You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix(auth): suppress the client authenticator on security:[] operations
An operation declared `security: []` is explicitly unauthenticated, but the
generated api method passed nil/null as the auth argument, so base_api's
`auth || client_authenticator` fallback re-acquired the client credential and
attached it. That leaked the credential to endpoints the spec marks
unauthenticated — including the testEcho* operations, which reflect the request
back.
Introduce a no-auth sentinel that security:[] operations pass instead of nil.
base_api now resolves three states: the sentinel suppresses auth (no fallback),
nil falls back to the client authenticator (unchanged), and an explicit
authenticator is used as a per-call override (unchanged). Applied uniformly
across all 12 SDKs with a security-none parity test and a secured-still-works
guard. Existing tests that exercised auth through a security:[] op were
repointed at a secured op.
0 commit comments