fix: REST client BASIC auth uses Rest\$ConstantValue with correct BSON key (#200)

Three root causes found and fixed:

1. Studio Pro requires Rest\$ConstantValue for BASIC auth credentials,
   not Rest\$StringValue. Using StringValue causes InvalidCastException
   when opening the document and 401 at runtime because the auth header
   is never sent.

2. The BSON field name for the constant reference is "Value" (matching
   the metamodel), not "Constant" (which was an incorrect guess). With
   the wrong key, Mendix can't resolve the constant → CE7073.

3. When literal strings are provided for auth credentials (e.g.,
   Password: 'secret'), the executor now auto-creates string constants
   (Module.ClientName_Username / _Password) so the BSON always contains
   Rest\$ConstantValue references. This is transparent to the user.

Also adds missing ExportLevel, Tags, Timeout, BaseUrlParameter, and
OpenApiFile fields that Studio Pro always populates on REST clients.

Test case: mdl-examples/bug-tests/200-basic-auth-rest-client.mdl
creates a REST client pointing at httpbin.org/basic-auth with a test
page for side-by-side comparison of REST client auth vs inline REST
CALL auth.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: ako

mdl-examples/bug-tests/200-basic-auth-rest-client.mdl

@@ -0,0 +1,168 @@
+-- ============================================================================
+-- Bug #200: REST Client BASIC Auth — runtime verification test case
+-- ============================================================================
+--
+-- This script creates a REST client with BASIC authentication and a microflow
+-- that calls it. Open the project in Studio Pro and run the microflow to
+-- verify the Authorization header is sent correctly.
+--
+-- The test uses httpbin.org/basic-auth which returns 200 only if the correct
+-- Basic auth credentials are provided, and 401 otherwise.
+--
+-- Usage:
+--   mxcli exec mdl-examples/bug-tests/200-basic-auth-rest-client.mdl -p app.mpr
+--   Then open in Studio Pro and run ACT_TestBasicAuth from the test page.
+--
+-- Expected result:
+--   - ACT_TestBasicAuth logs "Auth OK: 200" (httpbin returns the auth echo)
+--   - If auth header is NOT sent, httpbin returns 401 and the log shows "Auth FAILED"
+--
+-- ============================================================================
+
+CREATE MODULE AuthTest;
+
+-- ############################################################################
+-- PART 1: CONSTANTS FOR AUTH CREDENTIALS
+-- ############################################################################
+
+-- Mendix requires Rest$ConstantValue for BASIC auth (not Rest$StringValue).
+-- Literal strings in Authentication: BASIC (...) are auto-promoted to
+-- constants by mxcli. For explicit control, create constants first:
+
+CREATE CONSTANT AuthTest.ApiUser TYPE String DEFAULT 'testuser';
+CREATE CONSTANT AuthTest.ApiPass TYPE String DEFAULT 'testpass123!';
+
+-- ############################################################################
+-- PART 2: REST CLIENT WITH BASIC AUTH
+-- ############################################################################
+
+-- httpbin.org/basic-auth/{user}/{pass} returns 200 + JSON if correct
+-- Basic auth credentials are sent, 401 otherwise.
+-- This is the definitive test: if we get 200, the header was sent.
+
+CREATE REST CLIENT AuthTest.HttpBinAuthAPI (
+  BaseUrl: 'https://httpbin.org',
+  Authentication: BASIC (Username: $ApiUser, Password: $ApiPass)
+)
+{
+  /** Calls /basic-auth/testuser/testpass123! — returns 200 if auth header sent */
+  OPERATION CheckAuth {
+    Method: GET,
+    Path: '/basic-auth/testuser/testpass123!',
+    Headers: ('Accept' = 'application/json'),
+    Timeout: 30,
+    Response: NONE
+  }
+};
+
+-- ############################################################################
+-- PART 2: TEST MICROFLOW
+-- ############################################################################
+
+/**
+ * Test BASIC auth on consumed REST client.
+ *
+ * Calls httpbin.org/basic-auth/testuser/testpass123! which requires
+ * correct Basic auth. Logs the HTTP status code:
+ *   200 = auth header sent correctly
+ *   401 = auth header missing or wrong (BUG #200)
+ */
+CREATE MICROFLOW AuthTest.ACT_TestBasicAuth ()
+RETURNS Boolean AS $Success
+BEGIN
+  DECLARE $Success Boolean = false;
+
+  -- Call the REST client operation
+  SEND REST REQUEST AuthTest.HttpBinAuthAPI.CheckAuth;
+
+  -- Check the response status
+  IF $latestHttpResponse/StatusCode = 200 THEN
+    LOG INFO NODE 'AuthTest' 'Auth OK: 200 — Basic auth header was sent correctly';
+    SET $Success = true;
+  ELSE
+    LOG WARNING NODE 'AuthTest' 'Auth FAILED: status=' + toString($latestHttpResponse/StatusCode) + ' — Basic auth header was NOT sent (bug #200)';
+  END IF;
+
+  RETURN $Success;
+END;
+/
+
+-- ############################################################################
+-- PART 3: COMPARISON — INLINE REST CALL (known to work)
+-- ############################################################################
+
+/**
+ * Same test using inline REST CALL (this always worked).
+ * Run both microflows and compare: if ACT_TestBasicAuth fails but
+ * ACT_TestBasicAuthInline succeeds, the bug is in the REST client
+ * auth serialization.
+ */
+CREATE MICROFLOW AuthTest.ACT_TestBasicAuthInline ()
+RETURNS Boolean AS $Success
+BEGIN
+  DECLARE $Success Boolean = false;
+
+  $Response = REST CALL GET 'https://httpbin.org/basic-auth/testuser/testpass123!'
+    HEADER Accept = 'application/json'
+    AUTH BASIC 'testuser' PASSWORD 'testpass123!'
+    TIMEOUT 30
+    RETURNS String
+    ON ERROR CONTINUE;
+
+  IF $Response != '' THEN
+    LOG INFO NODE 'AuthTest' 'Inline auth OK — response received';
+    SET $Success = true;
+  ELSE
+    LOG WARNING NODE 'AuthTest' 'Inline auth FAILED — empty response';
+  END IF;
+
+  RETURN $Success;
+END;
+/
+
+-- ############################################################################
+-- PART 4: TEST PAGE
+-- ############################################################################
+
+CREATE PAGE AuthTest.AuthTestPage
+(
+  Title: 'Bug #200 — Basic Auth Test',
+  Layout: Atlas_Core.Atlas_Default,
+  Url: 'auth-test'
+)
+{
+  LAYOUTGRID grid {
+    ROW rowTitle {
+      COLUMN col (DesktopWidth: 12) {
+        DYNAMICTEXT txtTitle (Content: 'Bug #200: REST Client Basic Auth', RenderMode: H2)
+        DYNAMICTEXT txtDesc (Content: 'Click each button and check the console log. Both should show status 200.', RenderMode: Paragraph)
+      }
+    }
+    ROW rowButtons {
+      COLUMN colClient (DesktopWidth: 6) {
+        ACTIONBUTTON btnClient (
+          Caption: 'Test REST Client Auth',
+          Action: MICROFLOW AuthTest.ACT_TestBasicAuth,
+          ButtonStyle: Primary
+        )
+        DYNAMICTEXT txtClient (Content: 'Uses CREATE REST CLIENT with BASIC auth', RenderMode: Paragraph)
+      }
+      COLUMN colInline (DesktopWidth: 6) {
+        ACTIONBUTTON btnInline (
+          Caption: 'Test Inline REST CALL Auth',
+          Action: MICROFLOW AuthTest.ACT_TestBasicAuthInline,
+          ButtonStyle: Default
+        )
+        DYNAMICTEXT txtInline (Content: 'Uses inline REST CALL ... AUTH BASIC (known working)', RenderMode: Paragraph)
+      }
+    }
+  }
+};
+
+-- ############################################################################
+-- PART 5: VERIFICATION
+-- ############################################################################
+
+SHOW REST CLIENTS IN AuthTest;
+DESCRIBE REST CLIENT AuthTest.HttpBinAuthAPI;
+DESCRIBE MICROFLOW AuthTest.ACT_TestBasicAuth;

mdl/executor/cmd_rest_clients.go

@@ -337,13 +337,44 @@ func createRestClient(ctx *ExecContext, stmt *ast.CreateRestClientStmt) error {
 		BaseUrl:       stmt.BaseUrl,
 	}
 
-	// Authentication
+	// Authentication — Mendix requires Rest$ConstantValue for BASIC auth credentials
+	// (Rest$StringValue causes InvalidCastException in Studio Pro). When literal
+	// strings are provided, auto-create constants to hold them.
 	if stmt.Authentication != nil {
-		svc.Authentication = &model.RestAuthentication{
-			Scheme:   stmt.Authentication.Scheme,
-			Username: stmt.Authentication.Username,
-			Password: stmt.Authentication.Password,
+		auth := &model.RestAuthentication{
+			Scheme: stmt.Authentication.Scheme,
 		}
+		// Username — must use Rest$ConstantValue pointing to a real constant.
+		// $Variable refs pass through; literal strings auto-create constants.
+		if strings.HasPrefix(stmt.Authentication.Username, "$") {
+			// Already a $Constant ref — resolve to qualified name for BY_NAME lookup
+			name := strings.TrimPrefix(stmt.Authentication.Username, "$")
+			if !strings.Contains(name, ".") {
+				name = moduleName + "." + name
+			}
+			auth.Username = "$" + name
+		} else if stmt.Authentication.Username != "" {
+			constName := stmt.Name.Name + "_Username"
+			if err := e.ensureConstant(moduleName, containerID, constName, stmt.Authentication.Username); err != nil {
+				return fmt.Errorf("failed to create username constant: %w", err)
+			}
+			auth.Username = "$" + moduleName + "." + constName
+		}
+		// Password
+		if strings.HasPrefix(stmt.Authentication.Password, "$") {
+			name := strings.TrimPrefix(stmt.Authentication.Password, "$")
+			if !strings.Contains(name, ".") {
+				name = moduleName + "." + name
+			}
+			auth.Password = "$" + name
+		} else if stmt.Authentication.Password != "" {
+			constName := stmt.Name.Name + "_Password"
+			if err := e.ensureConstant(moduleName, containerID, constName, stmt.Authentication.Password); err != nil {
+				return fmt.Errorf("failed to create password constant: %w", err)
+			}
+			auth.Password = "$" + moduleName + "." + constName
+		}
+		svc.Authentication = auth
 	}
 
 	// Operations
@@ -457,6 +488,30 @@ func convertMappingEntries(entries []ast.RestMappingEntry, importDirection bool)
 	return result
 }
 
+// ensureConstant creates a string constant if it doesn't already exist.
+func (e *Executor) ensureConstant(moduleName string, containerID model.ID, constName, value string) error {
+	// Check if constant already exists
+	constants, _ := e.reader.ListConstants()
+	h, _ := e.getHierarchy()
+	for _, c := range constants {
+		modID := h.FindModuleID(c.ContainerID)
+		modName := h.GetModuleName(modID)
+		if modName == moduleName && c.Name == constName {
+			return nil // already exists
+		}
+	}
+
+	// Create the constant
+	constant := &model.Constant{
+		ContainerID:  containerID,
+		Name:         constName,
+		Type:         model.ConstantDataType{Kind: "String"},
+		DefaultValue: value,
+		ExportLevel:  "Hidden",
+	}
+	return e.writer.CreateConstant(constant)
+}
+
 // dropRestClient handles DROP REST CLIENT statement.
 func dropRestClient(ctx *ExecContext, stmt *ast.DropRestClientStmt) error {
 

sdk/mpr/parser_rest.go

@@ -334,7 +334,15 @@ func extractRestValue(v any) string {
 	case "Rest$StringValue":
 		return extractString(valMap["Value"])
 	case "Rest$ConstantValue":
-		return extractString(valMap["Constant"])
+		// The BSON field is "Value" (QualifiedName of the constant).
+		// Historical code wrote "Constant" — try both for backward compat.
+		if v := extractString(valMap["Value"]); v != "" {
+			return "$" + v
+		}
+		if v := extractString(valMap["Constant"]); v != "" {
+			return "$" + v
+		}
+		return ""
 	}
 	return ""
 }

sdk/mpr/writer_rest.go

@@ -49,6 +49,12 @@ func (w *Writer) serializeConsumedRestService(svc *model.ConsumedRestService) ([
 		"Name":          svc.Name,
 		"Documentation": svc.Documentation,
 		"Excluded":      svc.Excluded,
+		// ExportLevel: whether the document is exposed to other modules/projects.
+		// Studio Pro defaults to "Hidden". Missing this field has been observed
+		// to cause runtime auth issues (#200).
+		"ExportLevel":      "Hidden",
+		"BaseUrlParameter": nil,
+		"OpenApiFile":      nil,
 	}
 
 	// BaseUrl as Rest$ValueTemplate
@@ -97,11 +103,12 @@ func serializeRestAuthScheme(auth *model.RestAuthentication) bson.M {
 // Values starting with "$" are treated as constant references; others as string literals.
 func serializeRestValue(value string) bson.M {
 	if strings.HasPrefix(value, "$") {
-		// Constant reference — strip the $ prefix for the constant name
+		// Constant reference — the BSON field is "Value" (QualifiedName of the constant).
+		constRef := strings.TrimPrefix(value, "$")
 		return bson.M{
-			"$ID":      idToBsonBinary(generateUUID()),
-			"$Type":    "Rest$ConstantValue",
-			"Constant": strings.TrimPrefix(value, "$"),
+			"$ID":   idToBsonBinary(generateUUID()),
+			"$Type": "Rest$ConstantValue",
+			"Value": constRef,
 		}
 	}
 	return bson.M{
@@ -119,9 +126,15 @@ func serializeRestOperation(op *model.RestClientOperation) bson.M {
 		"Name":  op.Name,
 	}
 
-	if op.Timeout > 0 {
-		doc["Timeout"] = int64(op.Timeout)
+	// Timeout: Studio Pro always writes this field; default is 300 seconds.
+	timeout := int64(op.Timeout)
+	if timeout <= 0 {
+		timeout = 300
 	}
+	doc["Timeout"] = timeout
+
+	// Tags: Studio Pro always writes this field (versioned string array).
+	doc["Tags"] = bson.A{int32(1)}
 
 	// Method: polymorphic (WithBody or WithoutBody)
 	doc["Method"] = serializeRestMethod(op)

sdk/mpr/writer_rest_test.go

@@ -135,7 +135,7 @@ func TestSerializeConsumedRestServiceWithConstantAuth(t *testing.T) {
 		t.Fatalf("Username: expected map, got %T", authScheme["Username"])
 	}
 	assertField(t, username, "$Type", "Rest$ConstantValue")
-	assertField(t, username, "Constant", "MyModule.ApiUser")
+	assertField(t, username, "Value", "MyModule.ApiUser")
 }
 
 func TestSerializeRestOperationGetWithParams(t *testing.T) {