fix(auth): reject partial API auth credentials instead of treating as anonymous

[Akash504-ai]

What does this PR do?

Fixes an issue in OptionalApiAuthGuard where partially provided API auth credentials (only client ID or only client secret) were incorrectly treated as unauthenticated requests instead of invalid ones.

Previously:

• Sending only client ID OR only client secret ---> request was allowed as anonymous

Now:

• Partial credentials ---> request is rejected (401)
• No credentials ---> still allowed (as intended for optional auth)

This aligns the behavior with the existing comment and expected auth semantics: "optional means no auth is fine, but invalid auth must fail"

---

Why this change?

The current logic creates a subtle auth downgrade issue: Invalid or incomplete credentials are silently ignored and treated as if no auth was provided.

This can lead to unintended access in endpoints that assume: "If auth is present, it must be valid"

This PR ensures:

• Clear separation between "no auth" vs "invalid auth"
• Consistent and predictable authentication behavior

---

Behavior Change

Before:

After:

Changes

• Updated OptionalApiAuthGuard to throw error when only client ID or only client secret is provided
• Added tests to verify correct guard behavior for partial credentials

---

Mandatory Tasks

• I have self-reviewed the code
• I have updated the developer docs (N/A)
• I confirm automated tests are in place that prove my fix is effective

---

How should this be tested?

1. Send request with only X_CAL_CLIENT_ID ---> should return 401

2. Send request with only X_CAL_SECRET_KEY ---> should return 401

3. Send request with no auth ---> should be allowed (if endpoint uses OptionalApiAuthGuard)

4. Send valid credentials ---> should authenticate normally

No special env variables required beyond standard setup.

---

Checklist

• My code follows project style guidelines
• No new warnings introduced
• PR is small and focused

[github-actions]

Welcome to Cal.diy, @Akash504-ai! Thanks for opening this pull request.

A few things to keep in mind:

• This is Cal.diy, not Cal.com. Cal.diy is a community-driven, fully open-source fork of Cal.com licensed under MIT. Your changes here will be part of Cal.diy — they will not be deployed to the Cal.com production app.
• Please review our Contributing Guidelines if you haven't already.
• Make sure your PR title follows the Conventional Commits format.

A maintainer will review your PR soon. Thanks for contributing!

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a3759f6c-75f0-4625-9743-c9b55082c13a

📥 Commits

Reviewing files that changed from the base of the PR and between 44ccc72 and bf3ebf1.

📒 Files selected for processing (2)

• apps/api/v2/src/modules/auth/guards/optional-api-auth/optional-api-auth.guard.ts
• apps/api/v2/src/modules/auth/strategies/api-auth/api-auth.strategy.e2e-spec.ts

---

📝 Walkthrough

Walkthrough

This pull request modifies error handling in the OptionalApiAuthGuard to reject incomplete credential scenarios. The guard now throws authentication errors when either only a client ID or only a client secret is provided, rather than suppressing these errors. The change affects the guard's control flow specifically for these partial credential cases, while maintaining existing behavior for other scenarios. E2E test coverage is added to verify the guard correctly rejects both cases of incomplete credentials.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and specifically describes the main change: fixing partial API auth credentials handling in OptionalApiAuthGuard, which is the core focus of this PR.
Description check	✅ Passed	The description comprehensively explains the issue, the fix, why it matters, provides before/after behavior comparison, testing instructions, and confirms automated tests are in place.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 7/8 reviews remaining, refill in 7 minutes and 30 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

This PR has been marked as stale due to inactivity. If you're still working on it or need any help, please let us know or update the PR to keep it active.