fix(auth-admin): Hide client secret native clients

[magnearun]

https://www.notion.so/Bug-Remove-ClientSecret-from-Native-apps-in-IDS-7efd495d0290439bb9df3aea265a4b88?pvs=4

https://www.notion.so/Bug-Secret-created-for-Native-app-client-ff4918b4682e4ababb8723fe0c9b8e9c?pvs=4

What

Hide ui or client secret in ids admin since native client should not have client secrets but until now we have being adding them regardless
Stop creating client secrets for native clients

Why

Native clients do not require client secrets

Screenshots / Gifs

Attach Screenshots / Gifs to help reviewers understand the scope of the pull request

Checklist:

• I have performed a self-review of my own code
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• Formatting passes locally with my changes
• I have rebased against main before asking for a review

Summary by CodeRabbit

• New Features

  • Enhanced client creation process to handle native client types more efficiently.
  • Added clientType prop to the BasicInfo component for improved data handling.

• Bug Fixes

  • Updated logic in BasicInfo to refine the criteria for displaying client secrets based on clientType.

• Documentation

  • Updated interface definitions to include new properties and enhance clarity on component usage.

[coderabbitai]

Walkthrough

The changes introduce modifications to the MeClientsController, EditClient, and BasicInfo components, focusing on the handling of client types during client creation and editing processes. A new import, ClientType, is added to the MeClientsController, affecting the control flow in the create method. The EditClient component is updated to pass a new clientType prop to BasicInfo, which also sees an updated interface to accommodate this new property and modifies its logic for determining client secrets based on the clientType.

Changes

File	Change Summary
apps/services/auth/admin-api/src/app/v2/clients/me-clients.controller.ts	- Added import of ClientType. - Modified create method to return the client early if clientType is native.
libs/portals/admin/ids-admin/src/screens/Client/EditClient.tsx	- Added clientType prop to BasicInfo component.
libs/portals/admin/ids-admin/src/screens/Client/components/BasicInfo.tsx	- Added import of AuthAdminClient. - Updated BasicInfoProps to include clientType. - Modified logic for hasClientSecrets based on clientType.

Possibly related PRs

• fix(auth-admin-web): remove delegation controls from old ids admin for client and api-scope #14999: The changes in ClientCreateForm.tsx involve client settings, which may relate to how clients are created and managed, similar to the modifications in the create method of MeClientsController.
• fix(auth-admin-api): Add missing env #15991: This PR adds an environment variable related to the auth admin API, which could be relevant to the overall client management and authentication process, although it does not directly modify client handling logic.
• feat(ids-api): Default scopes for clients #16476: The addition of default scopes for clients in this migration could relate to the handling of client types, which is a focus in the main PR's changes to client creation logic.
• fix(auth-admin): Use display name for api scope groups #16736: The update to use display names for API scope groups may connect to how client types and their associated scopes are represented, aligning with the changes in client handling in the main PR.

Suggested labels

automerge

Suggested reviewers

• GunnlaugurG
• magnearun

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 36.43%. Comparing base (e1dd2d5) to head (199faeb).
Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #16763      +/-   ##
==========================================
- Coverage   36.44%   36.43%   -0.02%     
==========================================
  Files        6852     6852              
  Lines      143559   143796     +237     
  Branches    40972    41089     +117     
==========================================
+ Hits        52326    52388      +62     
- Misses      91233    91408     +175     

Flag	Coverage Δ
api	3.34% <ø> (ø)
api-domains-auth-admin	48.48% <ø> (ø)
application-system-api	40.98% <ø> (ø)
application-template-api-modules	27.65% <ø> (ø)
services-auth-admin-api	52.49% <100.00%> (+<0.01%)	⬆️
services-auth-ids-api	52.09% <ø> (ø)
services-user-notification	46.91% <ø> (ø)
services-user-profile	61.87% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
...in-api/src/app/v2/clients/me-clients.controller.ts	95.55% <100.00%> (+0.20%)	⬆️

... and 78 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update e1dd2d5...199faeb. Read the comment docs.

[datadog-island-is]

Datadog Report

All test runs e8f8d32 🔗

✅ 4 Total Test Services: 0 Failed, 4 Passed
➡️ Test Sessions change in coverage: 8 no change

Test Services

Service Name	Failed	Known Flaky	New Flaky	Passed	Skipped	Total Time	Code Coverage Change	Test Service View
api	0	0	0	4	0	2.41s	1 no change	Link
api-domains-auth-admin	0	0	0	18	0	10.34s	1 no change	Link
portals-admin-ids-admin	0	0	0	2	0	7.08s	1 no change	Link
services-auth-admin-api	0	0	0	130	0	3m 10.2s	1 no change	Link

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (3)

apps/services/auth/admin-api/src/app/v2/clients/me-clients.controller.ts (1)

104-107: Consider moving client type check to ClientSecretsService

For better separation of concerns, consider moving the client type validation to the ClientSecretsService. This would:

• Encapsulate client secret creation rules in one place
• Make the controller thinner and more focused
• Make it easier to maintain and test

Example refactor:

 async create(
   @CurrentUser() user: User,
   @Param('tenantId') tenantId: string,
   @Body() input: AdminCreateClientDto,
 ): Promise<AdminClientDto> {
   const client = await this.clientsService.create(input, user, tenantId)
-  if (client.clientType === ClientType.native) {
-    return client
-  }
   await this.clientsSecretsService.create(tenantId, client.clientId)
   return client
 }

And in ClientSecretsService:

async create(tenantId: string, clientId: string): Promise<void> {
  const client = await this.clientsService.findByTenantIdAndClientId(tenantId, clientId);
  if (client.clientType === ClientType.native) {
    return;
  }
  // existing secret creation logic
}

libs/portals/admin/ids-admin/src/screens/Client/EditClient.tsx (1)

129-129: Consider adding prop type validation.

To improve type safety and reusability across NextJS apps (as per coding guidelines), consider adding PropTypes or TypeScript prop validation for the clientType prop in the BasicInfo component.

- clientType={client.clientType}
+ clientType={client.clientType as AuthAdminClientType}

libs/portals/admin/ids-admin/src/screens/Client/components/BasicInfo.tsx (1)

39-41: Consider adding a comment to explain the business logic.

While the logic is correct, adding a comment would help future maintainers understand why native clients don't need client secrets.

+// Native clients don't require client secrets as per OAuth 2.0 specifications
 const hasClientSecrets =
   Boolean(clientSecrets && clientSecrets.length > 0) &&
   clientType !== AuthAdminClientType.native

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 7e8abb4 and 34bc9dd.

📒 Files selected for processing (3)

• apps/services/auth/admin-api/src/app/v2/clients/me-clients.controller.ts (2 hunks)
• libs/portals/admin/ids-admin/src/screens/Client/EditClient.tsx (1 hunks)
• libs/portals/admin/ids-admin/src/screens/Client/components/BasicInfo.tsx (2 hunks)

🧰 Additional context used

📓 Path-based instructions (3)

apps/services/auth/admin-api/src/app/v2/clients/me-clients.controller.ts (2)

Pattern apps/services/**/*: "Confirm that the code adheres to the following:

• NestJS architecture, including modules, services, and controllers.
• Dependency injection patterns and service encapsulation.
• Integration and unit testing coverage and practices."

---

Pattern apps/**/*: "Confirm that the code adheres to the following:

• NextJS best practices, including file structure, API routes, and static generation methods.
• Efficient state management and server-side rendering techniques.
• Optimal use of TypeScript for component and utility type safety."

libs/portals/admin/ids-admin/src/screens/Client/EditClient.tsx (1)

Pattern libs/**/*: "Confirm that the code adheres to the following:

• Reusability of components and hooks across different NextJS apps.
• TypeScript usage for defining props and exporting types.
• Effective tree-shaking and bundling practices."

libs/portals/admin/ids-admin/src/screens/Client/components/BasicInfo.tsx (1)

Pattern libs/**/*: "Confirm that the code adheres to the following:

• Reusability of components and hooks across different NextJS apps.
• TypeScript usage for defining props and exporting types.
• Effective tree-shaking and bundling practices."

🔇 Additional comments (6)

apps/services/auth/admin-api/src/app/v2/clients/me-clients.controller.ts (2)

20-20: LGTM: Import addition follows best practices

The ClientType import is correctly grouped with other imports from the same module and is necessary for the new type check.

---

104-107: Verify impact on existing native clients

The implementation correctly prevents client secret creation for native clients. However, this is a breaking change that needs verification.

Let's check for existing native clients with secrets:

✅ Verification successful

The initial search revealed that native clients are used in the system, but we need to verify the historical handling of client secrets for native clients to ensure this change aligns with existing patterns and won't break existing implementations.

---

Change is safe and aligns with existing architecture

The code analysis reveals this change is safe and consistent with the existing architecture for the following reasons:

1. Native clients are already configured to not require client secrets:

   • In createClient.ts: Client secrets are only required for 'web' and 'machine' clients
   • In client forms: requireClientSecret is explicitly set to false for native clients

2. The change follows established patterns:

   • Native clients use PKCE for security instead of client secrets
   • UI already handles native clients differently in secret management flows
   • Migration scripts and seeders show native clients are grouped with SPA clients, which don't use secrets

The change simply moves an existing architectural requirement into an explicit guard clause, making the behavior more obvious and maintainable.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Search for references to native clients and their secrets
# to assess the impact of this change

# Look for native client type usage
echo "Searching for native client type usage..."
rg -A 5 "clientType.*native" 

# Look for related tests
echo "Searching for related test files..."
fd -e spec.ts -e test.ts | xargs rg -l "native.*client"

Length of output: 10216

---

Script:

#!/bin/bash
# Let's verify if there are any existing native clients with secrets in the database migrations or seeders

# Search for native client configurations in seeders
echo "Searching seeder data for native clients..."
fd seeder -e json -e js | xargs rg "clientType.*native" -B 2 -A 5

# Search for client secret related code specifically for native clients
echo "Searching for native client secret handling..."
rg -A 5 "requireClientSecret.*native|clientSecret.*native"

# Search for PKCE requirements for native clients
echo "Searching for PKCE requirements..."
rg "requirePkce.*native|PKCE.*native"

Length of output: 13491

libs/portals/admin/ids-admin/src/screens/Client/EditClient.tsx (1)

129-129: LGTM! The change aligns with PR objectives.

The addition of the clientType prop to BasicInfo enables the component to handle native clients differently, which directly implements the PR's goal of hiding client secrets for native clients.

libs/portals/admin/ids-admin/src/screens/Client/components/BasicInfo.tsx (3)

7-7: LGTM! Type definitions and imports are well structured.

The changes properly introduce the necessary types and maintain good TypeScript practices.

Also applies to: 10-10, 16-16

---

23-23: LGTM! Props destructuring is properly updated.

The clientType prop is correctly added to the component's parameters.

---

Line range hint 1-200: Component meets all coding guidelines requirements.

✅ The component:

• Is reusable across different NextJS apps
• Uses TypeScript effectively for props and type exports
• Has no tree-shaking concerns

[GunnlaugurG]

LGTM🚀