Skip to content

fix(kafka-connect): call .get() on basicAuth Supplier fields in KafkaConnectApiFactory#760

Merged
fhussonnois merged 2 commits intostreamthoughts:mainfrom
Yoni-Weisberg:fix/kafka-connect-basicauth-supplier-get-v2
Apr 15, 2026
Merged

fix(kafka-connect): call .get() on basicAuth Supplier fields in KafkaConnectApiFactory#760
fhussonnois merged 2 commits intostreamthoughts:mainfrom
Yoni-Weisberg:fix/kafka-connect-basicauth-supplier-get-v2

Conversation

@Yoni-Weisberg
Copy link
Copy Markdown
Contributor

@Yoni-Weisberg Yoni-Weisberg commented Apr 14, 2026

Summary

KafkaConnectClientConfig.basicAuthUser() and basicAuthPassword() return Supplier<String> — the record accessor returns the supplier object, not the resolved string. Concatenating them without .get() embeds the lambda toString() into the Authorization header:

Authorization: Basic aW8uamlra291LmthZmthLmNvbm5lY3QuYXBpLkthZmthQ29ubmVjdENsaWVudENvbmZpZyQkTGFtYmRh...

Decoded, that's something like:

io.jikkou.kafka.connect.api.KafkaConnectClientConfig$$Lambda/0x0000...@...:io.jikkou...$$Lambda/...@...

The Connect REST API rejects this with HTTP 401 Unauthorized.

Fix: call .get() on both suppliers in getAuthorizationHeader().

This is the same class of bug fixed for the Schema Registry provider in 0b5c775.

Changes

  • KafkaConnectApiFactory.java: add .get() on config.basicAuthUser() and config.basicAuthPassword()
  • KafkaConnectApiFactoryTest.java: new test that starts a MockWebServer, makes a real HTTP request, and asserts the Authorization header encodes the actual credentials
  • pom.xml: add mockwebserver test dependency (same pattern as jikkou-provider-schema-registry)

Test plan

  • KafkaConnectApiFactoryTest#shouldBuildBasicAuthHeaderFromActualCredentials passes with the fix
  • Reverting the fix causes the test to fail with a header containing the lambda toString() rather than alice:secret

Fixes #758.

🤖 Generated with Claude Code

@Yoni-Weisberg @claude
fix(kafka-connect): call .get() on basicAuth Supplier fields in Kafka…
0cfdec6 
…ConnectApiFactory

`KafkaConnectClientConfig.basicAuthUser()` and `basicAuthPassword()` return
`Supplier<String>`, not `String`. Concatenating them without `.get()` embeds
the lambda `toString()` into the Authorization header, producing an invalid
Basic token and HTTP 401 on every request.

Adds `KafkaConnectApiFactoryTest` that verifies the header encodes the actual
credentials. Fixes streamthoughts#758.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@Yoni-Weisberg @claude
test(kafka-connect): use generic assertion message in KafkaConnectApi…
2f7684a 
…FactoryTest

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@Yoni-Weisberg Yoni-Weisberg mentioned this pull request Apr 15, 2026
Merged
4 tasks
@fhussonnois
Copy link
Copy Markdown
Member

fhussonnois commented Apr 15, 2026

Look good to me! Thank you very much for this contribution.

@fhussonnois fhussonnois merged commit 1c94fdb into streamthoughts:main Apr 15, 2026
1 of 2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fhussonnois fhussonnois fhussonnois approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

authMethod = "basicAuth" sends wrong Authorization header — credentials are never used

2 participants

@Yoni-Weisberg @fhussonnois