Merging to release-5.8: [TT-5588] [OAS] gateway apiKey import generates unnecessary object (#7270)

[buger]

User description

TT-5588 [OAS] gateway apiKey import generates unnecessary object (#7270)

User description

TT-5588

Summary	[OAS] gateway apiKey import generates unnecessary object
Type	Bug
Status	In Dev
Points	N/A
Labels	codilime_refined

---

Description

The header object is unnecessarily generated during creation of a Tyk
OAS API by importing an OpenAPI description with security scheme
defined.

Related Issue

Motivation and Context

How This Has Been Tested

Screenshots (if appropriate)

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing
  functionality to change)
• Refactoring or add test (improvements in base code or adds test
  coverage to functionality)

Checklist

• I ensured that the documentation is up to date
• I explained why this PR updates go.mod in detail with reasoning
  why it's required
• I would like a code coverage CI quality gate exception and have
  explained why

---

PR Type

Bug fix, Tests

---

Description

• Prevent AuthSources from being serialized in Token struct

• Update JSON serialization tags to exclude AuthSources

• Add test to verify AuthSources are not serialized

• Ensure unmarshalled Token omits AuthSources fields

---

Diagram Walkthrough

flowchart LR
  TokenStruct["Token struct"]
  Serialization["JSON Serialization"]
  TestCase["Test: AuthSources not serialized"]
  TokenStruct -- "exclude AuthSources from JSON" --> Serialization
  Serialization -- "verify exclusion" --> TestCase

Loading

File Walkthrough

	Relevant files
Bug fix	security.go Exclude AuthSources from Token JSON serialization                apidef/oas/security.go Changed JSON struct tag for AuthSources to exclude from serialization Prevents AuthSources from appearing in serialized JSON output +1/-1
Tests	security_test.go Add test for non-serialization of AuthSources in Token      apidef/oas/security_test.go Added test to ensure AuthSources fields are not serialized Verifies that Query, Header, and Cookie are nil after serialization round-trip +15/-0

---

---

PR Type

Bug fix, Tests

---

Description

• Stop serializing Token.AuthSources to JSON

• Update struct tag to json:"-"

• Add test validating non-serialization

• Ensure round-trip omits AuthSources fields

---

Diagram Walkthrough

flowchart LR
  Token["Token struct (AuthSources)"]
  JSON["JSON serialization"]
  Test["Test ensures omission"]
  Token -- "json:\"-\" on AuthSources" --> JSON
  JSON -- "round-trip marshal/unmarshal" --> Test

Loading

File Walkthrough

	Relevant files
Bug fix	security.go Exclude AuthSources from Token JSON                                            apidef/oas/security.go Change Token.AuthSources JSON tag to json:"-". Prevent inline serialization of auth sources. +1/-1
Tests	security_test.go Test non-serialization of AuthSources                                        apidef/oas/security_test.go Add JSON round-trip test for Token. Verify Query, Header, Cookie remain nil after marshal/unmarshal. Import encoding/json for serialization. +15/-0

---

[github-actions]

API Changes

--- prev.txt	2025-08-11 09:23:36.540342635 +0000
+++ current.txt	2025-08-11 09:23:32.046325981 +0000
@@ -4505,7 +4505,7 @@
 	Enabled bool `bson:"enabled" json:"enabled"` // required
 
 	// AuthSources contains the configuration for authentication sources.
-	AuthSources `bson:",inline" json:",inline"`
+	AuthSources `bson:",inline" json:"-"`
 
 	// EnableClientCertificate allows to create dynamic keys based on certificates.
 	//

[github-actions]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Preserve unmarshaling while omitting output Using json:"-" removes AuthSources from all JSON serializations, which may break upstream consumers that rely on reading these fields. If the intent is to skip only marshaling while still allowing unmarshaling, implement custom MarshalJSON that omits AuthSources but a UnmarshalJSON that populates it. apidef/oas/security.go [33] -AuthSources `bson:",inline" json:"-"` +type Token struct { + Enabled bool `bson:"enabled" json:"enabled"` + AuthSources `bson:",inline" json:"-"` + // ... other fields ... +} +func (t Token) MarshalJSON() ([]byte, error) { + type alias Token + type view struct { + Enabled bool `json:"enabled"` + // add other exported fields that should be serialized, excluding AuthSources + } + v := view{ + Enabled: t.Enabled, + } + return json.Marshal(v) +} + +func (t *Token) UnmarshalJSON(data []byte) error { + type alias Token + // First unmarshal to alias to keep all fields (including AuthSources) available + aux := struct { + Enabled bool `json:"enabled"` + // include other serialized fields + // inline sources to allow their presence without emitting them + Query *AuthSource `json:"query,omitempty"` + Header *AuthSource `json:"header,omitempty"` + Cookie *AuthSource `json:"cookie,omitempty"` + }{} + if err := json.Unmarshal(data, &aux); err != nil { + return err + } + t.Enabled = aux.Enabled + // preserve ability to accept incoming AuthSources if present + t.Query = aux.Query + t.Header = aux.Header + t.Cookie = aux.Cookie + return nil +} + Suggestion importance[1-10]: 3 __ Why: The existing code intentionally uses json:"-" and the test asserts that AuthSources fields are not serialized, aligning with the PR’s goal. Proposing custom Marshal/Unmarshal is unnecessary and potentially overcomplicates the model without demonstrated need; it may also contradict the test that ensures these fields are omitted.	Low

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud