fix: keep smtp_pass consistent in auth config.

Author: JEETDESAI25

internal/provider/settings_resource.go

@@ -312,15 +312,19 @@ func readAuthConfig(ctx context.Context, state *SettingsResourceModel, client *a
 		msg := fmt.Sprintf("Unable to read auth settings, got status %d: %s", httpResp.StatusCode(), httpResp.Body)
 		return diag.Diagnostics{diag.NewErrorDiagnostic("Client Error", msg)}
 	}
-	// API treats sensitive fields as write-only
-	var body LocalAuthConfig
+	// API treats sensitive fields as write-only, preserve them from state
+	var stateBody LocalAuthConfig
 	if !state.Auth.IsNull() {
-		if diags := state.Auth.Unmarshal(&body); diags.HasError() {
+		if diags := state.Auth.Unmarshal(&stateBody); diags.HasError() {
 			return diags
 		}
 	}
-	body.overrideSensitiveFields(httpResp.JSON200)
-	if state.Auth, err = parseConfig(state.Auth, *httpResp.JSON200); err != nil {
+	// Convert response to UpdateAuthConfigBody type for consistent marshaling
+	resultBody := convertAuthResponse(ctx, httpResp.JSON200)
+	// Override sensitive fields with values from state
+	copySensitiveFields(stateBody.UpdateAuthConfigBody, &resultBody)
+
+	if state.Auth, err = parseConfig(state.Auth, resultBody); err != nil {
 		msg := fmt.Sprintf("Unable to read auth settings, got error: %s", err)
 		return diag.Diagnostics{diag.NewErrorDiagnostic("Client Error", msg)}
 	}
@@ -342,11 +346,12 @@ func updateAuthConfig(ctx context.Context, plan *SettingsResourceModel, client *
 		msg := fmt.Sprintf("Unable to update auth settings, got status %d: %s", httpResp.StatusCode(), httpResp.Body)
 		return diag.Diagnostics{diag.NewErrorDiagnostic("Client Error", msg)}
 	}
+	// Convert response to UpdateAuthConfigBody type for consistent marshaling
+	resultBody := convertAuthResponse(ctx, httpResp.JSON200)
 	// Copy over sensitive fields from TF plan
-	local := LocalAuthConfig{UpdateAuthConfigBody: body}
-	local.overrideSensitiveFields(httpResp.JSON200)
+	copySensitiveFields(body, &resultBody)
 
-	if plan.Auth, err = parseConfig(plan.Auth, *httpResp.JSON200); err != nil {
+	if plan.Auth, err = parseConfig(plan.Auth, resultBody); err != nil {
 		msg := fmt.Sprintf("Unable to update auth settings, got error: %s", err)
 		return diag.Diagnostics{diag.NewErrorDiagnostic("Client Error", msg)}
 	}
@@ -460,44 +465,69 @@ type LocalAuthConfig struct {
 	api.UpdateAuthConfigBody
 }
 
-func (c LocalAuthConfig) overrideSensitiveFields(resp *api.AuthConfigResponse) {
+// convertAuthResponse converts AuthConfigResponse to UpdateAuthConfigBody using JSON marshaling.
+// This ensures we use consistent JSON tags (with omitempty) for marshaling.
+func convertAuthResponse(ctx context.Context, resp *api.AuthConfigResponse) api.UpdateAuthConfigBody {
+	// Marshal the response to JSON and unmarshal into UpdateAuthConfigBody
+	// This handles field mapping and type conversions automatically
+	data, err := json.Marshal(resp)
+	if err != nil {
+		tflog.Error(ctx, "Failed to marshal auth config response", map[string]interface{}{
+			"error": err.Error(),
+		})
+		return api.UpdateAuthConfigBody{}
+	}
+
+	var body api.UpdateAuthConfigBody
+	if err := json.Unmarshal(data, &body); err != nil {
+		tflog.Error(ctx, "Failed to unmarshal auth config to UpdateAuthConfigBody", map[string]interface{}{
+			"error": err.Error(),
+		})
+		return api.UpdateAuthConfigBody{}
+	}
+
+	return body
+}
+
+// copySensitiveFields copies sensitive field values from source to target.
+func copySensitiveFields(source api.UpdateAuthConfigBody, target *api.UpdateAuthConfigBody) {
 	// Email provider secrets
-	resp.SmtpPass = c.SmtpPass
+	target.SmtpPass = source.SmtpPass
 	// SMS provider secrets
-	resp.SmsTwilioAuthToken = c.SmsTwilioAuthToken
-	resp.SmsTwilioVerifyAuthToken = c.SmsTwilioVerifyAuthToken
-	resp.SmsMessagebirdAccessKey = c.SmsMessagebirdAccessKey
-	resp.SmsTextlocalApiKey = c.SmsTextlocalApiKey
-	resp.SmsVonageApiSecret = c.SmsVonageApiSecret
+	target.SmsTwilioAuthToken = source.SmsTwilioAuthToken
+	target.SmsTwilioVerifyAuthToken = source.SmsTwilioVerifyAuthToken
+	target.SmsMessagebirdAccessKey = source.SmsMessagebirdAccessKey
+	target.SmsTextlocalApiKey = source.SmsTextlocalApiKey
+	target.SmsVonageApiSecret = source.SmsVonageApiSecret
 	// Captcha provider secrets
-	resp.SecurityCaptchaSecret = c.SecurityCaptchaSecret
+	target.SecurityCaptchaSecret = source.SecurityCaptchaSecret
 	// External provider secrets
-	resp.ExternalAppleSecret = c.ExternalAppleSecret
-	resp.ExternalAzureSecret = c.ExternalAzureSecret
-	resp.ExternalBitbucketSecret = c.ExternalBitbucketSecret
-	resp.ExternalDiscordSecret = c.ExternalDiscordSecret
-	resp.ExternalFacebookSecret = c.ExternalFacebookSecret
-	resp.ExternalFigmaSecret = c.ExternalFigmaSecret
-	resp.ExternalGithubSecret = c.ExternalGithubSecret
-	resp.ExternalGitlabSecret = c.ExternalGitlabSecret
-	resp.ExternalGoogleSecret = c.ExternalGoogleSecret
-	resp.ExternalKakaoSecret = c.ExternalKakaoSecret
-	resp.ExternalKeycloakSecret = c.ExternalKeycloakSecret
-	resp.ExternalLinkedinOidcSecret = c.ExternalLinkedinOidcSecret
-	resp.ExternalNotionSecret = c.ExternalNotionSecret
-	resp.ExternalSlackOidcSecret = c.ExternalSlackOidcSecret
-	resp.ExternalSlackSecret = c.ExternalSlackSecret
-	resp.ExternalSpotifySecret = c.ExternalSpotifySecret
-	resp.ExternalTwitchSecret = c.ExternalTwitchSecret
-	resp.ExternalTwitterSecret = c.ExternalTwitterSecret
-	resp.ExternalWorkosSecret = c.ExternalWorkosSecret
-	resp.ExternalZoomSecret = c.ExternalZoomSecret
+	target.ExternalAppleSecret = source.ExternalAppleSecret
+	target.ExternalAzureSecret = source.ExternalAzureSecret
+	target.ExternalBitbucketSecret = source.ExternalBitbucketSecret
+	target.ExternalDiscordSecret = source.ExternalDiscordSecret
+	target.ExternalFacebookSecret = source.ExternalFacebookSecret
+	target.ExternalFigmaSecret = source.ExternalFigmaSecret
+	target.ExternalGithubSecret = source.ExternalGithubSecret
+	target.ExternalGitlabSecret = source.ExternalGitlabSecret
+	target.ExternalGoogleSecret = source.ExternalGoogleSecret
+	target.ExternalKakaoSecret = source.ExternalKakaoSecret
+	target.ExternalKeycloakSecret = source.ExternalKeycloakSecret
+	target.ExternalLinkedinOidcSecret = source.ExternalLinkedinOidcSecret
+	target.ExternalNotionSecret = source.ExternalNotionSecret
+	target.ExternalSlackOidcSecret = source.ExternalSlackOidcSecret
+	target.ExternalSlackSecret = source.ExternalSlackSecret
+	target.ExternalSpotifySecret = source.ExternalSpotifySecret
+	target.ExternalTwitchSecret = source.ExternalTwitchSecret
+	target.ExternalTwitterSecret = source.ExternalTwitterSecret
+	target.ExternalWorkosSecret = source.ExternalWorkosSecret
+	target.ExternalZoomSecret = source.ExternalZoomSecret
 	// Hook provider secrets
-	resp.HookCustomAccessTokenSecrets = c.HookCustomAccessTokenSecrets
-	resp.HookMfaVerificationAttemptSecrets = c.HookMfaVerificationAttemptSecrets
-	resp.HookPasswordVerificationAttemptSecrets = c.HookPasswordVerificationAttemptSecrets
-	resp.HookSendEmailSecrets = c.HookSendEmailSecrets
-	resp.HookSendSmsSecrets = c.HookSendSmsSecrets
+	target.HookCustomAccessTokenSecrets = source.HookCustomAccessTokenSecrets
+	target.HookMfaVerificationAttemptSecrets = source.HookMfaVerificationAttemptSecrets
+	target.HookPasswordVerificationAttemptSecrets = source.HookPasswordVerificationAttemptSecrets
+	target.HookSendEmailSecrets = source.HookSendEmailSecrets
+	target.HookSendSmsSecrets = source.HookSendSmsSecrets
 }
 
 type NetworkConfig struct {

internal/provider/settings_resource_test.go

@@ -4,10 +4,13 @@
 package provider
 
 import (
+	"bytes"
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
 	"net/http"
+	"strings"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
@@ -338,6 +341,73 @@ func unmarshalStateAttr(state *terraform.InstanceState, attr string) (map[string
 	return out, nil
 }
 
+func TestAccSettingsResource_SmtpPass(t *testing.T) {
+	// Setup mock api
+	defer gock.OffAll()
+	gock.New("https://api.supabase.com").
+		Get("/v1/projects/mayuaycdtijbctgqbycg/config/auth").
+		Reply(http.StatusOK).
+		JSON(api.AuthConfigResponse{
+			SiteUrl:           nullable.NewNullableWithValue("http://localhost:3000"),
+			MailerOtpExp:      3600,
+			MfaPhoneOtpLength: 6,
+			SmsOtpLength:      6,
+			SmtpAdminEmail:    nullable.NewNullNullable[openapi_types.Email](),
+		})
+	gock.New("https://api.supabase.com").
+		Patch("/v1/projects/mayuaycdtijbctgqbycg/config/auth").
+		AddMatcher(func(req *http.Request, _ *gock.Request) (bool, error) {
+			body, err := io.ReadAll(req.Body)
+			if err != nil {
+				return false, err
+			}
+			req.Body = io.NopCloser(bytes.NewBuffer(body))
+			bodyStr := string(body)
+			return strings.Contains(bodyStr, `"smtp_pass"`) &&
+				strings.Contains(bodyStr, `"secret_password_123"`), nil
+		}).
+		Reply(http.StatusOK).
+		JSON(api.AuthConfigResponse{
+			SiteUrl:           nullable.NewNullableWithValue("http://localhost:3000"),
+			MailerOtpExp:      3600,
+			MfaPhoneOtpLength: 6,
+			SmsOtpLength:      6,
+			SmtpAdminEmail:    nullable.NewNullNullable[openapi_types.Email](),
+		})
+	gock.New("https://api.supabase.com").
+		Get("/v1/projects/mayuaycdtijbctgqbycg/config/auth").
+		Reply(http.StatusOK).
+		JSON(api.AuthConfigResponse{
+			SiteUrl:           nullable.NewNullableWithValue("http://localhost:3000"),
+			MailerOtpExp:      3600,
+			MfaPhoneOtpLength: 6,
+			SmsOtpLength:      6,
+			SmtpAdminEmail:    nullable.NewNullNullable[openapi_types.Email](),
+		})
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: `
+resource "supabase_settings" "test" {
+  project_ref = "mayuaycdtijbctgqbycg"
+
+  auth = jsonencode({
+    site_url = "http://localhost:3000"
+    smtp_pass = "secret_password_123"
+  })
+}
+`,
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr("supabase_settings.test", "id", "mayuaycdtijbctgqbycg"),
+				),
+			},
+		},
+	})
+}
+
 const testAccSettingsResourceConfig = `
 resource "supabase_settings" "production" {
   project_ref = "mayuaycdtijbctgqbycg"