How to update a secret using the API?

Hello everyone.

I’ve managed to log in and read secrets using the API, but I’m stuck when trying to update one. The docs read the following:

“If the password you are updating has been shared with 7 users, the “secrets” key will need to be an array of 7 objects: You must encrypt and sign the new plaintext passwords using the recipient public key and the current user secret key”.

But, how do I retrieve the list of users that have access to a secret so that I can use their public keys? I’ve found no info about this.

Furthermore, I’ve tried to update a secret just accessible by me, and although the response seems to be correct, the secret does not change:

{"header":{"id":"", "status":"success", "servertime":1574754486, "title":"app_resources_update_success", "action":"","message":"The resource has been updated successfully.","url":"\/resources\/.json?api-version=v2","code":200}

Is there any example on how to update a secret? Can anyone help me?

Hi @pmadrid,

You can take a look at the /permissions/resource/{resourceId}.json endpoint in Swagger UI.

Note that if you are using /resources/{resourceId}.json, you should have a Permission serialized object in the body of the API response.

If you need an example, here is one: https://github.com/xwikisas/passbolt-toolbox/blob/248b5d3a0c17865f0c1fff3d01f242d0afc979f5/toolbox/renew.py#L89

Indeed, I also had that issue a while ago. Note that the data structure that you get when retrieving a password is different from the one that you need to send in order to update the password. Here is a sample of code that does the password update: https://github.com/xwikisas/passbolt-toolbox/blob/248b5d3a0c17865f0c1fff3d01f242d0afc979f5/toolbox/passbolt.py#L144

… and if you wonder how secretsPayload is made, please look at https://github.com/xwikisas/passbolt-toolbox/blob/248b5d3a0c17865f0c1fff3d01f242d0afc979f5/toolbox/renew.py#L114

Cheers,
Clément

Hi CAubin.

Thanks a lot for your answer, with your help I have indeed gone forward but I’m still unable to update a secret :frowning:

I’m stuck in the very last step. I’ve got a secret just for myself (no sharing, just my user) and I’m not able to change its password. Following your example, I’m sending a PUT with the following JSON:

{"name": "", "description": "", "secrets": [{"user_id": "<user_uuid>", "data": "<GPG_encrypted_password>"}]}

The server answers with a “200 OK” code, but in the body it’s the (encrypted) old password that the server sends to me instead of the new one.

On the other hand, documentation says the following:
You must encrypt and sign the new plaintext passwords using the recipient public key and the current user secret key.

Should I then sign the password, too? I’ve already tried but it doesn’t work either.

Thanks in advance.

Hi @pmadrid; sorry for the late answer.

The json that you provided seems fine to me … I don’t think that you need to mention the name of the password to update (unless you’re changing it).

Hello @CAubin,

Thanks a lot for your help, finally I sorted out what the problem was. It was not that the JSON was incorrectly formed, but just a pure Python problem: I had constructed the JSON as a string instead of a Python dictionary/list.

The moment I did it correctly, it started to work.

Thanks!
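
The update body discussed in this thread, as an added example (not code from the thread or from passbolt-toolbox): it builds the payload as a Python dictionary with one "secrets" entry per user who has access, and checks a serialized body before it is sent. `build_update_payload`, `body_problems`, `fake_encrypt` and the sample IDs are hypothetical names and constructed data; `fake_encrypt` stands in for the real OpenPGP encrypt-and-sign step, and the double-encoding case assumes a client that JSON-encodes whatever it is given.

```python
import json

PGP_HEADER = "-----BEGIN PGP MESSAGE-----"

def build_update_payload(new_password, recipients, encrypt_for, **metadata):
    """Return the PUT body as a dict: one "secrets" entry per user with access.

    recipients: (user_id, public_key) pairs, e.g. taken from the resource's
    permissions. encrypt_for(plaintext, public_key) is a hypothetical callable
    returning the armored OpenPGP message for that user.
    """
    secrets, seen = [], set()
    for user_id, public_key in recipients:
        if user_id in seen:
            raise ValueError(f"duplicate recipient {user_id}")
        seen.add(user_id)
        secrets.append({"user_id": user_id,
                        "data": encrypt_for(new_password, public_key)})
    if not secrets:
        raise ValueError("a secret update needs at least one recipient")
    return {**metadata, "secrets": secrets}

def body_problems(body, expected_user_ids):
    """Decode a serialized request body and list what is wrong with it."""
    decoded = json.loads(body)
    if not isinstance(decoded, dict):
        return [f"body decodes to {type(decoded).__name__}, not a JSON object"]
    entries = decoded.get("secrets")
    if not isinstance(entries, list) or not all(isinstance(e, dict) for e in entries):
        return ['"secrets" must be a list of objects']
    problems = []
    missing = set(expected_user_ids) - {e.get("user_id") for e in entries}
    if missing:
        problems.append("no secret for: " + ", ".join(sorted(missing)))
    for e in entries:
        if not str(e.get("data", "")).startswith(PGP_HEADER):
            problems.append(f"data for {e.get('user_id')} is not an armored message")
    return problems

def fake_encrypt(plaintext, public_key):
    # Constructed placeholder: a real client encrypts and signs with OpenPGP here.
    return f"{PGP_HEADER}\n<ciphertext for {public_key}>\n-----END PGP MESSAGE-----"

# Constructed sample: a secret shared with two users.
RECIPIENTS = [("user-uuid-1", "pubkey-1"), ("user-uuid-2", "pubkey-2")]
USER_IDS = [user_id for user_id, _ in RECIPIENTS]
payload = build_update_payload("n3w-passw0rd", RECIPIENTS, fake_encrypt)
good_body = json.dumps(payload)          # dict serialized once: a JSON object
double_encoded = json.dumps(good_body)   # string serialized again: a JSON string

if __name__ == "__main__":
    print(body_problems(good_body, USER_IDS))
    print(body_problems(double_encoded, USER_IDS))
```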