9)
tests/conftest.py

80-80: Possible hardcoded password assigned to argument: "token"

(S106)

🔇 Additional comments (9)
pytraccar/client.py (4)

42-56: LGTM! Clean refactor to token-based authentication.

The constructor change from username/password to token authentication is well-implemented and follows best practices for API authentication.

83-88: Proper implementation of Bearer token authentication.

The Authorization header with Bearer token is correctly implemented, and the header merging logic ensures custom headers can still be passed.

226-228: Error message simplification looks good.

The simplified error messages provide cleaner output, though consider logging the full exception details for debugging purposes.

205-212: Review session API call implementation

  • The Content-Type: application/x-www-form-urlencoded header is unnecessary on a GET request (no request body to describe).
  • The comment above the call still points to the POST /session endpoint, yet the code is issuing a GET. Confirm whether Traccar supports GET for authentication or if this should remain a POST.
  • Embedding the token in the URL query string risks exposure in server logs. Consider using a POST with the token in the request body or an Authorization header for better security.

Please verify the correct HTTP method in Traccar’s API documentation and adjust accordingly.

tests/common.py (1)

28-28: Good fix for handling filenames with query parameters.

The logic correctly handles test data filenames that may include query strings, which is necessary for the new token-based authentication tests.

example.py (1)

27-27: Example correctly updated for token authentication.

The change properly demonstrates the new token-based authentication usage.

tests/test_client.py (1)

14-14: Test correctly updated for token authentication.

The test properly validates the new ApiClient constructor signature.

tests/test_subscription.py (1)

160-160: Test expectations correctly updated.

The simplified error message expectations properly match the changes in the client's error handling.

Also applies to: 170-170

tests/conftest.py (1)

80-80: LGTM! Token authentication update is correctly implemented.

The change appropriately updates the test fixture to use token-based authentication, aligning with the PR objectives. The hardcoded "test" value is suitable for test fixtures as it's clearly mock data for testing purposes.

Note: The static analysis warning about a "hardcoded password" is a false positive in this context since this is test configuration code with intentionally hardcoded mock values.

@coderabbitai coderabbitai
Copy link

coderabbitai bot commented Jun 30, 2025

📝 Walkthrough

Walkthrough

The authentication mechanism for the API client was changed from username/password-based to token-based across the codebase, including the client implementation, example usage, and tests. Related error messages were simplified, and the test utilities were updated to handle filenames with query parameters. The Poetry feature source in the devcontainer configuration was also updated.

Changes

File(s) Change Summary
.devcontainer.json Updated Poetry feature source from devcontainers-contrib to devcontainers-extra.
example.py Changed ApiClient instantiation from username/password to token-based authentication.
pytraccar/client.py Switched authentication to token-based; updated constructor, API calls, WebSocket logic, and error messages.
tests/common.py Modified load_response to ignore query parameters in filenames before appending ".json".
tests/conftest.py Updated api_client fixture to use token instead of username/password.
tests/test_client.py Changed test client initialization to use token authentication.
tests/test_subscription.py Updated expected exception messages to match simplified error messages.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant ApiClient
    participant TraccarAPI

    User->>ApiClient: Initialize(token, ...)
    User->>ApiClient: Make API request
    ApiClient->>TraccarAPI: HTTP request with Authorization: Bearer <token>
    TraccarAPI-->>ApiClient: API response
    ApiClient-->>User: Return data
Loading 
sequenceDiagram
    participant User
    participant ApiClient
    participant TraccarAPI

    User->>ApiClient: Subscribe via WebSocket
    ApiClient->>TraccarAPI: GET /api/session?token=<token>
    TraccarAPI-->>ApiClient: Session established
    ApiClient->>TraccarAPI: WebSocket connection
    TraccarAPI-->>ApiClient: WebSocket events
    ApiClient-->>User: Deliver events
Loading
📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge Base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 2547f41 and e79810c.

📒 Files selected for processing (7)
  • .devcontainer.json (1 hunks)
  • example.py (1 hunks)
  • pytraccar/client.py (5 hunks)
  • tests/common.py (1 hunks)
  • tests/conftest.py (1 hunks)
  • tests/test_client.py (1 hunks)
  • tests/test_subscription.py (2 hunks)
🧰 Additional context used
🧬 Code Graph Analysis (1)
pytraccar/client.py (1)
pytraccar/exceptions.py (1)
  • TraccarException (4-5)
🪛 Ruff (0.11.9)
tests/conftest.py

80-80: Possible hardcoded password assigned to argument: "token"

(S106)

🔇 Additional comments (12)
tests/common.py (1)

28-28: LGTM! Improved handling of filenames with query parameters.

This change correctly prevents query parameters from being included in the filename when loading JSON responses, which aligns well with the token-based authentication changes that may include query parameters in API calls.

pytraccar/client.py (5)

45-45: LGTM! Constructor signature updated for token authentication.

The change from username/password parameters to a single token parameter is clean and follows standard token-based authentication patterns.

56-56: LGTM! Token storage implementation is correct.

Storing the token in _token attribute maintains consistency with the new authentication approach.

83-88: LGTM! Standard bearer token authentication implementation.

The Authorization header with bearer token follows RFC 6750 standards. The header merging logic correctly allows additional headers while ensuring authentication and content-type headers are always present.

226-228: LGTM! Simplified error messages improve security.

Removing detailed exception information from error messages prevents potential information disclosure while maintaining meaningful error categories.

207-212: Confirm Session endpoint GET usage matches API docs

Please verify that the Traccar API supports a GET on /session?token=…, since the inline comment still references the POST endpoint. If GET is correct, update the comment to point at the /session GET path and remove the unnecessary Content-Type header; otherwise revert to POST with form data.

• File: pytraccar/client.py
• Lines: 207–212

tests/test_client.py (1)

14-14: LGTM! Test parameters updated for token authentication.

The test correctly uses the new token parameter instead of username/password, maintaining test coverage for the ApiClient constructor.

example.py (1)

27-27: LGTM! Example updated to demonstrate token authentication.

The change to use TRACCAR_TOKEN environment variable correctly demonstrates the new authentication method and maintains good security practices by using environment variables.

tests/conftest.py (1)

80-80: LGTM! Test fixture updated for token authentication.

The fixture correctly uses the new token parameter. The static analysis hint about a hardcoded password is a false positive - this is a test fixture where hardcoded test values are expected and appropriate.

tests/test_subscription.py (1)

154-178: LGTM! Error message simplification aligns with security best practices.

The updated test parameters correctly reflect the simplified error handling in the ApiClient implementation. The generic error messages ("Unexpected error" and "Could not communicate with Traccar") follow good security practices by not exposing internal exception details to end users.

The test coverage remains comprehensive, covering various exception scenarios including KeyError, asyncio.TimeoutError, aiohttp.ClientError, and TraccarConnectionException.

.devcontainer.json (2)

44-44: Verify Poetry feature tag availability

The anonymous manifest check did not return a digest, so please confirm that the new Poetry feature tag is published and pull-able to avoid dev-container build failures.

• File: .devcontainer.json
Line 44

"ghcr.io/devcontainers-extra/features/poetry:2": {},

• Ensure ghcr.io/devcontainers-extra/features/poetry:2 exists and is accessible (e.g., via docker pull ghcr.io/devcontainers-extra/features/poetry:2 or checking the GitHub Container Registry web UI).

45-48: Verify Python 3.13 support in the devcontainer feature

I wasn’t able to locate src/python/metadata.json or feature.json in the devcontainers/features repo, so there’s no evidence that version 3.13 is published. Pinning to an unavailable version will break the container build.

Locations to review:

  • .devcontainer.json (lines 45–48): 
    "ghcr.io/devcontainers/features/python:1": {
  "installTools": false,
  "version": "3.13"
}

Next steps:

  • Manually confirm that ghcr.io/devcontainers/features/python:1 supports "version": "3.13" (e.g. inspect registry tags via crane ls or similar).
  • If 3.13 isn’t available, roll back the pin to the latest stable (e.g. 3.12) until images are released.
✨ Finishing Touches
  • 📝 Generate Docstrings

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

‼️ IMPORTANT
Auto-reply has been disabled for this repository in the CodeRabbit settings. The CodeRabbit bot will not respond to your replies unless it is explicitly tagged.

  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai explain this code block.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and explain its main purpose.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@ludeeus ludeeus merged commit de52cfa into main Jun 30, 2025
7 checks passed
@ludeeus ludeeus deleted the token branch June 30, 2025 14:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@coderabbitai coderabbitai[bot] coderabbitai[bot] approved these changes

Assignees
No one assigned
Labels
breaking-change For things that will require consumers of the project to adjust the implementation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@ludeeus