Simplify API Key YAML configuration and JavaDoc; add collapsed attr…

[predic8]

…ibute to MCElement annotations.

Summary by CodeRabbit

• Documentation

  • Simplified API-key extractor YAML to inline key-value form (header: , query: ) across migration guide and examples.
  • Updated examples to require explicit header/query names (e.g., X-Api-Key, api-key) and made CORS examples more concise.

• Refactor

  • API-key extractor entries in configuration views are now shown collapsed by default.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

---

📝 Walkthrough

Walkthrough

This PR changes ApiKey extractor YAML from nested mappings to inline scalar form (e.g., header: X-Api-Key, query: api-key), adds collapsed = true to @MCElement on ApiKey extractor classes, adds @Required on setters, and updates Javadoc/examples. No runtime extraction logic was changed.

Changes

Cohort / File(s)	Summary
ApiKey Extractors (core) core/src/main/java/com/predic8/membrane/core/interceptor/apikey/extractors/ApiKeyHeaderExtractor.java, core/src/main/java/com/predic8/membrane/core/interceptor/apikey/extractors/ApiKeyQueryParamExtractor.java	Added collapsed = true to @MCElement; added @Required on setter(s); Javadoc YAML examples changed from nested name: to inline header:/query: scalars. No behavioral changes.
Migration guide docs/MIGRATION-GUIDE.md	Updated migration docs and examples to show inline extractor syntax (header: X-API-KEY, query: api-key) and listed header/query as single-attribute inline-configurable elements.
Examples (distribution) distribution/examples/security/api-key/apikey-openapi/apis.yaml, distribution/examples/security/api-key/rbac/apis.yaml, distribution/examples/security/api-key/simple/apis.yaml, distribution/examples/security/jwt/apikey-to-jwt-conversion/apis.yaml	Replaced nested mappings like header: { name: X-Key } with scalar header: X-Key and set query: api-key where applicable; examples updated to the inline form.
CORS docs (core) core/src/main/java/com/predic8/membrane/core/interceptor/cors/CorsInterceptor.java	Minor Javadoc formatting tweaks (example blocks converted to inline text). No functional changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• Update headerExtractor yaml syntax (Breaking Change) #2767 — Modifies ApiKey extractor classes and their MCElement/YAML configuration syntax to inline header/query.
• Rename singleAttribute to collapsed and make it work for both Attributes and TextContent #2585 — Introduces/adjusts MCElement.collapsed / single-attribute inline support leveraged by these changes.
• Improve yaml syntax: Use collapsed for suitable classes (Breaking Change) #2776 — Applies collapsed = true to MCElement usages including ApiKey extractors and related metadata updates.

Suggested reviewers

• predic8

Poem

🐇
I nibbled nested maps away,
One-line headers saved the day.
Keys now hop from field to tree,
Clean and simple — whee! — from me.
🥕✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly describes the main changes: simplifying API Key YAML configuration and JavaDoc, and adding the collapsed attribute to MCElement annotations.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch api-key-collapsed

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

docs/MIGRATION-GUIDE.md (2)

207-211: ⚠️ Potential issue | 🟡 Minor

Newly-collapsed header and query extractor elements are missing from the supported-elements list

This PR adds collapsed = true to the ApiKeyHeaderExtractor and ApiKeyQueryParamExtractor MCElement annotations, giving them the same inline single-attribute syntax as the elements listed here. However, the enumeration at line 210 still omits them. Because the sentence reads "The supported elements are: …", users looking for authoritative coverage won't find these two entries.

📝 Suggested update

-The supported elements are: `api.description`, `publicURL`, `headerFilter.include`, `headerFilter.exclude`, `keyTable`, `scopeTable`, `accessControl.allow`, `accessControl.deny`, `counter`, `mutation`
+The supported elements are: `api.description`, `publicURL`, `headerFilter.include`, `headerFilter.exclude`, `keyTable`, `scopeTable`, `accessControl.allow`, `accessControl.deny`, `counter`, `mutation`, `header` (ApiKey extractor), `query` (ApiKey extractor)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/MIGRATION-GUIDE.md` around lines 207 - 211, Update the
supported-elements enumeration to include the newly-collapsed extractor elements
by adding the ApiKeyHeaderExtractor and ApiKeyQueryParamExtractor to the list
(these correspond to the MCElement annotations with collapsed = true); edit the
sentence listing supported elements so it explicitly includes `header` and
`query` (or the names representing ApiKeyHeaderExtractor and
ApiKeyQueryParamExtractor) alongside the existing entries like
`headerFilter.include` and `headerFilter.exclude` to ensure the documentation
reflects the new inline single-attribute syntax.

---

30-31: ⚠️ Potential issue | 🟡 Minor

Migration bullets describe a rename-only change but the syntax also restructures the value

The bullet points instruct users to "rename" the extractors, but the actual change is more than a rename — the nested name: attribute is also collapsed into an inline value. A user following only the bullets would produce:

# result of rename-only migration
apiKey:
  extractors:
    - header:
        name: X-API-KEY
    - query:
        name: api-key

…which diverges from the documented "now" form. Adding a note about the inline value change (or replacing "Rename" with "Replace") prevents this confusion:

📝 Suggested wording

-## ApiKey extractors:
-- Rename `headerExtractor` to `header`
-- Rename `queryParamExtractor` to `query`
+## ApiKey extractors:
+- Replace `headerExtractor: \n    name: <value>` with `header: <value>`
+- Replace `queryParamExtractor: \n    name: <value>` with `query: <value>`

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/MIGRATION-GUIDE.md` around lines 30 - 31, Update the migration bullets
for headerExtractor -> header and queryParamExtractor -> query to indicate that
this is more than a simple rename: the nested "name:" attribute is collapsed
into an inline value (i.e., replace the nested object form with an inline
scalar), so change the wording from "Rename" to "Replace" or add a note
explaining the value restructuring and include a before/after example showing
headerExtractor/header and queryParamExtractor/query with the nested `name:`
form transforming into the inline form; reference the extractor keys
headerExtractor/queryParamExtractor and their new forms header/query in the
guidance.

🧹 Nitpick comments (1)

core/src/main/java/com/predic8/membrane/core/interceptor/apikey/extractors/ApiKeyHeaderExtractor.java (1)

30-34: YAML doc only shows collapsed/custom-header form — consider adding a note on the default and the expanded syntax.

The previous documentation showed both the default X-Api-Key behavior and a custom header. The new example exclusively shows the custom inline form. Users who relied on the explicit expanded attribute form (e.g., - header:\n name: Authorization) won't find it documented here, and the default-header case (no YAML configuration needed at all due to the ApiKeysInterceptor fallback) is no longer illustrated.

Consider adding a brief note or a second example snippet like:

 * `@yaml` <pre><code>
 * apiKey:
 *  extractors:
 *    - header: x-key # custom header name
+ *    # or use default (X-Api-Key) — no extractors block needed
 * </code></pre>

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@core/src/main/java/com/predic8/membrane/core/interceptor/apikey/extractors/ApiKeyHeaderExtractor.java`
around lines 30 - 34, Update the documentation in ApiKeyHeaderExtractor.java to
show both the collapsed custom-header form and the default/expanded syntaxes:
add a short note that the interceptor falls back to the default header X-Api-Key
when no extractor is configured (mention ApiKeysInterceptor), and include a
second YAML example demonstrating the expanded form (e.g., - header: name:
Authorization) so users see both custom inline and explicit attribute ways to
configure the extractor.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@core/src/main/java/com/predic8/membrane/core/interceptor/apikey/extractors/ApiKeyHeaderExtractor.java`:
- Line 37: The `@MCElement` annotation on ApiKeyHeaderExtractor (the
ApiKeyHeaderExtractor class) currently sets collapsed=true which breaks existing
expanded-form YAML configs; revert this by removing the collapsed attribute or
explicitly setting collapsed=false on the `@MCElement` annotation for
ApiKeyHeaderExtractor so the parser continues to accept expanded object form
(alternatively update the example YAMLs to the inline scalar form if the
collapsed behavior is intended).

In
`@core/src/main/java/com/predic8/membrane/core/interceptor/apikey/extractors/ApiKeyQueryParamExtractor.java`:
- Line 40: The `@MCElement` annotation on ApiKeyQueryParamExtractor was changed to
include collapsed = true which forces inline scalar YAML and will break existing
expanded-form configs; revert the change or make it optional: remove collapsed =
true from the `@MCElement` on class ApiKeyQueryParamExtractor (or add a
compatibility flag) so the GenericYamlParser.handleCollapsed logic is not
triggered, and run config parsing tests to ensure expanded YAML like "- query:\n
name: api-key" still parses correctly; if you must keep collapsed behavior, add
migration docs and a compatibility check around parsing in
GenericYamlParser.handleCollapsed to accept mapping form for this element name.

---

Outside diff comments:
In `@docs/MIGRATION-GUIDE.md`:
- Around line 207-211: Update the supported-elements enumeration to include the
newly-collapsed extractor elements by adding the ApiKeyHeaderExtractor and
ApiKeyQueryParamExtractor to the list (these correspond to the MCElement
annotations with collapsed = true); edit the sentence listing supported elements
so it explicitly includes `header` and `query` (or the names representing
ApiKeyHeaderExtractor and ApiKeyQueryParamExtractor) alongside the existing
entries like `headerFilter.include` and `headerFilter.exclude` to ensure the
documentation reflects the new inline single-attribute syntax.
- Around line 30-31: Update the migration bullets for headerExtractor -> header
and queryParamExtractor -> query to indicate that this is more than a simple
rename: the nested "name:" attribute is collapsed into an inline value (i.e.,
replace the nested object form with an inline scalar), so change the wording
from "Rename" to "Replace" or add a note explaining the value restructuring and
include a before/after example showing headerExtractor/header and
queryParamExtractor/query with the nested `name:` form transforming into the
inline form; reference the extractor keys headerExtractor/queryParamExtractor
and their new forms header/query in the guidance.

---

Nitpick comments:
In
`@core/src/main/java/com/predic8/membrane/core/interceptor/apikey/extractors/ApiKeyHeaderExtractor.java`:
- Around line 30-34: Update the documentation in ApiKeyHeaderExtractor.java to
show both the collapsed custom-header form and the default/expanded syntaxes:
add a short note that the interceptor falls back to the default header X-Api-Key
when no extractor is configured (mention ApiKeysInterceptor), and include a
second YAML example demonstrating the expanded form (e.g., - header: name:
Authorization) so users see both custom inline and explicit attribute ways to
configure the extractor.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

distribution/examples/security/api-key/apikey-openapi/apis.yaml (1)

1-1: ⚠️ Potential issue | 🟡 Minor

The referenced schema v7.1.0 does not support the new scalar header: X-Api-Key format used in this file.

The schema defines HeaderExtractorParser as an object expecting a name property, but line 19 uses a scalar string syntax. This will cause yaml-language-server validation errors. Either use the older object format (header: { name: X-Api-Key }) or update the schema reference to a version that supports the new scalar extractor syntax.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@distribution/examples/security/api-key/apikey-openapi/apis.yaml` at line 1,
The YAML uses the new scalar extractor syntax "header: X-Api-Key" which
conflicts with the referenced schema (HeaderExtractorParser expects an object
with a name property); fix by replacing the scalar with the object form (e.g.,
header: { name: X-Api-Key }) wherever the scalar header is used (or
alternatively update the schema reference to a version that explicitly supports
the scalar extractor syntax), ensuring entries that map to HeaderExtractorParser
match the object shape.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@distribution/examples/security/api-key/apikey-openapi/apis.yaml`:
- Line 1: The YAML uses the new scalar extractor syntax "header: X-Api-Key"
which conflicts with the referenced schema (HeaderExtractorParser expects an
object with a name property); fix by replacing the scalar with the object form
(e.g., header: { name: X-Api-Key }) wherever the scalar header is used (or
alternatively update the schema reference to a version that explicitly supports
the scalar extractor syntax), ensuring entries that map to HeaderExtractorParser
match the object shape.

[christiangoerdes]

/ok-to-test

[membrane-ci-server]

This pull request needs "/ok-to-test" from an authorized committer.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

core/src/main/java/com/predic8/membrane/core/interceptor/apikey/extractors/ApiKeyQueryParamExtractor.java (1)

29-32: ⚠️ Potential issue | 🟠 Major

@Required breaks existing configs that relied on the default "api-key" value — update Javadoc to reflect mandatory requirement.

Adding @Required on setParamName enforces the attribute as mandatory during YAML parsing. Before this PR, users who wrote - query (omitting the attribute entirely) silently got the default "api-key". After this change, the YAML parser throws ConfigurationParsingException before the field default is ever used, breaking those existing configurations.

The class-level Javadoc on lines 30–31 still reads "By default, the parameter name is api-key", which directly contradicts @Required by implying the attribute is optional. Update the Javadoc to clarify that the name attribute is now mandatory.

The same issue exists in ApiKeyHeaderExtractor.java (line 57 has @Required; lines 25–26 have conflicting Javadoc).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@core/src/main/java/com/predic8/membrane/core/interceptor/apikey/extractors/ApiKeyQueryParamExtractor.java`
around lines 29 - 32, Update the class Javadoc for ApiKeyQueryParamExtractor to
remove/replace the sentence claiming a default "api-key" and instead state that
the parameter name is mandatory (the name attribute must be provided) to match
the presence of `@Required` on setParamName; reference the setParamName method and
the `@Required` annotation so maintainers know the enforced contract. Do the same
change in ApiKeyHeaderExtractor: update its class Javadoc to reflect that the
header name is required (matching the `@Required` on the setter, e.g., setName)
rather than implying a default. Ensure both Javadocs clearly state the attribute
is mandatory and will be validated during YAML parsing.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In
`@core/src/main/java/com/predic8/membrane/core/interceptor/apikey/extractors/ApiKeyQueryParamExtractor.java`:
- Around line 29-32: Update the class Javadoc for ApiKeyQueryParamExtractor to
remove/replace the sentence claiming a default "api-key" and instead state that
the parameter name is mandatory (the name attribute must be provided) to match
the presence of `@Required` on setParamName; reference the setParamName method and
the `@Required` annotation so maintainers know the enforced contract. Do the same
change in ApiKeyHeaderExtractor: update its class Javadoc to reflect that the
header name is required (matching the `@Required` on the setter, e.g., setName)
rather than implying a default. Ensure both Javadocs clearly state the attribute
is mandatory and will be validated during YAML parsing.

---

Duplicate comments:
In
`@core/src/main/java/com/predic8/membrane/core/interceptor/apikey/extractors/ApiKeyQueryParamExtractor.java`:
- Line 40: The MCElement annotation on ApiKeyQueryParamExtractor currently sets
collapsed = true which will reject expanded YAML mappings and break existing
configs; update the annotation on the ApiKeyQueryParamExtractor class (the
`@MCElement`(...)) to remove collapsed = true or set collapsed = false so the
GenericYamlParser will accept both collapsed and expanded mapping forms,
preserving backward compatibility.