3 changes: 3 additions & 0 deletions packages/core/src/services/oauth/types.ts
@@ -20,6 +20,7 @@ export const OAuthClientSchema = z.object({
id_token_lifetime_seconds: z.number().optional(),
allowed_user_ids: z.array(z.string()),
internal: z.boolean().optional().default(false),
is_public: z.boolean().default(true),
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether any OAuth response producers/consumers still omit `is_public`
# and would rely on the schema default.
rg -nP --type=ts -C3 '\bOAuthClientSchema\b|\bOAuthClientListItemSchema\b|APIResponseSchema\('
rg -nP --type=ts -C3 '\bis_public\b|\bclient_type\b' packages/core/src/services/oauth

Repository: agentuity/sdk

Length of output: 50369


🏁 Script executed:

# Read the OAuth types file to see the exact schema definition
cat -n packages/core/src/services/oauth/types.ts | head -50

Repository: agentuity/sdk

Length of output: 2179


🏁 Script executed:

# Search for where is_public is used/accessed in the codebase
rg -nP --type=ts 'is_public' --max-count=30 -B2 -A2

Repository: agentuity/sdk

Length of output: 1202


🏁 Script executed:

# Search for OAuth handlers and API functions
rg -nP --type=ts 'OAuth.*[Cc]lient.*[Ss]chema|OAuthClientListItemSchema|OAuthClientCreateDataSchema|OAuthClientUpdateDataSchema' packages/core/src/services/oauth -B3 -A3

Repository: agentuity/sdk

Length of output: 21797


🏁 Script executed:

# Search for code that accesses is_public after parsing responses
rg -nP --type=ts 'client\.is_public|item\.is_public|\bis_public\b' --max-count=20 -B2 -A2

Repository: agentuity/sdk

Length of output: 1202


🏁 Script executed:

# Search for test files related to OAuth clients
find packages/core -name '*.test.ts' -o -name '*.spec.ts' | xargs grep -l -i oauth 2>/dev/null | head -5

Repository: agentuity/sdk

Length of output: 95


🏁 Script executed:

# Check the OAuth test file
cat packages/core/test/env-example.test.ts | head -100

Repository: agentuity/sdk

Length of output: 3734


🏁 Script executed:

# Search for any tests that might parse OAuth responses or mention is_public
find packages -name '*.test.ts' -o -name '*.spec.ts' | xargs grep -l 'OAuthClient' 2>/dev/null

Repository: agentuity/sdk

Length of output: 41


🏁 Script executed:

# Check for any comments or documentation about is_public in the OAuth service
rg -nP --type=ts 'is_public' packages/core/src/services/oauth -B5 -A1 | head -60

Repository: agentuity/sdk

Length of output: 1901


Avoid defaulting a security-sensitive flag to true in response schemas.

Line 23 applies z.boolean().default(true) to the is_public field in OAuthClientSchema, which will silently coerce missing values to true. This asymmetry with request schemas—where is_public is .optional() without defaults—creates a defensive coding gap for a security-relevant field. If the backend ever omits or partially returns client data, misclassification to public becomes automatic rather than explicit.

Suggested change
-	is_public: z.boolean().default(true),
+	is_public: z.boolean(),
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@packages/core/src/services/oauth/types.ts` at line 23, The response schema
unconditionally defaults OAuthClientSchema's is_public to true, which is unsafe;
update the OAuthClientSchema definition (the is_public field) to stop defaulting
to true—either remove the .default(true) and use .optional() to mirror request
schemas or explicitly set .default(false) if you need a default, so missing
backend values aren't implicitly treated as public.

created_at: z.string(),
updated_at: z.string(),
});
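Review bot: The new field `is_public: z.boolean().default(true),` carries no description of what "public" means, and nothing else in the hunk says either. In OAuth 2.0 (RFC 6749 §2.1) a public client is one that cannot keep a client secret, which changes how the authorization server must treat it, so the meaning should be stated where the field is declared, for example via `.describe('...')` or a JSDoc comment. The default should also be read together with `internal: z.boolean().optional().default(false),` directly above it: a response that omits both fields now parses, without error, as a non-internal public client.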
@@ -50,6 +51,7 @@ export const OAuthClientCreateRequestSchema = z.object({
refresh_token_lifetime_seconds: z.number().optional(),
id_token_lifetime_seconds: z.number().optional(),
allowed_user_ids: z.array(z.string()).optional(),
is_public: z.boolean().optional(),
});

export type OAuthClientCreateRequest = z.infer<typeof OAuthClientCreateRequestSchema>;
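Review bot: `is_public: z.boolean().optional(),` in OAuthClientCreateRequestSchema leaves the effective default to the backend, and nothing in the hunk records which value a client created without the field receives. Since the response schema earlier in this file defaults the same field to `true`, a reader cannot tell whether omitting it at creation yields a confidential or a public client; document the server-side default on the field, or make it required at creation so callers choose explicitly.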
@@ -77,6 +79,7 @@ export const OAuthClientUpdateRequestSchema = z.object({
refresh_token_lifetime_seconds: z.number().optional(),
id_token_lifetime_seconds: z.number().optional(),
allowed_user_ids: z.array(z.string()).optional(),
is_public: z.boolean().optional(),
});

export type OAuthClientUpdateRequest = z.infer<typeof OAuthClientUpdateRequestSchema>;
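Review bot: In OAuthClientUpdateRequestSchema, `is_public: z.boolean().optional(),` makes omission mean "leave unchanged", which is the right partial-update semantics, but flipping a client from confidential to public is a security-relevant change that the type does not call out. A short comment on the field stating that `undefined` leaves the stored value untouched and that `true` downgrades the client to public would help callers. The create and update hunks now declare the identical field; a shared base schema would keep the two from drifting.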