Skip to content

feat(csharp): remove omitted basic auth fields from SDK API, use empty string internally #14409

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Swimburger merged 34 commits into from
Apr 7, 2026
Merged

feat(csharp): remove omitted basic auth fields from SDK API, use empty string internally #14409

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
34 commits
Select commit Hold shift + click to select a range
266c344
feat(csharp-sdk): support optional username/password in basic auth wh…
Swimburger Mar 31, 2026
99467fe
fix(csharp-sdk): use per-field omit checks and constructor optionalit…
Swimburger Apr 1, 2026
3b8db30
fix(csharp-sdk): regenerate seed output for basic-auth-optional after…
Swimburger Apr 1, 2026
86ac58b
merge: resolve versions.yml conflict with main (bump to 2.55.4)
Swimburger Apr 1, 2026
a405301
fix(csharp-sdk): update createdAt date to 2026-04-01 for v2.55.4
Swimburger Apr 1, 2026
b41fd85
fix(csharp-sdk): remove omitted fields entirely from constructor para…
Swimburger Apr 2, 2026
88250dd
ci: retrigger CI after flaky csharp-sdk cancellation
Swimburger Apr 2, 2026
abe481b
ci: retrigger CI for flaky csharp-sdk seed-test-results cancellation
Swimburger Apr 2, 2026
61e6899
ci: retrigger CI for flaky csharp-sdk seed-test-results cancellation …
Swimburger Apr 2, 2026
86bdc62
ci: retrigger CI for flaky csharp-sdk seed-test-results cancellation …
Swimburger Apr 2, 2026
a4edff7
fix(csharp-sdk): skip auth header when both fields omitted and auth i…
Swimburger Apr 2, 2026
0aaecec
merge: resolve versions.yml conflict with main, fix if/else if bug wh…
Swimburger Apr 2, 2026
784d50b
merge: resolve versions.yml conflict with main (bump to 2.56.1)
Swimburger Apr 2, 2026
342a4ae
merge: resolve versions.yml conflict with main (bump to 2.56.2)
Swimburger Apr 2, 2026
93c2242
merge: resolve versions.yml conflict with main (bump to 2.56.3)
Swimburger Apr 2, 2026
c7ddfb5
merge: resolve versions.yml conflict with main (bump to 2.56.4)
Swimburger Apr 2, 2026
3921d83
merge: resolve versions.yml conflict with main (bump to 2.56.5)
Swimburger Apr 2, 2026
3b58b4e
merge: resolve versions.yml conflict with main (bump to 2.56.6)
Swimburger Apr 3, 2026
6867963
fix(csharp-sdk): use 'omit' instead of 'optional' in versions.yml cha…
Swimburger Apr 3, 2026
90f03d8
refactor: rename basic-auth-optional fixture to basic-auth-pw-omitted
Swimburger Apr 3, 2026
a906dce
fix(csharp-sdk): bump version to 2.57.0 (feat requires minor bump)
Swimburger Apr 3, 2026
1f03553
merge: resolve conflict with main (IR v66 name compression + basic au…
Swimburger Apr 3, 2026
996210c
merge: resolve CI workflow conflict with main
Swimburger Apr 3, 2026
fcf385e
fix(csharp-sdk): handle usernameOmit/passwordOmit in dynamic snippets…
Swimburger Apr 3, 2026
6fb25c8
refactor(csharp-sdk): simplify omit checks from === true to !!
Swimburger Apr 3, 2026
6dafafd
fix(csharp-sdk): update irVersion to 66 to match seed.yml
Swimburger Apr 3, 2026
5cb74f2
refactor(csharp-sdk): simplify === true to !! in RootClientGenerator …
Swimburger Apr 3, 2026
bc8f325
fix: pass usernameOmit/passwordOmit through DynamicSnippetsConverter …
Swimburger Apr 3, 2026
f0dab5a
Merge remote-tracking branch 'origin/main' into devin/1774997734-basi…
devin-ai-integration[bot] Apr 6, 2026
f0c88da
merge: resolve merge with main
Swimburger Apr 6, 2026
fe0ead4
fix(csharp-sdk): regenerate basic-auth-pw-omitted seed output to remo…
Swimburger Apr 6, 2026
84687de
fix(csharp-sdk): remove unnecessary {""} from auth header, use clean …
Swimburger Apr 6, 2026
a5e48f0
fix: remove trailing whitespace in RootClientGenerator.ts (biome)
Swimburger Apr 6, 2026
7b1c834
merge: resolve versions.yml conflict with main (add 2.56.6)
Swimburger Apr 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 14 additions & 6 deletions generators/csharp/dynamic-snippets/src/EndpointSnippetGenerator.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -385,16 +385,24 @@ export class EndpointSnippetGenerator extends WithGeneration {
auth: FernIr.dynamic.BasicAuth;
values: FernIr.dynamic.BasicAuthValues;
}): NamedArgument[] {
return [
{
// usernameOmit/passwordOmit may exist in newer IR versions
const authRecord = auth as unknown as Record<string, unknown>;
const usernameOmitted = !!authRecord.usernameOmit;
const passwordOmitted = !!authRecord.passwordOmit;
const args: NamedArgument[] = [];
if (!usernameOmitted) {
args.push({
name: this.context.getParameterName(auth.username),
assignment: this.csharp.Literal.string(values.username)
},
{
});
}
if (!passwordOmitted) {
args.push({
name: this.context.getParameterName(auth.password),
assignment: this.csharp.Literal.string(values.password)
}
];
});
}
return args;
}

private getConstructorBearerAuthArgs({
Expand Down
47 changes: 35 additions & 12 deletions generators/csharp/sdk/src/root-client/RootClientGenerator.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -454,6 +454,7 @@ export class RootClientGenerator extends FileGenerator<CSharpFile, SdkGeneratorC
(s): s is typeof s & { type: "basic" } => s.type === "basic"
);
const isAuthOptional = !this.context.ir.sdkConfig.isAuthMandatory;
let isFirstBlock = true;
for (let i = 0; i < basicSchemes.length; i++) {
const basicScheme = basicSchemes[i];
if (basicScheme == null) {
Expand All @@ -467,15 +468,30 @@ export class RootClientGenerator extends FileGenerator<CSharpFile, SdkGeneratorC
const passwordAccess = unified
? `clientOptions.${this.toPascalCase(passwordName)}`
: passwordName;
const usernameOmitted = !!basicScheme.usernameOmit;
const passwordOmitted = !!basicScheme.passwordOmit;
// Condition: only require non-omitted fields to be present
let condition: string;
if (!usernameOmitted && !passwordOmitted) {
condition = `${usernameAccess} != null && ${passwordAccess} != null`;
} else if (usernameOmitted && !passwordOmitted) {
condition = `${passwordAccess} != null`;
} else if (!usernameOmitted && passwordOmitted) {
condition = `${usernameAccess} != null`;
} else {
// Both fields omitted — skip auth header entirely when auth is non-mandatory
continue;
}
Comment on lines +481 to +484
Copy link
Copy Markdown
Contributor

@graphite-app graphite-app bot Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When both username and password are omitted, the code skips adding any authorization header via continue. However, this occurs regardless of whether isAuthOptional is true or false. If auth is mandatory (isAuthOptional === false) but both fields are omitted, the generated client will instantiate successfully (with no auth parameters) but all authenticated requests will fail at runtime with 401 errors.

} else {
    // Both fields omitted
    if (!isAuthOptional) {
        // This is a config error - mandatory auth requires at least one field
        throw new Error("Cannot have mandatory auth with both username and password omitted");
    }
    continue;
}

Alternatively, this validation should occur at IR validation time before code generation.

Suggested change
} else {
// Both fields omitted — skip auth header entirely when auth is optional
continue;
}
} else {
// Both fields omitted
if (!isAuthOptional) {
// This is a config error - mandatory auth requires at least one field
throw new Error("Cannot have mandatory auth with both username and password omitted");
}
// Auth is optional — skip auth header entirely
continue;
}

Spotted by Graphite

Fix in Graphite

Is this helpful? React 👍 or 👎 to let us know.

if (isAuthOptional || basicSchemes.length > 1) {
const controlFlowKeyword = i === 0 ? "if" : "else if";
innerWriter.controlFlow(
controlFlowKeyword,
this.csharp.codeblock(`${usernameAccess} != null && ${passwordAccess} != null`)
);
const controlFlowKeyword = isFirstBlock ? "if" : "else if";
innerWriter.controlFlow(controlFlowKeyword, this.csharp.codeblock(condition));
Comment thread
devin-ai-integration[bot] marked this conversation as resolved.
}
isFirstBlock = false;
// Build credential string: omitted fields are empty, provided fields use interpolation
const usernamePart = usernameOmitted ? "" : `{${usernameAccess}}`;
const passwordPart = passwordOmitted ? "" : `{${passwordAccess}}`;
innerWriter.writeTextStatement(
`clientOptionsWithAuth.Headers["Authorization"] = $"Basic {Convert.ToBase64String(global::System.Text.Encoding.UTF8.GetBytes($"{${usernameAccess}}:{${passwordAccess}}"))}"`
`clientOptionsWithAuth.Headers["Authorization"] = $"Basic {Convert.ToBase64String(global::System.Text.Encoding.UTF8.GetBytes($"${usernamePart}:${passwordPart}"))}"`
);
if (isAuthOptional || basicSchemes.length > 1) {
innerWriter.endControlFlow();
Expand Down Expand Up @@ -802,8 +818,12 @@ export class RootClientGenerator extends FileGenerator<CSharpFile, SdkGeneratorC
{
const usernameName = this.case.camelSafe(scheme.username);
const passwordName = this.case.camelSafe(scheme.password);
return [
{
const usernameOmitted = !!scheme.usernameOmit;
const passwordOmitted = !!scheme.passwordOmit;
// When omit is true, the field is completely removed from the end-user API.
const params: ConstructorParameter[] = [];
if (!usernameOmitted) {
params.push({
name: usernameName,
docs: scheme.docs ?? `The ${usernameName} to use for authentication.`,
isOptional,
Expand All @@ -817,8 +837,10 @@ export class RootClientGenerator extends FileGenerator<CSharpFile, SdkGeneratorC
type: this.Primitive.string,
environmentVariable: scheme.usernameEnvVar,
exampleValue: this.case.screamingSnakeSafe(scheme.username)
},
{
});
}
if (!passwordOmitted) {
params.push({
name: passwordName,
docs: scheme.docs ?? `The ${passwordName} to use for authentication.`,
isOptional,
Expand All @@ -832,8 +854,9 @@ export class RootClientGenerator extends FileGenerator<CSharpFile, SdkGeneratorC
type: this.Primitive.string,
environmentVariable: scheme.passwordEnvVar,
exampleValue: this.case.screamingSnakeSafe(scheme.password)
}
];
});
}
return params;
}
} else if (scheme.type === "oauth") {
if (this.oauth !== null) {
Expand Down
12 changes: 12 additions & 0 deletions generators/csharp/sdk/versions.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,16 @@
# yaml-language-server: $schema=../../../fern-versions-yml.schema.json
- version: 2.58.0
changelogEntry:
- summary: |
Support omitting username or password from basic auth when configured via
`usernameOmit` or `passwordOmit` in the IR. Omitted fields are removed from
the SDK's public API and treated as empty strings internally (e.g., omitting
password encodes `username:`, omitting username encodes `:password`). When
both are omitted, the Authorization header is skipped entirely.
type: feat
createdAt: "2026-04-03"
irVersion: 66

- version: 2.57.0-rc.0
changelogEntry:
- summary: |
Expand Down
17 changes: 14 additions & 3 deletions packages/cli/generation/ir-generator/src/dynamic-snippets/DynamicSnippetsConverter.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -732,11 +732,22 @@ export class DynamicSnippetsConverter {
}
const scheme = auth.schemes[0];
switch (scheme.type) {
case "basic":
return DynamicSnippets.Auth.basic({
case "basic": {
const basicAuth: DynamicSnippets.BasicAuth & {
usernameOmit?: boolean;
passwordOmit?: boolean;
} = {
username: this.inflateName(scheme.username),
password: this.inflateName(scheme.password)
});
};
if (scheme.usernameOmit) {
basicAuth.usernameOmit = scheme.usernameOmit;
}
if (scheme.passwordOmit) {
basicAuth.passwordOmit = scheme.passwordOmit;
}
return DynamicSnippets.Auth.basic(basicAuth);
Comment on lines +736 to +749
Copy link
Copy Markdown
Contributor

@devin-ai-integration devin-ai-integration bot Apr 3, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 Prohibited as unknown as X type assertion used instead of updating dynamic IR SDK types

Line 389 uses auth as unknown as Record<string, unknown> to access usernameOmit/passwordOmit fields that aren't declared on the FernIr.dynamic.BasicAuth type. This is explicitly prohibited by CLAUDE.md: "Never use as any or as unknown as X. These are escape hatches that bypass the type system entirely. If the types don't line up, fix the types." The root cause is that the @fern-api/dynamic-ir-sdk (v65.5.0, per generators/csharp/dynamic-snippets/package.json:39) hasn't been updated to include usernameOmit/passwordOmit in the BasicAuth interface. The proper fix is to update the dynamic IR SDK's BasicAuth type to include these optional fields, which would also make the corresponding DynamicSnippetsConverter.ts changes at lines 736-749 type-safe instead of relying on undeclared extra properties surviving JSON round-trips.

Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

Comment on lines +736 to +749
Copy link
Copy Markdown
Contributor

@devin-ai-integration devin-ai-integration bot Apr 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 usernameOmit/passwordOmit not added to dynamic IR BasicAuth schema, causing data loss through serialization

The DynamicSnippetsConverter.ts adds usernameOmit and passwordOmit as extra properties to the dynamic BasicAuth object, but these fields are NOT defined in the dynamic IR schema (packages/ir-sdk/fern/apis/ir-types-latest/definition/dynamic/auth.yml:22-25). The serialization schema at packages/ir-sdk/src/sdk/serialization/resources/dynamic/resources/auth/types/BasicAuth.ts:9-12 uses objectWithoutOptionalProperties with only username and password, meaning these fields are stripped during any schema-based deserialization. The EndpointSnippetGenerator.ts:389 then casts to Record<string, unknown> to read them, but those fields will be undefined if the dynamic IR went through Fern's schema deserialization. This creates a fragile contract where the feature works only when the IR is passed in-process or via raw JSON.parse (as in the test utility at generators/csharp/dynamic-snippets/src/__test__/utils/buildDynamicSnippetsGenerator.ts:15), but would silently break if any code path uses schema-based parsing.

Prompt for agents 
The dynamic IR BasicAuth type needs usernameOmit and passwordOmit fields added to its schema so these values survive serialization/deserialization. Update the following files:

1. packages/ir-sdk/fern/apis/ir-types-latest/definition/dynamic/auth.yml - Add usernameOmit (optional boolean) and passwordOmit (optional boolean) to the BasicAuth type properties.

2. After updating the YAML schema, regenerate the SDK types by running the appropriate IR generation command (pnpm ir:generate). This will update:
   - packages/ir-sdk/src/sdk/api/resources/dynamic/resources/auth/types/BasicAuth.ts
   - packages/ir-sdk/src/sdk/serialization/resources/dynamic/resources/auth/types/BasicAuth.ts

3. Once the types are updated, the as unknown as Record<string, unknown> cast in generators/csharp/dynamic-snippets/src/EndpointSnippetGenerator.ts can be replaced with direct property access on the properly typed BasicAuth object.

4. The DynamicSnippetsConverter.ts intersection type workaround (DynamicSnippets.BasicAuth & { usernameOmit?: boolean; passwordOmit?: boolean }) can then be simplified to just use DynamicSnippets.BasicAuth directly.

Also consider updating the v65 dynamic auth schema if backward compatibility with that IR version is needed.
Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

Copy link
Copy Markdown
Contributor

@devin-ai-integration devin-ai-integration bot Apr 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a known limitation — usernameOmit/passwordOmit are not yet part of the dynamic IR BasicAuth schema. Adding them requires updating the IR schema YAML, regenerating SDK types, and potentially updating the v65→v62 migration. This was intentionally deferred as an IR-level change (per earlier discussion with @niels). The current implementation works in-process and via raw JSON, which covers the seed test path. A follow-up PR to add these fields to the dynamic IR schema would make this fully robust.

}
case "bearer":
return DynamicSnippets.Auth.bearer({
token: this.inflateName(scheme.token)
Expand Down
2 changes: 1 addition & 1 deletion seed/csharp-sdk/basic-auth-pw-omitted/.fern/metadata.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion seed/csharp-sdk/basic-auth-pw-omitted/README.md
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions seed/csharp-sdk/basic-auth-pw-omitted/snippet.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 0 additions & 1 deletion seed/csharp-sdk/basic-auth-pw-omitted/src/SeedApi.DynamicSnippets/Example0.cs
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 0 additions & 1 deletion seed/csharp-sdk/basic-auth-pw-omitted/src/SeedApi.DynamicSnippets/Example1.cs
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 0 additions & 1 deletion seed/csharp-sdk/basic-auth-pw-omitted/src/SeedApi.DynamicSnippets/Example2.cs
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 0 additions & 1 deletion seed/csharp-sdk/basic-auth-pw-omitted/src/SeedApi.DynamicSnippets/Example3.cs
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 0 additions & 1 deletion seed/csharp-sdk/basic-auth-pw-omitted/src/SeedApi.DynamicSnippets/Example4.cs
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 0 additions & 1 deletion seed/csharp-sdk/basic-auth-pw-omitted/src/SeedApi.DynamicSnippets/Example5.cs
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 0 additions & 1 deletion seed/csharp-sdk/basic-auth-pw-omitted/src/SeedApi.DynamicSnippets/Example6.cs
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 0 additions & 1 deletion ...sic-auth-pw-omitted/src/SeedBasicAuthPwOmitted.Test/Unit/MockServer/BaseMockServerTest.cs
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 1 addition & 2 deletions ...harp-sdk/basic-auth-pw-omitted/src/SeedBasicAuthPwOmitted/SeedBasicAuthPwOmittedClient.cs
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading