fix: 🐛 don't load credentials when config does not match the discovered environment (#122)

* feat: improve compatibility with Python 3.14

`httpcore` that is dependency of the `httpx` causes `AttributeError` for `httpcore<1.0.8`.
(https://github.com/encode/httpcore/blob/master/CHANGELOG.md#version-108-april-11th-2025)

Support for `httpcore>=1.0` was added in `httpc==0.25.1`.
(https://github.com/encode/httpx/blob/master/CHANGELOG.md#0251-3rd-november-2023)

Constraining  httpx for python 3.14  allows to use resolve httpx to versions can use `httpcore` that fixes the issue for python 3.14

* fix: 🐛 don't load credentials when config does not match the discovered environment

This can happen when the discovery endpoint is set explicitly or via env variables.
Such credentials do not work with the target environment anyway.

Author: zoido

src/h2o_discovery/__init__.py

@@ -60,10 +60,7 @@ def discover(
     discovery = load.load_discovery(
         client.Client(uri=uri, timeout=http_timeout, ssl_context=ssl_context)
     )
-    credentials = load.load_credentials(
-        clients=discovery.clients, config_tokens=cfg.tokens
-    )
-
+    credentials = load.load_credentials(discovery=discovery, cfg=cfg)
     return dataclasses.replace(discovery, credentials=credentials)
 
 
@@ -110,10 +107,7 @@ async def discover_async(
     discovery = await load.load_discovery_async(
         client.AsyncClient(uri=uri, timeout=http_timeout, ssl_context=ssl_context)
     )
-    credentials = load.load_credentials(
-        clients=discovery.clients, config_tokens=cfg.tokens
-    )
-
+    credentials = load.load_credentials(discovery=discovery, cfg=cfg)
     return dataclasses.replace(discovery, credentials=credentials)
 
 

src/h2o_discovery/_internal/load.py

@@ -5,13 +5,13 @@
 from typing import Iterable
 from typing import List
 from typing import Mapping
-from typing import Optional
 
 import httpx
 
 from h2o_discovery import error
 from h2o_discovery import model
 from h2o_discovery._internal import client
+from h2o_discovery._internal import config
 
 
 def load_discovery(cl: client.Client) -> model.Discovery:
@@ -112,17 +112,20 @@ async def _list_components_async(cl: client.AsyncClient) -> List[model.Component
 
 
 def load_credentials(
-    clients: Mapping[str, model.Client], config_tokens: Optional[Mapping[str, str]]
+    discovery: model.Discovery, cfg: config.Config
 ) -> Mapping[str, model.Credentials]:
     """Loads client credentials from the environment or tokens loaded from the
     config.
     """
+    h2o_cloud_environment = discovery.environment.h2o_cloud_environment.rstrip("/")
+    config_matches = cfg.endpoint and h2o_cloud_environment == cfg.endpoint.rstrip("/")
     tokens: Mapping[str, str] = {}
-    if config_tokens is not None:
-        tokens = config_tokens
+    if config_matches and cfg.tokens is not None:
+        # Load tokens from the config only when the environments match.
+        tokens = cfg.tokens
 
     out = {}
-    for name, cl in clients.items():
+    for name, cl in discovery.clients.items():
         env_name = f"H2O_CLOUD_CLIENT_{name.upper()}_TOKEN"
         token = os.environ.get(env_name) or tokens.get(cl.oauth2_client_id)
         if token:

tests/_internal/load/test_load_credentials.py

@@ -1,6 +1,13 @@
 from h2o_discovery import model
+from h2o_discovery._internal import config
 from h2o_discovery._internal import load
 
+_ENVIRONMENT = model.Environment(
+    h2o_cloud_environment="https://example.com",
+    issuer_url="https://example.com",
+    h2o_cloud_platform_oauth2_scope=["scope1", "scope2"],
+)
+
 
 def test_load_credentials(monkeypatch):
     # Given
@@ -24,8 +31,11 @@ def test_load_credentials(monkeypatch):
     tokens = {"config-client-id": "config-token"}
     monkeypatch.setenv("H2O_CLOUD_CLIENT_ENV_CLIENT_TOKEN", "env-token")
 
+    discovery = model.Discovery(clients=clients, environment=_ENVIRONMENT, services={})
+    cfg = config.Config(tokens=tokens, endpoint=_ENVIRONMENT.h2o_cloud_environment)
+
     # When
-    result = load.load_credentials(clients=clients, config_tokens=tokens)
+    result = load.load_credentials(discovery=discovery, cfg=cfg)
 
     # Then
     assert result == {
@@ -34,3 +44,32 @@ def test_load_credentials(monkeypatch):
             client="config_client", refresh_token="config-token"
         ),
     }
+
+
+def test_load_credentials_not_loaded_from_config_for_different_environment(monkeypatch):
+    # Given
+    clients = {
+        "env_client": model.Client(
+            name="clients/env_client",
+            display_name="Env Client",
+            oauth2_client_id="env-client-id",
+        ),
+        "config_client": model.Client(
+            name="clients/config_client",
+            display_name="Config Client",
+            oauth2_client_id="config-client-id",
+        ),
+    }
+    tokens = {"config-client-id": "config-token"}
+    monkeypatch.setenv("H2O_CLOUD_CLIENT_ENV_CLIENT_TOKEN", "env-token")
+
+    discovery = model.Discovery(clients=clients, environment=_ENVIRONMENT, services={})
+    cfg = config.Config(tokens=tokens, endpoint="https://other.com")
+
+    # When
+    result = load.load_credentials(discovery=discovery, cfg=cfg)
+
+    # Then
+    assert result == {
+        "env_client": model.Credentials(client="env_client", refresh_token="env-token")
+    }