[GH-ISSUE #251] Sandbox testers: align create/delete with OpenAPI (v2) #79

New issue

Closed

opened 2026-02-26 21:33:13 +03:00 by kerem · 2 comments

kerem commented

2026-02-26 21:33:13 +03:00

Owner

Originally created by @rudrankriyam on GitHub (Jan 28, 2026).
Original GitHub issue: https://github.com/rudrankriyam/App-Store-Connect-CLI/issues/251

Originally assigned to: @swiftlysingh on GitHub.

Overview

CreateSandboxTester and DeleteSandboxTester currently call v1 endpoints, while the OpenAPI snapshot only documents v2 sandbox tester endpoints. This is a spec mismatch and likely fails on accounts where v1 is retired.

Current behavior

Create: POST /v1/sandboxTesters
Delete: DELETE /v1/sandboxTesters/{id}
List/Update: GET /v2/sandboxTesters, PATCH /v2/sandboxTesters/{id}

Scope (OpenAPI endpoints)

GET /v2/sandboxTesters
PATCH /v2/sandboxTesters/{id}
POST /v2/sandboxTestersClearPurchaseHistoryRequest
No v1 create/delete endpoints in docs/openapi/paths.txt

Proposed fix

Verify whether v1 create/delete endpoints still exist in ASC API.
If v1 is deprecated/removed: migrate create/delete to v2 or remove these commands with a clear error.
If v1 is still valid: update OpenAPI snapshot or add explicit doc note.

Acceptance criteria

Create/delete behavior aligns with OpenAPI (or is explicitly documented as unsupported)
Tests assert correct path versioning
User-facing errors are clear if create/delete is not supported

Tests

HTTP client tests for create/delete endpoint paths
Command tests for asc sandbox create/delete

Implementation notes

Update internal/asc/sandbox.go and sandbox tests
Review cmd/sandbox_create.go and cmd/sandbox_manage.go for error messaging

Originally created by @rudrankriyam on GitHub (Jan 28, 2026). Original GitHub issue: https://github.com/rudrankriyam/App-Store-Connect-CLI/issues/251 Originally assigned to: @swiftlysingh on GitHub. # Overview `CreateSandboxTester` and `DeleteSandboxTester` currently call v1 endpoints, while the OpenAPI snapshot only documents v2 sandbox tester endpoints. This is a spec mismatch and likely fails on accounts where v1 is retired. # Current behavior - Create: `POST /v1/sandboxTesters` - Delete: `DELETE /v1/sandboxTesters/{id}` - List/Update: `GET /v2/sandboxTesters`, `PATCH /v2/sandboxTesters/{id}` # Scope (OpenAPI endpoints) - `GET /v2/sandboxTesters` - `PATCH /v2/sandboxTesters/{id}` - `POST /v2/sandboxTestersClearPurchaseHistoryRequest` - No v1 create/delete endpoints in `docs/openapi/paths.txt` # Proposed fix - Verify whether v1 create/delete endpoints still exist in ASC API. - If v1 is deprecated/removed: migrate create/delete to v2 or remove these commands with a clear error. - If v1 is still valid: update OpenAPI snapshot or add explicit doc note. # Acceptance criteria - [ ] Create/delete behavior aligns with OpenAPI (or is explicitly documented as unsupported) - [ ] Tests assert correct path versioning - [ ] User-facing errors are clear if create/delete is not supported # Tests - HTTP client tests for create/delete endpoint paths - Command tests for `asc sandbox create/delete` # Implementation notes - Update `internal/asc/sandbox.go` and sandbox tests - Review `cmd/sandbox_create.go` and `cmd/sandbox_manage.go` for error messaging

kerem closed this issue

2026-02-26 21:33:13 +03:00

kerem commented

2026-02-26 21:33:14 +03:00

Author

Owner

@swiftlysingh commented on GitHub (Jan 28, 2026):

Update: I ran thorough v1/v2 HTTP probes with configured ASC credentials. Results:

GET /v2/sandboxTesters?limit=1 -> 200
POST /v2/sandboxTesters -> 403 (CREATE not allowed; allowed: GET_COLLECTION, UPDATE)
DELETE /v2/sandboxTesters/{id} -> 403 (DELETE not allowed; allowed: GET_COLLECTION, UPDATE)
GET /v1/sandboxTesters?limit=1 -> 404 (resource does not exist)
POST /v1/sandboxTesters -> 404 (resource does not exist)
DELETE /v1/sandboxTesters/{id} -> 404 (resource does not exist)

I mistakenly opened PR #262 before finishing the verification, and have closed it. Based on the probes, v1 endpoints are gone and v2 explicitly disallows create/delete. Happy to open a new PR if you want the CLI to keep create/delete as explicit “unsupported” commands with help text + tests, or to remove them entirely.

@swiftlysingh commented on GitHub (Jan 28, 2026): Update: I ran thorough v1/v2 HTTP probes with configured ASC credentials. Results: - GET /v2/sandboxTesters?limit=1 -> 200 - POST /v2/sandboxTesters -> 403 (CREATE not allowed; allowed: GET_COLLECTION, UPDATE) - DELETE /v2/sandboxTesters/{id} -> 403 (DELETE not allowed; allowed: GET_COLLECTION, UPDATE) - GET /v1/sandboxTesters?limit=1 -> 404 (resource does not exist) - POST /v1/sandboxTesters -> 404 (resource does not exist) - DELETE /v1/sandboxTesters/{id} -> 404 (resource does not exist) I mistakenly opened PR #262 before finishing the verification, and have closed it. Based on the probes, v1 endpoints are gone and v2 explicitly disallows create/delete. Happy to open a new PR if you want the CLI to keep create/delete as explicit “unsupported” commands with help text + tests, or to remove them entirely.

kerem commented

2026-02-26 21:33:14 +03:00

Author

Owner

@rudrankriyam commented on GitHub (Jan 28, 2026):

If it is gone, we need to remove them entirely

@rudrankriyam commented on GitHub (Jan 28, 2026): If it is gone, we need to remove them entirely

kerem referenced this issue

2026-02-26 21:34:22 +03:00

[PR #79] [MERGED] Asc financial reports support #268