From 0da53c355695c24b90931e17666738444cc56bb0 Mon Sep 17 00:00:00 2001
From: arcuri82
Date: Thu, 16 Apr 2026 12:05:30 +0200
Subject: [PATCH 1/2] removed comments related to Maven plugins
---
 src/main/resources/wfc/schemas/auth.yaml | 13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)
diff --git a/src/main/resources/wfc/schemas/auth.yaml b/src/main/resources/wfc/schemas/auth.yaml
index acd64cb..80852b5 100644
--- a/src/main/resources/wfc/schemas/auth.yaml
+++ b/src/main/resources/wfc/schemas/auth.yaml
@@ -27,8 +27,6 @@ properties:
 type: string
 required: ["auth"]
 $defs:
-# TODO unfortunately, tools like jsonschema2pojo-maven-plugin have major limitations when dealing with enums.
-# This is not created as a top-level class
 HttpVerb:
 type: string
 enum:
@@ -99,17 +97,8 @@ $defs:
 items:
 $ref: "#/$defs/Header"
 verb:
-# description: "The verb used to connect to the login endpoint. \
-# Most of the time, this will be a 'POST'."
-# type: string
-# enum:
-# - POST
-# - GET
-# - PATCH
-# - DELETE
-# - PUT
 $ref: "#/$defs/HttpVerb"
- ## FIXME: unfortunately, plugin is not able to handle this... need new schema version with $ref not replacing everything
+ ## FIXME: need to schema version with $ref not replacing everything
 # description: "The verb used to connect to the login endpoint. \
 # Most of the time, this will be a 'POST'."
 # allOf:
From 4b686af4d703eb5894f5d008e227f6dafcba5f59 Mon Sep 17 00:00:00 2001
From: arcuri82
Date: Thu, 16 Apr 2026 12:12:58 +0200
Subject: [PATCH 2/2] using x-required
---
 src/main/resources/wfc/schemas/auth.yaml | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/src/main/resources/wfc/schemas/auth.yaml b/src/main/resources/wfc/schemas/auth.yaml
index 80852b5..8845b12 100644
--- a/src/main/resources/wfc/schemas/auth.yaml
+++ b/src/main/resources/wfc/schemas/auth.yaml
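Review bot: The reworded FIXME under `verb:` in the second hunk of PATCH 1/2 (`## FIXME: need to schema version with $ref not replacing everything`) no longer reads as a sentence, and with the plugin reference removed it no longer says what blocks the commented-out `allOf` form beneath it. The file declares draft 2020-12 as its `$schema` (visible in the next patch's context), where keywords placed beside `$ref` are evaluated rather than ignored, so the remaining blocker is presumably a consumer or code generator rather than the schema version; the comment should name it. Suggested wording: `## FIXME: switch to the allOf form below once all consumers handle keywords next to $ref`. The LoginEndpoint definition starts and ends outside this hunk.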
@@ -1,3 +1,12 @@
+#####################################################################################################################
+## We use a JSON Schema to validate JSON/YAML configuration files with auth info.
+## However, such files need to be post-processed to handle merge of keys from 'authTemplate'.
+## In the past, YAML had native support for this in the form of templates, but this is no longer the case.
+## A concrete side-effect of this issue is that we cannot use "required" constraints, as those would be applied
+## to the document as it is, before the template resolution.
+## A pragmatic compromise is to avoid "required", and rather use "x-required".
+## The validation of required constraints would then be delegated to whatever is used to resolve the templates.
+#####################################################################################################################
 $schema: "https://json-schema.org/draft/2020-12/schema"
 $id: "https://github.com/WebFuzzing/Commons/blob/master/src/main/resources/wfc/schemas/auth.yaml"
 title: "Web Fuzzing Commons Authentication"
@@ -45,7 +54,7 @@ $defs:
 value:
 description: "The value of the header"
 type: string
- required: ["name","value"]
+ x-required: ["name","value"]
 AuthenticationInfo:
 type: object
 properties:
@@ -69,7 +78,7 @@ $defs:
 $ref: "#/$defs/Header"
 loginEndpointAuth:
 $ref: "#/$defs/LoginEndpoint"
- required: ["name"]
+ x-required: ["name"]
 ###
 LoginEndpoint:
 description: "Used to represent the case in which a login endpoint is used to obtain the authentication credentials. \
@@ -115,7 +124,7 @@ $defs:
 If so, a fuzzer can use those as auth info in following requests, instead of trying to extract \
 an auth token from the response payload."
 type: boolean
- required: ["verb"]
+ x-required: ["verb"]
 ###
 TokenHandling:
 description: "Specify how to extract the token from the HTTP response, and how to use it for auth in following requests. \
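Review bot: `x-required` is not a JSON Schema keyword, so a standard draft 2020-12 validator ignores it, and after this change schema validation alone accepts a `Header` without `name`/`value`, an `AuthenticationInfo` without `name` and a `LoginEndpoint` without `verb` (the same holds for the `TokenHandling` and `PayloadUsernamePassword` hunks further down). The new header comment delegates enforcement to "whatever is used to resolve the templates", but nothing in the schema tells a consumer that this check is mandatory or at which point it must run. I would state the contract in the header, e.g. `## Consumers MUST check every "x-required" list after resolving 'authTemplate' and reject the file if a listed key is missing.`, so that an incomplete auth entry is rejected instead of being used half-configured. The top-level `required: ["auth"]` appears to be left unchanged, which looks intentional since that key is not produced by template merging, but it is worth confirming.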
@@ -156,7 +165,7 @@ $defs:
 examples:
 - "Bearer {token}"
 - "JWT {token}"
- required: ["extractFrom", "extractSelector", "sendIn", "sendName"]
+ x-required: ["extractFrom", "extractSelector", "sendIn", "sendName"]
 ###
 PayloadUsernamePassword:
 description: "Payload with username and password information. \
@@ -175,4 +184,4 @@ $defs:
 passwordField:
 description: "The name of the field in the body payload containing the password"
 type: string
- required: ["username","usernameField","password","passwordField"]
+ x-required: ["username","usernameField","password","passwordField"]