onebusaway-api-key-cli: created API keys are non-functional due to empty credentials #455

@aaronbrethorst

Summary

API keys created via onebusaway-api-key-cli (v2.7.0) are non-functional. Requests made with CLI-created keys return 401 permission denied.

Root Cause

ApiKeyCliMain.doCreate() passes an empty string "" as the credentials argument to UserService.getOrCreateUserForIndexKey():

// Current behavior (decompiled bytecode at offset 146 in doCreate):
userService.getOrCreateUserForIndexKey(indexKey, "", true);  // credentials = ""

// Expected behavior:
userService.getOrCreateUserForIndexKey(indexKey, keyValue, true);  // credentials = keyValue

This results in two problems in the database:

  1. Empty credentials column in oba_user_indices — all working API keys have credentials matching the key value, but CLI-created keys have an empty string.
  2. ROLE_ANONYMOUS instead of ROLE_USER in oba_user_roles_mapping — likely a downstream consequence of the empty credentials.

Steps to Reproduce

  1. Start OBA with a working bundle and database
  2. Create an API key via the CLI:
    java -jar onebusaway-api-key-cli-withAllDependencies.jar create \
      --config /path/to/data-sources.xml --key foo
    
    CLI reports: API key created successfully: foo
  3. Call the API with the new key:
    curl "http://localhost:8080/api/where/current-time.json?key=foo"
    
    Returns: {"code": 401, "text": "permission denied"}

Expected Behavior

The API call should return 200 OK with valid data.

Workaround

Manually fix the database after key creation:

UPDATE oba_user_indices SET credentials='foo' WHERE value='foo';
UPDATE oba_user_roles_mapping SET roles_name='ROLE_USER' WHERE user_id=<user_id>;

Then restart the OBA server (keys are cached in memory).

Environment

  • onebusaway-api-key-cli v2.7.0 (withAllDependencies shaded JAR)
  • OBA API webapp v2.7.0
  • MySQL 8.4
  • JDK 11 (Tomcat 8.5.100)
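
An added example, not part of the original issue or the OneBusAway code: a read-only audit that lists every key showing the empty-credentials symptom described under Root Cause, together with its role, so all affected keys can be found before applying the workaround. It runs against an in-memory SQLite database with constructed rows standing in for the MySQL instance; the `user_id` column on `oba_user_indices` used for the join is an assumption, as are the function names.

```python
import sqlite3

# Standard SQL. Table and column names come from the issue, except
# oba_user_indices.user_id, which is an ASSUMED join column.
AUDIT_SQL = """
SELECT i.value, i.user_id, r.roles_name
FROM oba_user_indices i
LEFT JOIN oba_user_roles_mapping r ON r.user_id = i.user_id
WHERE i.credentials IS NULL OR i.credentials = ''
ORDER BY i.value
"""


def build_sample_db():
    """Constructed sample data: one healthy key, two broken ones."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE oba_user_indices (value TEXT, credentials TEXT, user_id INTEGER);
        CREATE TABLE oba_user_roles_mapping (user_id INTEGER, roles_name TEXT);
        INSERT INTO oba_user_indices VALUES
            ('good-key', 'good-key', 1),  -- credentials match the key value
            ('foo', '', 2),               -- empty credentials, as in the report
            ('bar', NULL, 3);             -- missing credentials, no role row
        INSERT INTO oba_user_roles_mapping VALUES
            (1, 'ROLE_USER'),
            (2, 'ROLE_ANONYMOUS');
    """)
    return conn


def find_broken_keys(conn):
    """Return keys with empty credentials and whether the role also needs fixing."""
    cur = conn.cursor()
    cur.execute(AUDIT_SQL)
    return [
        {
            "key": value,
            "user_id": user_id,
            "role": role,  # None when no role row exists for the user
            "role_needs_fix": role != "ROLE_USER",
        }
        for value, user_id, role in cur.fetchall()
    ]


if __name__ == "__main__":
    for row in find_broken_keys(build_sample_db()):
        print(row)
```

The `user_id` reported for each row is the value the workaround's second `UPDATE` needs in place of `<user_id>`.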
