Fix: raise clear error when signing without api_secret #442

Merged: const-cloudinary merged 3 commits into master from fix/api-secret-validation on Jun 29, 2026

@const-cloudinary

Member

Summary

Add guards to cloudinary_url() and api_sign_request() to raise ValueError("Must supply api_secret") instead of opaque TypeError when attempting to sign without a configured secret.

This matches the behavior of other signing paths (sign_request, Search.to_url, etc.) and provides clear guidance to OAuth-only configurations.

Changes

  • cloudinary/utils.py: Guard signing block in cloudinary_url() to validate api_secret before computing signature
  • cloudinary/utils.py: Guard function entry in api_sign_request() to validate api_secret parameter
  • test/test_utils.py: Add 7 comprehensive test cases covering:
    • Signing without secret raises ValueError
    • Unsigned URL works without secret (common case)
    • Signing with secret works normally
    • Per-call api_secret override works
    • api_sign_request with None/empty string raises
    • api_sign_request with valid secret works

Test Results

  • All 134 existing tests pass
  • 7 new test cases pass
  • No regressions

Related

Implements spec: cloudinary-url-sign-without-secret.md

🤖 Generated with Claude Code
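
The failure mode the guard addresses, as an added example that is not part of the pull request or the Cloudinary SDK: the hypothetical `sign_unguarded` and `sign_guarded` functions use an assumed signing scheme (SHA-1 over sorted `key=value` pairs with the secret appended). It goes one step beyond the `None` case to show why the empty-string case matters: without a guard, an empty secret raises nothing and produces a signature that can be recomputed from the parameters alone.

```python
import hashlib

# Constructed sample parameters, not taken from the pull request.
SAMPLE = {"public_id": "sample", "timestamp": 1700000000}


def _serialize(params):
    # Assumed canonical form: sorted "key=value" pairs joined with "&",
    # with None and empty values dropped.
    return "&".join(
        f"{k}={v}" for k, v in sorted(params.items()) if v not in (None, "")
    )


def sign_unguarded(params, api_secret):
    # Hypothetical pre-fix behaviour: the secret is used without validation.
    return hashlib.sha1((_serialize(params) + api_secret).encode()).hexdigest()


def sign_guarded(params, api_secret):
    # Hypothetical post-fix behaviour: reject None and "" before signing,
    # using the error message quoted in the pull request.
    if not api_secret:
        raise ValueError("Must supply api_secret")
    return sign_unguarded(params, api_secret)


def probe(fn, params, api_secret):
    # Return ("ok", signature) or (exception class name, message).
    try:
        return ("ok", fn(params, api_secret))
    except (TypeError, ValueError) as exc:
        return (type(exc).__name__, str(exc))


if __name__ == "__main__":
    for secret in (None, "", "s3cr3t"):
        print(repr(secret), "unguarded:", probe(sign_unguarded, SAMPLE, secret))
        print(repr(secret), "guarded:  ", probe(sign_guarded, SAMPLE, secret))
```

With `None` the unguarded function fails with the opaque `TypeError`; with `""` it returns a digest of the serialized parameters only, which is the case the guard turns into an explicit `ValueError`.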

const-cloudinary and others added 3 commits June 30, 2026 01:54
Add guards to cloudinary_url() and api_sign_request() to raise
ValueError("Must supply api_secret") instead of opaque TypeError when
attempting to sign without a configured secret. This matches the behavior
of other signing paths (sign_request, Search.to_url, etc.) and provides
clear guidance to OAuth-only configurations.

Changes:
- cloudinary_url(): Guard signing block to validate api_secret before use
- api_sign_request(): Guard function entry to validate api_secret parameter
- Add 7 comprehensive test cases covering all scenarios

Fixes spec: cloudinary-url-sign-without-secret.md

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

Prevent workflow from running twice (once on push, once on PR) by adding
a condition that skips push events when they have an associated PR.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

The previous condition (github.event.pull_request == null) did not work:
github.event.pull_request is always null on push events regardless of whether
a PR exists, so the redundant run was never skipped.

Correct condition keeps on: [push, pull_request] and runs tests on every
branch push while avoiding the duplicate when a same-repo PR exists:

- push event: always runs (push to any branch, PR or not). On a push event
  github.event.pull_request.head.repo.fork dereferences to an empty string
  (falsy, no error), so the negation is true.
- same-repo PR: skipped, since that push already triggered a run.
- fork PR: runs via pull_request, since forks can't trigger a push here.

Verified against GitHub docs: dereferencing a missing context property
yields an empty string rather than an error.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

const-cloudinary merged commit cdc3d08 into master Jun 29, 2026
28 of 29 checks passed
const-cloudinary deleted the fix/api-secret-validation branch June 29, 2026 23:16