DopplerHQ / cli

The official CLI for interacting with your Doppler secrets and configuration.
https://docs.doppler.com
Apache License 2.0

[BUG] Updates to secret notes clobbers ALL notes with the same secret name #447

Closed jamrok closed 5 months ago

jamrok commented 5 months ago

Describe the bug

The v3/configs/config/secrets/note API endpoint seems to have a bug/feature where it is overwriting the Secret Note for all secrets across different configs that share the same Secret Name.

I checked the code in your public repos and all references pointed to your API and provided the required project and config parameters; however, the config parameter is being ignored at the API level.

I found one place in your documentation that says that "Notes are scoped at the project level" and that does match the behavior that I am seeing, hence it might be an "old feature" and not a bug, since it was also demoed. However, it seems that the expectation for at least 2 years is that both the project and config fields should be respected.

To Reproduce

This issue occurs via the Doppler CLI command and via the Web UI since it is a problem with the API Server.

Below is the command to reproduce using the CLI:

$ doppler --debug secrets notes set -p test_project -c dev USERNAME "Test Note"

Debug: Reading config file
Debug: Retrieving token from system keyring
Debug: Sending anonymous analytics payload: '{"command":"doppler.secrets.notes.set"}'
Debug: Performing HTTP POST to https://cli.doppler.com/v1/analytics
Debug: Performing HTTP POST to https://api.doppler.com/v3/configs/config/secrets/note?config=dev&project=test_project
┌──────────┬────────────┐
│ NAME     │ NOTE       │
├──────────┼────────────┤
│ USERNAME │ Test Note  │
└──────────┴────────────┘

When the above command is run, all secrets with the name USERNAME in all other configs have their note overwritten with the note that was set above.

The same happens when editing secret notes in the Web UI.

If I don't specify the config parameter, I get this error:

Unable to set secret note
Doppler Error: You must specify a config

If I specify a non-existing config (e.g. -c anything), I get the following:

Unable to set secret note
Doppler Error: Could not find requested config 'anything'

This suggests that the config field should be significant.

Expected behavior

Thanks!

Screenshots

N/A

Desktop:

CLI Version: Version 3.66.5

Additional context

watsonian commented 5 months ago

@jamrok Thanks for reporting this! Unfortunately, this is due to an idiosyncrasy of how the API works right now. Notes are project-level and apply to every secret with the same name across all configs. However, to access the secret, a config is required initially based on the backend API right now. We know this is confusing and it's something we hope to change in a future version of the API. For now, I'm afraid there's not much we'll be able to do here until the next version of the API. We'll see what we can do about updating the documentation to better communicate this though!
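
A small model of the behaviour described in this thread, added here as an illustration and not taken from either commenter or from Doppler's code: the config is validated on every request, but the note is keyed by project and secret name only. The class and function names and the `stg`/`prd` config names are assumptions; the error strings are the ones quoted in the report.

```python
# Toy model of the note scoping described in this thread. Constructed for
# illustration; it is not Doppler's server code.

class DopplerError(Exception):
    pass

# Constructed sample: "stg" and "prd" are assumed config names.
SAMPLE = {"test_project": {"dev": {"USERNAME", "API_KEY"},
                           "stg": {"USERNAME"},
                           "prd": {"USERNAME", "API_KEY"}}}

class NoteStore:
    def __init__(self, configs, scope="project"):
        self.configs = configs  # {project: {config: {secret names}}}
        self.scope = scope      # "project" = reported, "config" = expected
        self.notes = {}

    def key(self, project, config, name):
        # Project scope drops the config from the storage key.
        if self.scope == "project":
            return (project, name)
        return (project, config, name)

    def _validate(self, project, config):
        # The config is checked on every call, which is why it looks significant.
        if not config:
            raise DopplerError("You must specify a config")
        if config not in self.configs.get(project, {}):
            raise DopplerError(f"Could not find requested config '{config}'")

    def set_note(self, project, config, name, note):
        self._validate(project, config)
        self.notes[self.key(project, config, name)] = note

    def get_note(self, project, config, name):
        self._validate(project, config)
        return self.notes.get(self.key(project, config, name), "")

def configs_sharing_note(store, project, config, name):
    """Configs whose secret `name` is backed by the same note record."""
    target = store.key(project, config, name)
    return sorted(c for c, names in store.configs[project].items()
                  if name in names and store.key(project, c, name) == target)

if __name__ == "__main__":
    store = NoteStore(SAMPLE)
    store.set_note("test_project", "prd", "USERNAME", "prod note")
    store.set_note("test_project", "dev", "USERNAME", "Test Note")
    print(store.get_note("test_project", "prd", "USERNAME"))
    print(configs_sharing_note(store, "test_project", "dev", "USERNAME"))
```

Running `configs_sharing_note` before a `set_note` shows which configs a single note edit will touch under each scoping model.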