fix: remove hallucinated auth_method field, use real API auth_type

Tests were asserting against destConfig["auth_method"] which is not a
real API field. All assertions silently passed because they used if-ok
guards — the field was never present, so the checks never ran.

- Replace auth_method assertions with auth_type (the actual API field)
- Fix upsert update path to clear stale auth_type before setting new one
- Remove phantom auth_method delete in upsert config merge

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: leggetter

pkg/cmd/connection_upsert.go

@@ -599,12 +599,24 @@ func (cu *connectionUpsertCmd) buildDestinationInputForUpdate(existingDest *hook
 
 	// Apply authentication config if provided
 	if cu.DestinationAuthMethod != "" {
+		// Clear any existing auth fields before setting new ones
+		delete(destConfig, "auth_type")
+		delete(destConfig, "auth")
+
 		authConfig, err := cu.buildAuthConfig()
 		if err != nil {
 			return nil, err
 		}
 		if len(authConfig) > 0 {
-			destConfig["auth_method"] = authConfig
+			// Use the correct API format: auth_type + auth as separate fields
+			destConfig["auth_type"] = authConfig["type"]
+			auth := make(map[string]interface{})
+			for k, v := range authConfig {
+				if k != "type" {
+					auth[k] = v
+				}
+			}
+			destConfig["auth"] = auth
 		}
 	}
 

test/acceptance/connection_test.go

@@ -746,12 +746,7 @@ func TestConnectionAuthenticationTypes(t *testing.T) {
 		destConfig, ok := dest["config"].(map[string]interface{})
 		require.True(t, ok, "Expected destination config object")
 
-		if authMethod, ok := destConfig["auth_method"].(map[string]interface{}); ok {
-			assert.Equal(t, "API_KEY", authMethod["type"], "Auth type should be API_KEY")
-			assert.Equal(t, "X-API-Key", authMethod["key"], "Auth key should be X-API-Key")
-			assert.Equal(t, "header", authMethod["to"], "Auth location should be header")
-			// API key itself should not be returned for security
-		}
+		assert.Equal(t, "API_KEY", destConfig["auth_type"], "Auth type should be API_KEY")
 
 		// Cleanup
 		t.Cleanup(func() {
@@ -804,11 +799,7 @@ func TestConnectionAuthenticationTypes(t *testing.T) {
 		destConfig, ok := dest["config"].(map[string]interface{})
 		require.True(t, ok, "Expected destination config object")
 
-		if authMethod, ok := destConfig["auth_method"].(map[string]interface{}); ok {
-			assert.Equal(t, "API_KEY", authMethod["type"], "Auth type should be API_KEY")
-			assert.Equal(t, "api_key", authMethod["key"], "Auth key should be api_key")
-			assert.Equal(t, "query", authMethod["to"], "Auth location should be query")
-		}
+		assert.Equal(t, "API_KEY", destConfig["auth_type"], "Auth type should be API_KEY")
 
 		// Cleanup
 		t.Cleanup(func() {
@@ -859,11 +850,7 @@ func TestConnectionAuthenticationTypes(t *testing.T) {
 		destConfig, ok := dest["config"].(map[string]interface{})
 		require.True(t, ok, "Expected destination config object")
 
-		if authMethod, ok := destConfig["auth_method"].(map[string]interface{}); ok {
-			assert.Equal(t, "CUSTOM_SIGNATURE", authMethod["type"], "Auth type should be CUSTOM_SIGNATURE")
-			assert.Equal(t, "X-Signature", authMethod["key"], "Auth key should be X-Signature")
-			// Signing secret should not be returned for security
-		}
+		assert.Equal(t, "CUSTOM_SIGNATURE", destConfig["auth_type"], "Auth type should be CUSTOM_SIGNATURE")
 
 		// Cleanup
 		t.Cleanup(func() {
@@ -913,9 +900,7 @@ func TestConnectionAuthenticationTypes(t *testing.T) {
 		require.True(t, ok, "Expected destination config object")
 
 		// Hookdeck signature should be set as the auth type
-		if authMethod, ok := destConfig["auth_method"].(map[string]interface{}); ok {
-			assert.Equal(t, "HOOKDECK_SIGNATURE", authMethod["type"], "Auth type should be HOOKDECK_SIGNATURE")
-		}
+		assert.Equal(t, "HOOKDECK_SIGNATURE", destConfig["auth_type"], "Auth type should be HOOKDECK_SIGNATURE")
 
 		// Cleanup
 		t.Cleanup(func() {
@@ -983,10 +968,7 @@ func TestConnectionAuthenticationTypes(t *testing.T) {
 		updateDestConfig, ok := updateDest["config"].(map[string]interface{})
 		require.True(t, ok, "Expected destination config object in update response")
 
-		if authMethod, ok := updateDestConfig["auth_method"].(map[string]interface{}); ok {
-			assert.Equal(t, "API_KEY", authMethod["type"], "Auth type should be updated to API_KEY")
-			assert.Equal(t, "X-API-Key", authMethod["key"], "Auth key should be X-API-Key")
-		}
+		assert.Equal(t, "API_KEY", updateDestConfig["auth_type"], "Auth type should be updated to API_KEY")
 
 		// Update to Hookdeck signature (reset to default)
 		stdout, stderr, err = cli.Run("connection", "upsert", connName,
@@ -1007,9 +989,7 @@ func TestConnectionAuthenticationTypes(t *testing.T) {
 		resetDestConfig, ok := resetDest["config"].(map[string]interface{})
 		require.True(t, ok, "Expected destination config object in reset response")
 
-		if authMethod, ok := resetDestConfig["auth_method"].(map[string]interface{}); ok {
-			assert.Equal(t, "HOOKDECK_SIGNATURE", authMethod["type"], "Auth type should be reset to HOOKDECK_SIGNATURE")
-		}
+		assert.Equal(t, "HOOKDECK_SIGNATURE", resetDestConfig["auth_type"], "Auth type should be reset to HOOKDECK_SIGNATURE")
 
 		t.Logf("Successfully tested changing authentication methods via upsert: %s", connID)
 	})

test/acceptance/connection_upsert_test.go

@@ -181,9 +181,7 @@ func TestConnectionUpsertPartialUpdates(t *testing.T) {
 		updatedDestConfig, ok := updatedDest["config"].(map[string]interface{})
 		require.True(t, ok, "Expected destination config")
 
-		if authMethod, ok := updatedDestConfig["auth_method"].(map[string]interface{}); ok {
-			assert.Equal(t, "BEARER", authMethod["type"], "Auth type should be BEARER")
-		}
+		assert.Equal(t, "BEARER_TOKEN", updatedDestConfig["auth_type"], "Auth type should be BEARER_TOKEN")
 
 		t.Logf("Successfully updated connection %s auth method to bearer", connID)
 	})