Merging to release-5.7: [TT-13535/TT-13566] Make upstream oauth flow client secret omitempty (#6708)

[buger]

User description

[TT-13535/TT-13566] Make upstream oauth flow client secret omitempty (#6708)

User description

TT-13566

Summary	Make upstream auth oauth password client secret not required in oas schema
Type	Sub-task
Status	Ready for Testing
Points	N/A
Labels	-

---

Description

Make upstream oauth flow client secret omitempty to not break when an
API is created without clientSecret and saved later.

Related Issue

Parent: https://tyktech.atlassian.net/browse/TT-13535
Subtask: https://tyktech.atlassian.net/browse/TT-13566

Motivation and Context

How This Has Been Tested

Screenshots (if appropriate)

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing
  functionality to change)
• Refactoring or add test (improvements in base code or adds test
  coverage to functionality)

Checklist

• I ensured that the documentation is up to date
• I explained why this PR updates go.mod in detail with reasoning
  why it's required
• I would like a code coverage CI quality gate exception and have
  explained why

---

PR Type

enhancement

---

Description

• Updated the ClientAuthData struct in apidef/api_definitions.go to
  make the ClientSecret field optional by adding the omitempty tag.
• This change prevents errors when an API is created without a
  clientSecret and saved later.

---

Changes walkthrough 📝

	Relevant files
Enhancement	api_definitions.go Make `ClientSecret` optional in OAuth client auth data      apidef/api_definitions.go Made ClientSecret field optional by adding omitempty tag. Updated JSON and BSON tags for ClientSecret to reflect optional status. +1/-1

---

💡 PR-Agent usage: Comment /help "your question" on any pull
request to receive relevant information

---

PR Type

Enhancement, Tests

---

Description

• Made the ClientSecret field optional in multiple files by adding the omitempty tag, ensuring it is not required for OAuth password flow.
• Updated the OpenAPI schema to remove client_secret from the list of required fields.
• Added tests to validate the schema with the optional ClientSecret field.

---

Changes walkthrough 📝

	Relevant files
Enhancement	api_definitions.go Make `ClientSecret` optional in OAuth client auth data      apidef/api_definitions.go Made ClientSecret field optional by adding omitempty tag. Updated JSON and BSON tags for ClientSecret to reflect optional status. +1/-1      upstream.go Make `ClientSecret` optional in OAuth client auth data      apidef/oas/upstream.go Made ClientSecret field optional by adding omitempty tag. Updated JSON and BSON tags for ClientSecret to reflect optional status. +1/-1      schema.go Update schema to make `ClientSecret` optional                        apidef/schema.go Removed client_secret from required fields in schema. +0/-1
Tests	api_definitions_test.go Add tests for optional `ClientSecret` in schema                    apidef/api_definitions_test.go Added test setup for UpstreamAuth with ClientSecret. Ensured schema validation with optional ClientSecret. +22/-0

---

💡 PR-Agent usage: Comment /help "your question" on any pull request to receive relevant information

[github-actions]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🎫 Ticket compliance analysis ✅ 6708 - Fully compliant Fully compliant requirements: Made the ClientSecret field optional in the ClientAuthData struct. Not compliant requirements: []

⏱️ Estimated effort to review: 1 🔵⚪⚪⚪⚪

🧪 No relevant tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Code Consistency Ensure that the changes made to the ClientSecret field are consistent across all relevant files and schemas.

[github-actions]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Score
Best practice	Replace hardcoded sensitive data in tests with dynamic values Replace the hardcoded 'dummy' client secret in tests with a variable or a function that can generate dynamic values to better simulate real-world scenarios and avoid potential misuse of hardcoded sensitive data in the test environment. apidef/api_definitions_test.go [24] -ClientSecret: "dummy", // workaround to fix schema error +ClientSecret: generateTestClientSecret(), // dynamically generate client secret for testing Suggestion importance[1-10]: 7 Why: Replacing hardcoded sensitive data with dynamically generated values in tests enhances security and realism, which is a good practice especially for sensitive data like client secrets.	7
Possible issue	Ensure proper handling of optional ClientSecret to avoid runtime errors Ensure that the optional nature of ClientSecret in ClientAuthData is handled appropriately in all parts of the application where ClientAuthData is used, to prevent runtime errors due to nil or empty values. apidef/api_definitions.go [852] -ClientSecret string `bson:"client_secret,omitempty" json:"client_secret,omitempty"` // client secret is optional for password flow +ClientSecret string `bson:"client_secret,omitempty" json:"client_secret,omitempty"` // Ensure handling of optional ClientSecret throughout the application Suggestion importance[1-10]: 5 Why: The suggestion to ensure proper handling of an optional field is valid to prevent potential runtime errors. However, it lacks specific implementation details and is more of a cautionary note than a direct code improvement.	5