Fix alert 5

scripts/generate-openapi.sh

@@ -1,4 +1,5 @@
 #!/bin/sh
+set -euo pipefail
 
 GENERATED_PACKAGE_NAME="generated"
 SDK_PACKAGE_NAME="com/corbado"
@@ -10,17 +11,24 @@ cd "$(dirname "$0")"
 rm -rf .gen
 mkdir -p .gen
 cd .gen
-rm -rf ../../src/main/java/$SDK_PACKAGE_NAME/$GENERATED_PACKAGE_NAME
-mkdir -p ../../src/main/java/$SDK_PACKAGE_NAME/$GENERATED_PACKAGE_NAME
+rm -rf "../../src/main/java/$SDK_PACKAGE_NAME/$GENERATED_PACKAGE_NAME"
+mkdir -p "../../src/main/java/$SDK_PACKAGE_NAME/$GENERATED_PACKAGE_NAME"
+
+mkdir -p templates
 
 cp ../backend_api.yml backend_api.yml
 cp ../common.yml common.yml
+cp ../ApiClient.mustache templates/ApiClient.mustache
 
+# --- 1) Generate with our overridden template (force okhttp-gson) ---
 docker pull openapitools/openapi-generator-cli
-docker run -v ${PWD}:/local --user $(id -u):$(id -g) openapitools/openapi-generator-cli generate \
+
+docker run --rm --name corbado-openapi-gen -v "${PWD}:/local" --user "$(id -u):$(id -g)" \
+  openapitools/openapi-generator-cli generate \
     -i /local/backend_api.yml \
     -g java \
     -o /local \
+    -t /local/templates \
     --additional-properties=packageName=com.corbado.generated \
     --additional-properties=groupId=com.corbado \
     --additional-properties=artifactId=corbado-java-generated \
@@ -31,9 +39,29 @@ docker run -v ${PWD}:/local --user $(id -u):$(id -g) openapitools/openapi-genera
     --additional-properties=useSwaggerAnnotations=false \
     --additional-properties=disallowAdditionalPropertiesIfNotPresent=false
 
-cp -r src/main/java/$SDK_PACKAGE_NAME/$GENERATED_PACKAGE_NAME/* ../../src/main/java/$SDK_PACKAGE_NAME/$GENERATED_PACKAGE_NAME
-cd ..
-rm -rf .gen
+# --- 2) Verify the override actually applied ---
+GEN_API_CLIENT="src/main/java/com/corbado/generated/invoker/ApiClient.java"
 
+if [ ! -f "$GEN_API_CLIENT" ]; then
+  echo "ERROR: Generated ApiClient.java not found at $GEN_API_CLIENT" >&2
+  echo "Hint: Check the invokerPackage and selected library." >&2
+  find src -name ApiClient.java || true
+  exit 1
+fi
 
+# Check for our injected exception string
+if ! grep -q 'TLS verification disabled (verifyingSsl=false). Refusing to install insecure TrustManager.' "$GEN_API_CLIENT"; then
+  echo "ERROR: Template override did NOT apply to generated ApiClient.java" >&2
+  echo "Diagnostics:" >&2
+  grep -n 'applySslSettings' "$GEN_API_CLIENT" || true
+  grep -n 'okhttp3' "$GEN_API_CLIENT" || echo "No okhttp3 import found; are you generating jersey instead of okhttp-gson?" >&2
+  exit 1
+fi
+
+# --- 3) Copy generated sources into your project tree ---
+cp -r "src/main/java/$SDK_PACKAGE_NAME/$GENERATED_PACKAGE_NAME/"* "../../src/main/java/$SDK_PACKAGE_NAME/$GENERATED_PACKAGE_NAME"
+
+cd ..
+rm -rf .gen
 
+echo "✅ Generation complete and secure applySslSettings() injected."

src/main/java/com/corbado/generated/invoker/ApiClient.java

@@ -1495,61 +1495,59 @@ public Response intercept(Interceptor.Chain chain) throws IOException {
      */
     protected void applySslSettings() {
         try {
-            TrustManager[] trustManagers;
-            HostnameVerifier hostnameVerifier;
+            // 1) Never allow "trust-all"
             if (!verifyingSsl) {
-                trustManagers = new TrustManager[]{
-                        new X509TrustManager() {
-                            @Override
-                            public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
-                            }
-
-                            @Override
-                            public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
-                            }
-
-                            @Override
-                            public java.security.cert.X509Certificate[] getAcceptedIssuers() {
-                                return new java.security.cert.X509Certificate[]{};
-                            }
-                        }
-                };
-                hostnameVerifier = new HostnameVerifier() {
-                    @Override
-                    public boolean verify(String hostname, SSLSession session) {
-                        return true;
-                    }
-                };
+                throw new IllegalStateException(
+                    "TLS verification disabled (verifyingSsl=false). Refusing to install insecure TrustManager."
+                );
+            }
+
+            // 2) If no custom CA and no client certs, keep platform defaults (best/simplest)
+            boolean hasCustomCa = (sslCaCert != null);
+            boolean hasClientCert = (keyManagers != null && keyManagers.length > 0);
+
+            if (!hasCustomCa && !hasClientCert) {
+                // Do NOT override sslSocketFactory/hostnameVerifier: let OkHttp use system trust + default hostname checks
+                httpClient = httpClient.newBuilder().build();
+                return;
+            }
+
+            // 3) Build TrustManager from system trust or the provided CA(s)
+            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+            if (!hasCustomCa) {
+                // System/JVM default trust store
+                tmf.init((KeyStore) null);
             } else {
-                TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-
-                if (sslCaCert == null) {
-                    trustManagerFactory.init((KeyStore) null);
-                } else {
-                    char[] password = null; // Any password will work.
-                    CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
-                    Collection<? extends Certificate> certificates = certificateFactory.generateCertificates(sslCaCert);
-                    if (certificates.isEmpty()) {
-                        throw new IllegalArgumentException("expected non-empty set of trusted certificates");
-                    }
-                    KeyStore caKeyStore = newEmptyKeyStore(password);
-                    int index = 0;
-                    for (Certificate certificate : certificates) {
-                        String certificateAlias = "ca" + (index++);
-                        caKeyStore.setCertificateEntry(certificateAlias, certificate);
-                    }
-                    trustManagerFactory.init(caKeyStore);
+                char[] password = null; // any password works for an empty keystore
+                CertificateFactory cf = CertificateFactory.getInstance("X.509");
+                Collection<? extends Certificate> certs = cf.generateCertificates(sslCaCert);
+                if (certs == null || certs.isEmpty()) {
+                    throw new IllegalArgumentException("Expected non-empty set of trusted certificates");
                 }
-                trustManagers = trustManagerFactory.getTrustManagers();
-                hostnameVerifier = OkHostnameVerifier.INSTANCE;
+                KeyStore caKeyStore = newEmptyKeyStore(password);
+                int i = 0;
+                for (Certificate c : certs) {
+                    caKeyStore.setCertificateEntry("ca" + (i++), c);
+                }
+                tmf.init(caKeyStore);
             }
 
-            SSLContext sslContext = SSLContext.getInstance("TLS");
-            sslContext.init(keyManagers, trustManagers, new SecureRandom());
+            TrustManager[] tms = tmf.getTrustManagers();
+            if (tms.length == 0 || !(tms[0] instanceof X509TrustManager)) {
+                throw new IllegalStateException("No X509TrustManager from TrustManagerFactory");
+            }
+            X509TrustManager x509Tm = (X509TrustManager) tms[0];
+
+            // 4) Initialize SSLContext with optional client key managers (for mTLS) + the proper trust manager
+            SSLContext sc = SSLContext.getInstance("TLS");
+            sc.init(keyManagers, new TrustManager[] { x509Tm }, new SecureRandom());
+
+            // 5) Wire into OkHttp with strict hostname verification
             httpClient = httpClient.newBuilder()
-                            .sslSocketFactory(sslContext.getSocketFactory(), (X509TrustManager) trustManagers[0])
-                            .hostnameVerifier(hostnameVerifier)
-                            .build();
+                    .sslSocketFactory(sc.getSocketFactory(), x509Tm)
+                    .hostnameVerifier(OkHostnameVerifier.INSTANCE)
+                    .build();
+
         } catch (GeneralSecurityException e) {
             throw new RuntimeException(e);
         }
@@ -1586,4 +1584,4 @@ protected String requestBodyToString(RequestBody requestBody) throws ApiExceptio
         // empty http request body
         return "";
     }
-}
+}

src/main/java/com/corbado/generated/invoker/ApiException.java

@@ -22,7 +22,7 @@
  * <p>ApiException class.</p>
  */
 @SuppressWarnings("serial")
-@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-10T14:34:06.387838337Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
+@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-11T08:51:20.340730305Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
 public class ApiException extends Exception {
     private static final long serialVersionUID = 1L;
 

src/main/java/com/corbado/generated/invoker/Configuration.java

@@ -17,7 +17,7 @@
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.function.Supplier;
 
-@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-10T14:34:06.387838337Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
+@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-11T08:51:20.340730305Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
 public class Configuration {
   public static final String VERSION = "1.0.0";
 

src/main/java/com/corbado/generated/invoker/Pair.java

@@ -13,7 +13,7 @@
 
 package com.corbado.generated.invoker;
 
-@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-10T14:34:06.387838337Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
+@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-11T08:51:20.340730305Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
 public class Pair {
   private final String name;
   private final String value;

src/main/java/com/corbado/generated/invoker/ServerConfiguration.java

@@ -18,7 +18,7 @@
 /**
  * Representing a Server configuration.
  */
-@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-10T14:34:06.387838337Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
+@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-11T08:51:20.340730305Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
 public class ServerConfiguration {
     public String URL;
     public String description;

src/main/java/com/corbado/generated/invoker/ServerVariable.java

@@ -18,7 +18,7 @@
 /**
  * Representing a Server Variable for server URL template substitution.
  */
-@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-10T14:34:06.387838337Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
+@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-11T08:51:20.340730305Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
 public class ServerVariable {
     public String description;
     public String defaultValue;

src/main/java/com/corbado/generated/invoker/StringUtil.java

@@ -16,7 +16,7 @@
 import java.util.Collection;
 import java.util.Iterator;
 
-@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-10T14:34:06.387838337Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
+@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-11T08:51:20.340730305Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
 public class StringUtil {
   /**
    * Check if the given array contains the given value (with case-insensitive comparison).

src/main/java/com/corbado/generated/invoker/auth/ApiKeyAuth.java

@@ -20,7 +20,7 @@
 import java.util.Map;
 import java.util.List;
 
-@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-10T14:34:06.387838337Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
+@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-11T08:51:20.340730305Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
 public class ApiKeyAuth implements Authentication {
   private final String location;
   private final String paramName;

src/main/java/com/corbado/generated/invoker/auth/Authentication.java

@@ -20,7 +20,7 @@
 import java.util.Map;
 import java.util.List;
 
-@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-10T14:34:06.387838337Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
+@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-11T08:51:20.340730305Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
 public interface Authentication {
     /**
      * Apply authentication settings to header and query params.

src/main/java/com/corbado/generated/invoker/auth/HttpBearerAuth.java

@@ -22,7 +22,7 @@
 import java.util.Optional;
 import java.util.function.Supplier;
 
-@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-10T14:34:06.387838337Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
+@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-11T08:51:20.340730305Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
 public class HttpBearerAuth implements Authentication {
   private final String scheme;
   private Supplier<String> tokenSupplier;

src/main/java/com/corbado/generated/model/AaguidDetails.java

@@ -50,7 +50,7 @@
 /**
  * AaguidDetails
  */
-@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-10T14:34:06.387838337Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
+@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-11T08:51:20.340730305Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
 public class AaguidDetails {
   public static final String SERIALIZED_NAME_AAGUID = "aaguid";
   @SerializedName(SERIALIZED_NAME_AAGUID)

src/main/java/com/corbado/generated/model/AbstractOpenApiSchema.java

@@ -21,7 +21,7 @@
 /**
  * Abstract class for oneOf,anyOf schemas defined in OpenAPI spec
  */
-@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-10T14:34:06.387838337Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
+@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-11T08:51:20.340730305Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
 public abstract class AbstractOpenApiSchema {
 
     // store the actual instance of the schema/object

src/main/java/com/corbado/generated/model/AppendHistoryData.java

@@ -50,7 +50,7 @@
 /**
  * AppendHistoryData
  */
-@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-10T14:34:06.387838337Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
+@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-11T08:51:20.340730305Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
 public class AppendHistoryData {
   public static final String SERIALIZED_NAME_DEFAULT_COUNT = "defaultCount";
   @SerializedName(SERIALIZED_NAME_DEFAULT_COUNT)

src/main/java/com/corbado/generated/model/AuthEvent.java

@@ -53,7 +53,7 @@
 /**
  * AuthEvent
  */
-@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-10T14:34:06.387838337Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
+@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-11T08:51:20.340730305Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
 public class AuthEvent {
   public static final String SERIALIZED_NAME_AUTH_EVENT_I_D = "authEventID";
   @SerializedName(SERIALIZED_NAME_AUTH_EVENT_I_D)

src/main/java/com/corbado/generated/model/AuthEventCreateReq.java

@@ -54,7 +54,7 @@
 /**
  * AuthEventCreateReq
  */
-@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-10T14:34:06.387838337Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
+@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-11T08:51:20.340730305Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
 public class AuthEventCreateReq {
   public static final String SERIALIZED_NAME_USERNAME = "username";
   @SerializedName(SERIALIZED_NAME_USERNAME)

src/main/java/com/corbado/generated/model/Challenge.java

@@ -52,7 +52,7 @@
 /**
  * Challenge
  */
-@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-10T14:34:06.387838337Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
+@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-11T08:51:20.340730305Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
 public class Challenge {
   public static final String SERIALIZED_NAME_CHALLENGE_I_D = "challengeID";
   @SerializedName(SERIALIZED_NAME_CHALLENGE_I_D)

src/main/java/com/corbado/generated/model/ChallengeCreateReq.java

@@ -52,7 +52,7 @@
 /**
  * ChallengeCreateReq
  */
-@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-10T14:34:06.387838337Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
+@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-11T08:51:20.340730305Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
 public class ChallengeCreateReq {
   public static final String SERIALIZED_NAME_CHALLENGE_TYPE = "challengeType";
   @SerializedName(SERIALIZED_NAME_CHALLENGE_TYPE)

src/main/java/com/corbado/generated/model/ChallengeUpdateReq.java

@@ -50,7 +50,7 @@
 /**
  * ChallengeUpdateReq
  */
-@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-10T14:34:06.387838337Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
+@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-11T08:51:20.340730305Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
 public class ChallengeUpdateReq {
   public static final String SERIALIZED_NAME_VALUE = "value";
   @SerializedName(SERIALIZED_NAME_VALUE)

src/main/java/com/corbado/generated/model/ClientEnv.java

@@ -50,7 +50,7 @@
 /**
  * ClientEnv
  */
-@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-10T14:34:06.387838337Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
+@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-11T08:51:20.340730305Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
 public class ClientEnv {
   public static final String SERIALIZED_NAME_ID = "id";
   @SerializedName(SERIALIZED_NAME_ID)

src/main/java/com/corbado/generated/model/ClientEnvList.java

@@ -53,7 +53,7 @@
 /**
  * ClientEnvList
  */
-@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-10T14:34:06.387838337Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
+@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-11T08:51:20.340730305Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
 public class ClientEnvList {
   public static final String SERIALIZED_NAME_CLIENT_ENVS = "clientEnvs";
   @SerializedName(SERIALIZED_NAME_CLIENT_ENVS)

src/main/java/com/corbado/generated/model/ClientInformation.java

@@ -53,7 +53,7 @@
 /**
  * ClientInformation
  */
-@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-10T14:34:06.387838337Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
+@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2025-09-11T08:51:20.340730305Z[Etc/UTC]", comments = "Generator version: 7.16.0-SNAPSHOT")
 public class ClientInformation {
   public static final String SERIALIZED_NAME_REMOTE_ADDRESS = "remoteAddress";
   @SerializedName(SERIALIZED_NAME_REMOTE_ADDRESS)