Merging to release-5.10: [TT-15798] fix schema for jtiValidation (#7375)

[buger]

User description

TT-15798 fix schema for jtiValidation (#7375)

User description

TT-15798

Summary	Custom claims validation not available in auto-suggest
Type	Bug
Status	In Dev
Points	N/A
Labels	regression-5.10.0, stability_refinement

---

This PR fixes an issue with the schema of jtiValidation.

---

PR Type

Bug fix

---

Description

• Correct jtiValidation schema to object

• Add required boolean property enabled

• Update strict and non-strict OAS schemas

---

Diagram Walkthrough

flowchart LR
  A["OAS Schema (non-strict)"] -- "jtiValidation array -> object" --> B["jtiValidation { enabled: boolean }"]
  C["OAS Schema (strict)"] -- "jtiValidation array -> object" --> B

Loading

File Walkthrough

Relevant files

Bug fix

x-tyk-api-gateway.json Convert jtiValidation to object with enabled                          apidef/oas/schema/x-tyk-api-gateway.json Change jtiValidation from array to object Define boolean property enabled Mark enabled as required +9/-2      x-tyk-api-gateway.strict.json Align strict schema: jtiValidation object enabled                apidef/oas/schema/x-tyk-api-gateway.strict.json Change jtiValidation from array to object Define boolean property enabled Mark enabled as required +9/-4

---

---

PR Type

Bug fix

---

Description

• Fix jtiValidation schema to object

• Add required boolean property enabled

• Update strict and non-strict OAS schemas

---

Diagram Walkthrough

flowchart LR
  nonStrict["OAS schema (non-strict)"] -- "jtiValidation array -> object" --> jtiObj["jtiValidation { enabled:boolean }"]
  strict["OAS schema (strict)"] -- "jtiValidation array -> object" --> jtiObj

Loading

File Walkthrough

Relevant files

Bug fix

x-tyk-api-gateway.json Convert jtiValidation to object with required enabled        apidef/oas/schema/x-tyk-api-gateway.json Change jtiValidation from array to object Add boolean property enabled Mark enabled as required +9/-2      x-tyk-api-gateway.strict.json Align strict schema for jtiValidation object                          apidef/oas/schema/x-tyk-api-gateway.strict.json Align strict schema: array to object Add boolean property enabled Mark enabled as required +9/-4

---

[github-actions]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Disallow extra object fields Prevent unknown fields in jtiValidation to avoid misconfiguration and ensure strict validation parity. Add "additionalProperties": false so only the defined keys are accepted. apidef/oas/schema/x-tyk-api-gateway.json [1689-1699] "jtiValidation": { "type": "object", "properties": { "enabled": { "type": "boolean" } }, "required": [ "enabled" - ] + ], + "additionalProperties": false }, Suggestion importance[1-10]: 7 __ Why: Adding additionalProperties: false to jtiValidation tightens validation and prevents silent misconfigs; it's accurate and aligns with the new object schema but is a moderate improvement, not a critical fix.	Medium
	Forbid unknown properties Enforce strictness by disallowing unexpected properties in jtiValidation. Add "additionalProperties": false to ensure only supported keys are accepted. apidef/oas/schema/x-tyk-api-gateway.strict.json [1778-1788] "jtiValidation": { "type": "object", "properties": { "enabled": { "type": "boolean" } }, "required": [ "enabled" - ] + ], + "additionalProperties": false }, Suggestion importance[1-10]: 7 __ Why: For the strict schema, disallowing extra fields in jtiValidation is appropriate and improves schema robustness; it's correct and useful, though not a high-impact bug fix.	Medium

[github-actions]

API Changes

no api changes detected

[probelabs]

🔍 Code Analysis Results

The search result confirms my hypothesis.

In apidef/oas/security.go, the Go struct JWT has a field JTIValidation of type JTIValidation.

// apidef/oas/security.go

// JTIValidation contains the configuration for the validation of the JWT ID.
// This field is a Tyk OAS only field and is only used in Tyk OAS APIs.
JTIValidation JTIValidation `bson:"jtiValidation,omitempty" json:"jtiValidation,omitempty"`

// ...

// JTIValidation contains the configuration for the validation of the JWT ID.
type JTIValidation struct {
	// Enabled indicates whether JWT ID claim is required.
	// When true, tokens must include a 'jti' claim.
	Enabled bool `bson:"enabled,omitempty" json:"enabled,omitempty"`
}

The JTIValidation struct has a single boolean field Enabled. This means the Go code expects jtiValidation to be an object like {"enabled": true}, not an array of strings as the old schema defined.

Therefore, the PR is indeed a bug fix to align the OpenAPI schemas with the actual Go implementation. The change is correct and necessary. The impact is limited to schema validation and tooling that relies on it. There should be no change in the gateway's runtime behavior.

Now I have all the information to create the final report. I will structure it as requested:

1. Change Impact Analysis
2. Architecture Visualization with a mermaid diagram.

I will now generate the final response.<attempt_completion>

Change Impact Analysis

This pull request addresses a schema inconsistency for the jtiValidation field within the OpenAPI Specification (OAS) definitions used by Tyk.

Accomplishments

The PR successfully corrects the schema for jtiValidation in both the strict (x-tyk-api-gateway.strict.json) and non-strict (x-tyk-api-gateway.json) OAS definitions. This change aligns the schema with the existing Go implementation, resolving a bug where custom claims validation was not available for auto-suggestion in tools that rely on this schema.

Key Technical Changes

The core change is the modification of the jtiValidation field's type.

• Before: The schema defined jtiValidation as a type: "array" of strings.
• After: The schema now correctly defines jtiValidation as a type: "object" with a single required boolean property named enabled.

This is a pure schema correction. The underlying Go code, specifically the apidef.JTIValidation struct, already expected this object structure. Therefore, this PR does not alter the gateway's runtime behavior but fixes the contract for API definitions.

Affected System Components

• API Definition Schema: The primary components affected are the OAS schema files (apidef/oas/schema/x-tyk-api-gateway.json and apidef/oas/schema/x-tyk-api-gateway.strict.json).
• Developer Tooling: Any tools that consume these schemas for API definition validation, auto-completion, or UI generation will be positively impacted. Developers will now see the correct structure for configuring JTI validation.
• Tyk Dashboard/UI: If the Tyk Dashboard or other management UIs use these schemas to dynamically generate forms for API configuration, they will now render the correct input for jtiValidation (e.g., a checkbox for "enabled").

Architecture Visualization

The change is a straightforward modification of a data structure within the API definition schema. A component diagram best illustrates the "before" and "after" states of the jtiValidation property.

graph TD
    subgraph "API Definition Schema (Before)"
        direction LR
        A["x-tyk-api-gateway.json"] --> B["jwtValidation: [ string ]"];
    end

    subgraph "API Definition Schema (After)"
        direction LR
        C["x-tyk-api-gateway.json"] --> D["jwtValidation: { enabled: boolean }"];
    end

    subgraph "Go Implementation (Unchanged)"
        direction LR
        E["apidef/oas/security.go"] --> F["struct JTIValidation {<br/>  Enabled bool<br/>}"]
    end

    B -- "Incorrectly defined" --> F;
    D -- "Correctly defines" --> F;

Loading

This diagram shows that the pull request modifies the JSON schema to correctly represent the data structure already expected by the Go codebase, thus resolving the inconsistency.

---

Powered by Visor from Probelabs

Last updated: 2025-09-26T12:15:17.352Z | Triggered by: opened | Commit: 2438cd0

[probelabs]

🔍 Code Analysis Results

✅ Security Check Passed

No security issues found – changes LGTM.

✅ Performance Check Passed

No performance issues found – changes LGTM.

Quality Issues (1)

Severity	Location	Issue
🟢 Info	apidef/oas/schema/x-tyk-api-gateway.json:1690-1699	The modification of the `jtiValidation` schema is not accompanied by tests to validate the new structure. While the change itself is correct, adding tests that consume and validate against this schema would ensure its integrity and prevent future regressions. 💡 Suggestion Consider adding a unit test that loads a sample API definition using the new `jtiValidation` object structure and validates it against the updated schema. This test should cover both a valid case (e.g., `"jtiValidation": { "enabled": true }`) and an invalid case where the required `enabled` property is missing.

✅ Style Check Passed

No style issues found – changes LGTM.

Dependency Issues (2)

Severity	Location	Issue
🔴 Critical	apidef/oas/schema/x-tyk-api-gateway.json:1690-1698	The schema change for `jtiValidation` from an array to an object directly impacts downstream projects that consume or manage Tyk's OpenAPI API Definitions. This change requires coordinated updates in `tyk-operator`, `tyk-sink` (MDCB), and potentially the Tyk Developer Portal, which are not referenced in this PR. 💡 Suggestion This PR should be linked to corresponding PRs in the affected downstream repositories to ensure a safe, non-breaking release. Specifically: tyk-operator: The ApiDefinition CRD schema must be updated to reflect jtiValidation as an object with a required enabled boolean property. Without this, Kubernetes API server validation will reject API definitions using this feature. tyk-sink (MDCB) / Tyk Dashboard: The component that generates the API definitions (typically the Dashboard) must be updated to produce the new object format. tyk-sink must be able to handle this change, and a migration path for existing API definitions may be needed to avoid breaking older gateways during a rolling update. portal: The UI for configuring API definitions must be updated to present a boolean toggle for jtiValidation.enabled instead of an input for an array of strings. Please ensure these dependencies are addressed and linked before this change is merged.
🔴 Critical	apidef/oas/schema/x-tyk-api-gateway.strict.json:1779-1787	The schema change for `jtiValidation` in the strict schema has the same downstream impact as the non-strict schema. It requires coordinated updates in `tyk-operator`, `tyk-sink`, and the Tyk Developer Portal. 💡 Suggestion Please refer to the suggestion for `x-tyk-api-gateway.json`. All downstream dependencies that use the API Definition schema must be updated to handle this structural change.

Connectivity Issues (3)

Severity	Location	Issue
🔴 Critical	apidef/oas/schema/x-tyk-api-gateway.strict.json:1779-1787	The change to the `jtiValidation` schema from an array to an object is a breaking change for the `tyk-operator`'s `ApiDefinition` Custom Resource Definition (CRD). The operator relies on this schema for validation, and the structural change will cause validation failures for users managing OAS APIs via Kubernetes. 💡 Suggestion A corresponding pull request must be created for the `tyk-operator` repository to update its `ApiDefinition` CRD schema to match this change. The release of this gateway update must be coordinated with the operator update.
🔴 Critical	apidef/oas/schema/x-tyk-api-gateway.json:1690-1698	This schema change is a breaking change for the MDCB data pipeline. The Tyk Dashboard, which acts as the source of truth for API Definitions in an MDCB setup, may be generating definitions based on the old, incorrect schema. `tyk-sink` would then propagate these invalid definitions, causing parsing failures at the gateway. 💡 Suggestion Ensure a coordinated update is made in the Tyk Dashboard to generate API definitions compliant with this corrected schema. This change must be synchronized across the Dashboard, `tyk-sink`, and Gateway releases to prevent data corruption.
🟡 Warning	apidef/oas/schema/x-tyk-api-gateway.json:1690-1698	The schema change for `jtiValidation` directly impacts the Tyk Developer Portal's UI for designing OAS-based APIs. Any UI component that rendered an input field for an array based on the previous schema will now be incorrect and needs to be updated. 💡 Suggestion Notify the Tyk Developer Portal team to update the API designer UI. The UI should be changed to render a boolean toggle/checkbox for the `enabled` property inside the `jtiValidation` object, reflecting the new schema.

---

Powered by Visor from Probelabs

Last updated: 2025-09-26T12:15:18.201Z | Triggered by: opened | Commit: 2438cd0

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud