Bug in v2.0.7: updateContact method passes UpdateContact object instead of identifier to URL path
Bug Description
In version 2.0.7, the updateContact method is broken due to a parameter mix-up in the updateContactRequest method. The method is passing the UpdateContact object instead of the contact identifier to ObjectSerializer::toPathValue(), causing the entire object to be serialized and URL-encoded into the API endpoint path.
Expected Behavior
The API should call:
PUT https://api.brevo.com/v3/contacts/[email protected]
Actual Behavior
The API is calling:
PUT https://api.brevo.com/v3/contacts/%7B%0A%20%20%20%20%22attributes%22%3A%20%7B%0A%20%20%20%20%20%20%20%20%22PRODUCT%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%20%20%20%20%22Ultiself%22%0A%20%20%20%20%20%20%20%20%5D%0A%20%20%20%20%7D%2C%0A%20%20%20%20%22listIds%22%3A%20%5B%0A%20%20%20%20%20%20%20%2010%0A%20%20%20%20%5D%0A%7D
When URL-decoded, this becomes the entire UpdateContact object JSON instead of the email address.
Root Cause
File: lib/Api/ContactsApi.php
Line: 8189
Commit: https://github.com/getbrevo/brevo-php/commit/5f2fa9c548402839a2bf1ec66d79a3511ab0b27f#diff-5d012404021893b1b156cc7f6683906f3fc6a4bb030a314806af5cb589678c0a
Problem code:
Error Messages
This results in 400 Bad Request errors like:
[400] Client error: `PUT https://api.brevo.com/v3/contacts/%7B...` resulted in a `400 Bad Request` response:
{"message":"Unexpected token in JSON at position 0"}
Reproduction
// Composer autoloader (path assumed)
require __DIR__ . '/vendor/autoload.php';
use Brevo\Client\Api\ContactsApi;
use Brevo\Client\Configuration;
use Brevo\Client\Model\UpdateContact;
$config = Configuration::getDefaultConfiguration()->setApiKey('api-key', 'YOUR_API_KEY');
$contactsApi = new ContactsApi(new \GuzzleHttp\Client(), $config);
$updateContact = new UpdateContact();
$updateContact->setAttributes((object)['TEST' => 'value']);
// This will fail with URL encoding error
$contactsApi->updateContact('[email protected]', $updateContact);
Affected Versions
- v2.0.7 (broken)
- v2.0.6 and earlier (working)
Workaround
Downgrade to v2.0.6: composer require getbrevo/brevo-php:2.0.6
Changes to parameter order must be treated as a major release. We experienced a critical outage today due to this update (2.0.6 to 2.0.7, https://github.com/getbrevo/brevo-php/blob/5f2fa9c548402839a2bf1ec66d79a3511ab0b27f/docs/Api/ContactsApi.md). The issue was resolved by swapping the identifier and body parameters.
There are several other methods where the parameter order was also changed — fortunately, we haven’t used those yet.
If you plan to revert these changes, please make sure to document it clearly. Otherwise, we risk facing another incident.
Oh come on, are you serious? This crashed my webhooks and even my AI that found this issue in the brevo-php files expressed that it was shocked...
The response from their support
I have spoken to the technical team and they advised that 4XX errors indicate a coding error on your side. To confirm this, can you please use our API to update the contact instead of SDK? You can use this documentation:
It's stratospheric
Meanwhile the test
/**
* Test "UpdateContact"
*/
public function testUpdateContact()
{
}
So yeah, basically everyone following semver on their composer has this surprise since it has been tagged as "patch"
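A regression test that would catch this class of mix-up, as an added example (not part of the issue thread or of the SDK's own test suite): it routes updateContact through Guzzle's MockHandler and asserts on the captured request. The class name, the test key and the address jane@example.com are constructed; the call order is the one from the reproduction in this issue.

```php
<?php
// Added example: regression test, not part of the SDK's test suite.
use Brevo\Client\Api\ContactsApi;
use Brevo\Client\Configuration;
use Brevo\Client\Model\UpdateContact;
use GuzzleHttp\Client;
use GuzzleHttp\Handler\MockHandler;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Middleware;
use GuzzleHttp\Psr7\Response;
use PHPUnit\Framework\TestCase;

final class UpdateContactPathTest extends TestCase // hypothetical class name
{
    public function testIdentifierNotBodyEndsUpInUrlPath(): void
    {
        // Capture the outgoing request instead of sending it to the API.
        $history = [];
        $stack = HandlerStack::create(new MockHandler([new Response(204)]));
        $stack->push(Middleware::history($history));

        $config = Configuration::getDefaultConfiguration()->setApiKey('api-key', 'test-key');
        $api = new ContactsApi(new Client(['handler' => $stack]), $config);

        $identifier = 'jane@example.com'; // constructed sample address
        $update = new UpdateContact();
        $update->setAttributes((object) ['TEST' => 'value']);

        // Call order taken from the reproduction in this issue.
        $api->updateContact($identifier, $update);

        $this->assertCount(1, $history);
        $request = $history[0]['request'];
        $segments = explode('/', $request->getUri()->getPath());
        $last = rawurldecode(end($segments));

        $this->assertSame('PUT', $request->getMethod());
        // The last path segment must be the identifier, never serialized JSON.
        $this->assertSame($identifier, $last);
        $this->assertNull(json_decode($last), 'path segment decodes as JSON');

        // The model belongs in the request body, not in the URL.
        $body = json_decode((string) $request->getBody(), true);
        $this->assertIsArray($body);
        $this->assertArrayHasKey('attributes', $body);
    }
}
```

Because the request never leaves the process, the test can run in CI against every SDK update. A failure on the path assertion also means contact attributes are being placed in the URL, where proxies and access logs commonly record them.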
Still broken as of v2.0.10...
@simonhammes From my perspective, that's a good thing because I updated all my code already and reverting it would break it again... I just hope they learn from this and won't do something like that again in the future but since nobody reacted from them I guess that won't be the case.
Agree with that. We now check every Brevo update. We also have the feeling that the issues here actually matter to someone.