
[TT-13375] Improved Upstream Auth validation rules #6694

Merged: 1 commit merged into master from TT-13375-validate-oauth-pwd-fields, Nov 6, 2024

Conversation

lghiur
Member

@lghiur lghiur commented Nov 6, 2024

User description

TT-13375
  • Summary: Validate Upstream Auth settings
  • Type: Story
  • Status: Ready for Testing
  • Points: N/A
  • Labels: -

https://tyktech.atlassian.net/browse/TT-13375

Description

Made Upstream Auth basic auth fields required: pwd, username and header
Made Upstream Oauth enabled and allowedAuthorizeTypes required


PR Type

enhancement


Description

  • Enhanced validation rules for Upstream Basic Authentication by making username and password fields required.
  • Changed the headerName field to header in X-Tyk-UpstreamBasicAuthentication, referencing X-Tyk-AuthSource.
  • Updated X-Tyk-UpstreamOAuth to require allowedAuthorizeTypes and allow extraMetadata to be null.

Changes walkthrough 📝

Relevant files

Enhancement: apidef/oas/schema/x-tyk-api-gateway.json (+23/-7)
Enhance validation rules for Upstream Auth configurations

  • Made username and password fields required in X-Tyk-UpstreamBasicAuthentication.
  • Changed headerName to header with a reference to X-Tyk-AuthSource.
  • Made allowedAuthorizeTypes required in X-Tyk-UpstreamOAuth.
  • Allowed extraMetadata to be null in X-Tyk-UpstreamOAuth.

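The PR description above lists the new rules in prose only. The following is an added example, not Tyk's code or schema loader: a dependency-free checker that encodes those rules (username, password and header required for basic auth; enabled and allowedAuthorizeTypes required for OAuth; allowedAuthorizeTypes and extraMetadata accepting null) and runs them over constructed sample configurations, so the difference between a missing field, an explicit null and an unsupported enum value is visible. Field names are the ones named in the PR; the shape of X-Tyk-AuthSource (treated as a plain object), the sample values, and the error-message wording are assumptions.

```python
# Added example (not Tyk's code): a dependency-free checker that encodes the
# upstream-auth rules this PR adds to x-tyk-api-gateway.json, so the effect
# of "required" and of "type": ["array", "null"] can be seen on sample input.
# Field names come from the PR description; the shape of X-Tyk-AuthSource is
# an assumption (treated here as a plain object), as is the wording of the
# error messages.
from typing import Any, Dict, List

# Subset of X-Tyk-UpstreamBasicAuthentication after the PR: username,
# password and header are required alongside enabled.
BASIC_AUTH_SCHEMA: Dict[str, Any] = {
    "required": ["enabled", "username", "password", "header"],
    "properties": {
        "enabled": {"type": ["boolean"]},
        "username": {"type": ["string"]},
        "password": {"type": ["string"]},
        # In the real schema this is "$ref": "#/definitions/X-Tyk-AuthSource";
        # assumed here to resolve to an object.
        "header": {"type": ["object"]},
    },
}

# Subset of X-Tyk-UpstreamOAuth after the PR: allowedAuthorizeTypes is
# required but may be null; extraMetadata may be null.
OAUTH_SCHEMA: Dict[str, Any] = {
    "required": ["enabled", "allowedAuthorizeTypes"],
    "properties": {
        "enabled": {"type": ["boolean"]},
        "allowedAuthorizeTypes": {
            "type": ["array", "null"],
            "items_enum": ["clientCredentials"],  # only enum value on the page
        },
        "extraMetadata": {"type": ["array", "null"]},
    },
}

# JSON Schema type name -> Python predicate. bool gets its own check because
# isinstance(True, int) is True in Python.
_TYPE_CHECKS = {
    "boolean": lambda v: isinstance(v, bool),
    "string": lambda v: isinstance(v, str),
    "object": lambda v: isinstance(v, dict),
    "array": lambda v: isinstance(v, list),
    "null": lambda v: v is None,
}


def validate(config: Dict[str, Any], schema: Dict[str, Any]) -> List[str]:
    """Return a list of validation errors (empty when the config is valid).

    Only the keywords the PR touches are implemented: required, a list of
    allowed types per property, and an enum constraint on array items.
    """
    errors: List[str] = []
    for name in schema["required"]:
        if name not in config:
            errors.append(f"missing required field: {name}")
    for name, rule in schema["properties"].items():
        if name not in config:
            continue  # optional field left out, nothing to check
        value = config[name]
        if not any(_TYPE_CHECKS[t](value) for t in rule["type"]):
            errors.append(
                f"{name}: expected {'/'.join(rule['type'])}, got {type(value).__name__}"
            )
            continue
        # A null here is valid per the schema, so the consuming code, not the
        # schema, must decide what null means (e.g. "nothing permitted").
        if isinstance(value, list) and "items_enum" in rule:
            for item in value:
                if item not in rule["items_enum"]:
                    errors.append(f"{name}: unsupported value {item!r}")
    return errors


# Constructed sample configurations (not taken from any real deployment).
SAMPLES: Dict[str, Dict[str, Any]] = {
    "basic_ok": {
        "enabled": True,
        "username": "svc-account",
        "password": "placeholder-secret",
        "header": {"enabled": True, "name": "Authorization"},
    },
    # The case the PR closes: enabled with a username but no password/header.
    "basic_incomplete": {"enabled": True, "username": "svc-account"},
    "oauth_null_types": {"enabled": True, "allowedAuthorizeTypes": None},
    "oauth_missing_types": {"enabled": True},
    "oauth_bad_type": {"enabled": True, "allowedAuthorizeTypes": ["password"]},
}


def check_samples() -> Dict[str, List[str]]:
    """Validate every sample against the schema it targets."""
    return {
        name: validate(cfg, BASIC_AUTH_SCHEMA if name.startswith("basic") else OAUTH_SCHEMA)
        for name, cfg in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, errs in check_samples().items():
        print(f"{name}: {'valid' if not errs else '; '.join(errs)}")
```

Running the module prints one line per sample; `basic_incomplete` is rejected at validation time rather than surfacing later as an upstream request sent with an empty password, and `oauth_null_types` passes, which is why the consuming code needs an explicit branch for the null case.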

    @buger
    Member

    buger commented Nov 6, 2024

    I'm a bot and I 👍 this PR title. 🤖

    Contributor

    github-actions bot commented Nov 6, 2024

    PR Reviewer Guide 🔍

    Here are some key observations to aid the review process:

    ⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
    🧪 No relevant tests
    🔒 No security concerns identified
    ⚡ Recommended focus areas for review

    Schema Consistency
    The change from 'headerName' to 'header' and its reference to '#/definitions/X-Tyk-AuthSource' might cause issues if not properly validated across all consuming services that use this schema.

    Required Fields
    The addition of 'username' and 'password' to the required fields list for 'X-Tyk-UpstreamBasicAuthentication' needs thorough testing to ensure it does not break existing configurations where these fields might not be present.

    Data Type Changes
    The change allowing 'allowedAuthorizeTypes' and 'extraMetadata' to be null could lead to unexpected behaviors if the handling of these null values is not properly implemented in the consuming logic.

    Contributor

    github-actions bot commented Nov 6, 2024

    API Changes

    no api changes detected

    Contributor

    github-actions bot commented Nov 6, 2024

    PR Code Suggestions ✨

    Explore these optional code suggestions:

Category | Suggestion | Score
    Security
    Review required fields for security implications

    Review the necessity of including password in the required fields for
    X-Tyk-UpstreamBasicAuthentication to ensure it aligns with security best practices.

    apidef/oas/schema/x-tyk-api-gateway.json [2036-2038]

     "required": [
       "enabled",
    -  "username",
    -  "password"
    +  "username"
     ]
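Review bot: dropping "password" from the required list weakens the validation this PR sets out to add rather than improving security: a basic-auth block with "enabled": true and a username but no password would then pass schema validation and fail, if at all, only when the gateway tries to authenticate upstream. Least privilege concerns what a credential may do, not whether a field is declared required in a schema; keep "password" required alongside "username".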
    Suggestion importance[1-10]: 6

    Why: The suggestion to review the inclusion of 'password' in the required fields is significant for security best practices. Removing 'password' from required fields could enhance security if not needed mandatorily, aligning with least privilege principles.

    Enhancement
    Verify and update enum values for authorization types

    Ensure that the allowedAuthorizeTypes field's enum values are exhaustive and
    correctly reflect the supported authorization types.

    apidef/oas/schema/x-tyk-api-gateway.json [2055]

     "enum": [
    -  "clientCredentials"
    +  "clientCredentials",
    +  "additionalType"
     ]
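Review bot: "additionalType" is a placeholder, not an authorize type that the PR or the gateway documents; adding an enum value the consuming code does not implement would let an API definition validate while the gateway cannot honour it. Extend the enum only when a new type is actually supported, and keep "clientCredentials" as the sole value until then.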
    Suggestion importance[1-10]: 3

    Why: This suggestion is useful for ensuring that the enum values for authorization types are comprehensive. However, it assumes there are missing types without specific evidence from the PR context, making it less impactful unless further information is provided.

    Possible issue
    Ensure correct schema references to avoid errors

    Ensure that the $ref to X-Tyk-AuthSource in the header property is correctly defined
    in the schema to avoid reference errors.

    apidef/oas/schema/x-tyk-api-gateway.json [2080-2081]

    +"header": {
    +  "$ref": "#/definitions/X-Tyk-AuthSource"
    +}
     
    -
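Review bot: the hunk shows only the new "header" property; the "$ref" resolves only if X-Tyk-AuthSource is defined under "#/definitions" in the same file, which this suggestion does not verify. A test that loads the schema and validates a sample API definition containing a "header" block would catch a dangling reference, and would also give the PR the coverage on new code that the quality gate reports as missing.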
    Suggestion importance[1-10]: 1

    Why: The suggestion to ensure correct schema references is valid but does not propose any change or detect an actual issue in the PR. It only advises checking the reference, which is already correctly implemented in the PR.

    Confirm support for multiple types to prevent mismatches

    Verify that the type field for allowedAuthorizeTypes and extraMetadata correctly
    supports both 'array' and 'null' to prevent type mismatches.

    apidef/oas/schema/x-tyk-api-gateway.json [2074-2076]

    +"type": [
    +  "array",
    +  "null"
    +]
     
    -
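Review bot: with "null" accepted for "allowedAuthorizeTypes" while the field is also required, an explicit null is now a valid value distinct from an empty array; the consuming logic has to define whether null means "no authorize types permitted" or "not configured", otherwise a null could end up treated as "any type". Worth a test case for the null branch alongside the array one.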
    Suggestion importance[1-10]: 1

    Why: This suggestion is valid as it emphasizes the importance of supporting both 'array' and 'null' types. However, the PR already implements this correctly, so the suggestion does not lead to any change or improvement.



    sonarcloud bot commented Nov 6, 2024

Quality Gate failed

    Failed conditions
    0.0% Coverage on New Code (required ≥ 80%)

    See analysis details on SonarCloud

    @lghiur lghiur merged commit d7bed08 into master Nov 6, 2024
    35 of 40 checks passed
    @lghiur lghiur deleted the TT-13375-validate-oauth-pwd-fields branch November 6, 2024 10:21