fix: jsonx.ApplyJSONPatch

GitOrigin-RevId: 43c10801f5051e3d5fbea5f4f5e90394f6da0fbb

Author: alnr

CHANGELOG.md

@@ -4,13 +4,13 @@
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 **Table of Contents**
 
-- [0.0.0 (2025-07-23)](#000-2025-07-23)
+- [0.0.0 (2025-07-03)](#000-2025-07-03)
   - [Breaking Changes](#breaking-changes)
   - [Related issue(s)](#related-issues)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
-# [0.0.0](https://github.com/ory/hydra/compare/v2.3.0...v0.0.0) (2025-07-23)
+# [0.0.0](https://github.com/ory/hydra/compare/v2.3.0...v0.0.0) (2025-07-03)
 ## Breaking Changes
 
 This patch changes the behavior of configuration item `foo` to do bar. To keep the existing
@@ -41,10 +41,6 @@ If this pull request
 
 ### Bug Fixes
 
-* Add repo syncing for polis ([46d17f8](https://github.com/ory/hydra/commit/46d17f8bfdc59e2185e9ce65823eb2652e01f1b8)):
-
-    GitOrigin-RevId: e277a25d594b512b800d39dd18f36ea3d99fcf84
-
 * Allow updating when JWKS URI is set ([#3935](https://github.com/ory/hydra/issues/3935)) ([#3946](https://github.com/ory/hydra/issues/3946)) ([fb1655b](https://github.com/ory/hydra/commit/fb1655ba86077b10141132ed332ba8d6f8c70582)):
 
     The client validator no longer rejects PATCH and PUT updates when `JSONWebKeysURI` is non-empty and `JSONWebKeys` is not nil.
@@ -75,10 +71,6 @@ If this pull request
     GitOrigin-RevId: 61645585277edd95914705499afd7211a85983eb
 
 * CLI usage help examples ([#3943](https://github.com/ory/hydra/issues/3943)) ([e24f9a7](https://github.com/ory/hydra/commit/e24f9a704c22c72690bc20c498439865181d9239))
-* Copybara script ([7b33358](https://github.com/ory/hydra/commit/7b333585bb44a069bf47267c853aa2e91db0efa3)):
-
-    GitOrigin-RevId: 14665e01451ac5fcdda148b473b8fc35d4fe21ef
-
 * Correct multiple instances of 'stragegy' typo ([#3906](https://github.com/ory/hydra/issues/3906)) ([50eefbc](https://github.com/ory/hydra/commit/50eefbc21c2c43d221b6079bbd78a33ef8c754c4)):
 
     This commit addresses several occurrences where 'strategy' was
@@ -105,10 +97,6 @@ If this pull request
 
     GitOrigin-RevId: 83312e6544bc33ccc30e1e1e414cc04910429192
 
-* Include go.mod in vendored oryx ([08a3ab4](https://github.com/ory/hydra/commit/08a3ab43ddb1e2a0df430224f969fe3f0ba161bf)):
-
-    GitOrigin-RevId: 20365bbe6b2cf95ac7973bcca9056455d2cb3803
-
 * **infrastructure:** Hydra oss CI ([e846541](https://github.com/ory/hydra/commit/e84654185cdfffbf160d5309f744795d15d723f9)):
 
     GitOrigin-RevId: 3df0724e5ea4c81a0f4c481c1a3a34529356d073
@@ -157,14 +145,6 @@ If this pull request
 
     GitOrigin-RevId: 64950988a466bbdb4f25b8d9f5c416ff591c00bf
 
-* Use hard-coded fallback key instead of panic ([e1f6450](https://github.com/ory/hydra/commit/e1f645012f43f62928fdc79710b45d935878367f)):
-
-    GitOrigin-RevId: d7a2270bbf5360288199e9632b2eac6cbc29737c
-
-* Use main branch for polis ([6c24e68](https://github.com/ory/hydra/commit/6c24e68995b8eae9ba0b8872867270ef1d35113b)):
-
-    GitOrigin-RevId: 04533493184c6abdc3a211daffd98f6b68e1c9cc
-
 * Using uuid_generate_v4 function ([#3958](https://github.com/ory/hydra/issues/3958)) ([c206066](https://github.com/ory/hydra/commit/c20606606654af975e5d82998956bb998acee576)):
 
     Removing the md5 function for the uuid generation with native pgsql
@@ -173,13 +153,6 @@ If this pull request
     Closes https://github.com/ory/hydra/issues/3844
 
 
-### Code Refactoring
-
-* Move database meta functions to root x folder for reusability ([7e49133](https://github.com/ory/hydra/commit/7e49133f435d6a0f74a63e8f8d03c5d314d7d3c6)):
-
-    GitOrigin-RevId: 30ee938ea5f1d19bac8967e0ebfe2d595ec27d2b
-
-
 ### Features
 
 * Add error reason to OAuth2TokenExchangeError event ([#3971](https://github.com/ory/hydra/issues/3971)) ([241dd45](https://github.com/ory/hydra/commit/241dd45fa17ed10d1101d890199df47dab4dbce5))
@@ -254,10 +227,6 @@ If this pull request
 
     GitOrigin-RevId: dbb48d171fad1f9b4fd31385f0ef4fb01e39e823
 
-* Move config testhelpers to ory/x ([3a4ba08](https://github.com/ory/hydra/commit/3a4ba084c74cf49a521856f150a8a2c6f3c1aa25)):
-
-    GitOrigin-RevId: fd484445e9715760231f7f86ec212d094e826377
-
 * Revoke Kratos session asynchronously ([#3936](https://github.com/ory/hydra/issues/3936)) ([a0e7ee2](https://github.com/ory/hydra/commit/a0e7ee29298d4f882a7d471e0601b01c6848c40d)):
 
     This change makes the session revocation in Kratos async to improve
@@ -337,18 +306,10 @@ If this pull request
     POST admin/oauth2/auth/sessions/consent?consent_challenge_id=G_TIM3XABG14UwIgDoT1DRfipjhC1uix
     ```
 
-* Use stdlib HTTP router in Kratos ([8f81931](https://github.com/ory/hydra/commit/8f8193179a39dc142d502fbc559891ffa0385ed8)):
-
-    GitOrigin-RevId: 799513e99acbf43a05fe3113ffda45d2fff2a9e0
-
 * Use vendored jackson ([a0a9062](https://github.com/ory/hydra/commit/a0a906211bce4ced3e1f4324eb9d287ef10892a6)):
 
     GitOrigin-RevId: 591238768218ba2b5af93f91ac7e16f4c170da5b
 
-* Use vendored ory/x ([6581e01](https://github.com/ory/hydra/commit/6581e01679b2e146433061cbaaebb80a0e3905b5)):
-
-    GitOrigin-RevId: 994f3b754946ca5b2bd1bab0fe20532f5d5ab62f
-
 
 ### Performance Improvements
 
@@ -359,19 +320,8 @@ If this pull request
 
 ### Tests
 
-* **hydra:** Clean oauth2 session setup ([699e382](https://github.com/ory/hydra/commit/699e38238220f857148b503dfb96d9b057bb4583)):
-
-    GitOrigin-RevId: e05097c7439096cf40fdcf059b3396970b2f1219
-
 * Parallelize and improve ([#3989](https://github.com/ory/hydra/issues/3989)) ([a47e395](https://github.com/ory/hydra/commit/a47e39513f1f08076849f77517977abffa195364))
 
-### Unclassified
-
-* Merge 3834fab8c161a7dc98d43f32acf8efd9e6e95352 into 4dae0f4a8785eb36d8dbb27137f6b924c1e0f0b5 ([dc84053](https://github.com/ory/hydra/commit/dc840535c19d58caf130966e00d3d2fe9f3eb577)):
-
-    GitOrigin-RevId: 0c2dcaa065b64d2aafbcfd49c79363a214c5b2aa
-
-
 
 # [2.3.0](https://github.com/ory/hydra/compare/v2.2.0...v2.3.0) (2025-01-17)
 

client/handler.go

@@ -428,15 +428,16 @@ func (h *Handler) patchOAuth2Client(w http.ResponseWriter, r *http.Request, ps h
 	}
 
 	id := ps.ByName("id")
-	c, err := h.r.ClientManager().GetConcreteClient(r.Context(), id)
+	client, err := h.r.ClientManager().GetConcreteClient(r.Context(), id)
 	if err != nil {
 		h.r.Writer().WriteError(w, r, err)
 		return
 	}
 
-	oldSecret := c.Secret
+	oldSecret := client.Secret
 
-	if err := jsonx.ApplyJSONPatch(patchJSON, c, "/id"); err != nil {
+	client, err = jsonx.ApplyJSONPatch(patchJSON, client, "/id")
+	if err != nil {
 		h.r.Writer().WriteError(w, r, err)
 		return
 	}
@@ -445,16 +446,16 @@ func (h *Handler) patchOAuth2Client(w http.ResponseWriter, r *http.Request, ps h
 	// GetConcreteClient returns a client with the hashed secret, however updateClient expects
 	// an empty secret if the secret hasn't changed. As such we need to check if the patch has
 	// updated the secret or not
-	if oldSecret == c.Secret {
-		c.Secret = ""
+	if oldSecret == client.Secret {
+		client.Secret = ""
 	}
 
-	if err := h.updateClient(r.Context(), c, h.r.ClientValidator().Validate); err != nil {
+	if err := h.updateClient(r.Context(), client, h.r.ClientValidator().Validate); err != nil {
 		h.r.Writer().WriteError(w, r, err)
 		return
 	}
 
-	h.r.Writer().Write(w, r, c)
+	h.r.Writer().Write(w, r, client)
 }
 
 // Paginated OAuth2 Client List Response
@@ -573,7 +574,7 @@ type adminGetOAuth2Client struct {
 //	  200: oAuth2Client
 //	  default: errorOAuth2Default
 func (h *Handler) Get(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
-	var id = ps.ByName("id")
+	id := ps.ByName("id")
 	c, err := h.r.ClientManager().GetConcreteClient(r.Context(), id)
 	if err != nil {
 		h.r.Writer().WriteError(w, r, err)
@@ -683,7 +684,7 @@ type deleteOAuth2Client struct {
 //	  204: emptyResponse
 //	  default: genericError
 func (h *Handler) deleteOAuth2Client(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
-	var id = ps.ByName("id")
+	id := ps.ByName("id")
 	if err := h.r.ClientManager().DeleteClient(r.Context(), id); err != nil {
 		h.r.Writer().WriteError(w, r, err)
 		return
@@ -723,7 +724,7 @@ type setOAuth2ClientLifespans struct {
 //	  200: oAuth2Client
 //	  default: genericError
 func (h *Handler) setOAuth2ClientLifespans(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
-	var id = ps.ByName("id")
+	id := ps.ByName("id")
 	c, err := h.r.ClientManager().GetConcreteClient(r.Context(), id)
 	if err != nil {
 		h.r.Writer().WriteError(w, r, err)

client/sdk_test.go

@@ -5,18 +5,22 @@ package client_test
 
 import (
 	"context"
+	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
 
 	"github.com/mohae/deepcopy"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	goauth2 "golang.org/x/oauth2"
+	"golang.org/x/oauth2/clientcredentials"
 
 	hydra "github.com/ory/hydra-client-go/v2"
 	"github.com/ory/hydra/v2/client"
 	"github.com/ory/hydra/v2/driver/config"
 	"github.com/ory/hydra/v2/internal/testhelpers"
+	"github.com/ory/hydra/v2/oauth2"
 	"github.com/ory/hydra/v2/x"
 	"github.com/ory/x/assertx"
 	"github.com/ory/x/contextx"
@@ -64,11 +68,19 @@ func TestClientSDK(t *testing.T) {
 
 	routerAdmin := x.NewRouterAdmin(conf.AdminURL)
 	routerPublic := x.NewRouterPublic()
-	handler := client.NewHandler(r)
-	handler.SetPublicRoutes(routerPublic)
-	handler.SetAdminRoutes(routerAdmin)
+	clHandler := client.NewHandler(r)
+	clHandler.SetPublicRoutes(routerPublic)
+	clHandler.SetAdminRoutes(routerAdmin)
+	o2Handler := oauth2.NewHandler(r, conf)
+	o2Handler.SetPublicRoutes(routerPublic, func(h http.Handler) http.Handler { return h })
+	o2Handler.SetAdminRoutes(routerAdmin)
+
 	server := httptest.NewServer(routerAdmin)
+	t.Cleanup(server.Close)
+	publicServer := httptest.NewServer(routerPublic)
+	t.Cleanup(publicServer.Close)
 	conf.MustSet(ctx, config.KeyAdminURL, server.URL)
+	conf.MustSet(ctx, config.KeyOAuth2TokenURL, publicServer.URL+"/oauth2/token")
 
 	c := hydra.NewAPIClient(hydra.NewConfiguration())
 	c.GetConfig().Servers = hydra.ServerConfigurations{{URL: server.URL}}
@@ -210,22 +222,44 @@ func TestClientSDK(t *testing.T) {
 	})
 
 	t.Run("case=patch should not alter secret if not requested", func(t *testing.T) {
-		op := "replace"
-		path := "/client_uri"
-		value := "http://foo.bar"
+		created, _, err := c.OAuth2API.CreateOAuth2Client(context.Background()).OAuth2Client(createTestClient("")).Execute()
+		require.NoError(t, err)
+		require.Equal(t, "secret", *created.ClientSecret)
 
-		client := createTestClient("")
-		created, _, err := c.OAuth2API.CreateOAuth2Client(context.Background()).OAuth2Client(client).Execute()
+		cc := clientcredentials.Config{
+			ClientID:     *created.ClientId,
+			ClientSecret: "secret",
+			TokenURL:     conf.OAuth2TokenURL(t.Context()).String(),
+			AuthStyle:    goauth2.AuthStyleInHeader,
+		}
+		token, err := cc.Token(t.Context())
 		require.NoError(t, err)
-		client.ClientId = created.ClientId
+		require.NotZero(t, token.AccessToken)
+
+		ignoreFields := []string{"registration_access_token", "registration_client_uri", "updated_at"}
+
+		patchedURI, _, err := c.OAuth2API.PatchOAuth2Client(context.Background(), *created.ClientId).JsonPatch([]hydra.JsonPatch{{Op: "replace", Path: "/client_uri", Value: "http://foo.bar"}}).Execute()
+		require.NoError(t, err)
+		require.Nil(t, patchedURI.ClientSecret, "client secret should not be returned in the response if it wasn't changed")
+		assertx.EqualAsJSONExcept(t, created, patchedURI, append(ignoreFields, "client_uri", "client_secret"), "client unchanged except client_uri; client_secret should not be returned")
 
-		result1, _, err := c.OAuth2API.PatchOAuth2Client(context.Background(), *client.ClientId).JsonPatch([]hydra.JsonPatch{{Op: op, Path: path, Value: value}}).Execute()
+		token2, err := cc.Token(t.Context())
 		require.NoError(t, err)
-		result2, _, err := c.OAuth2API.PatchOAuth2Client(context.Background(), *client.ClientId).JsonPatch([]hydra.JsonPatch{{Op: op, Path: path, Value: value}}).Execute()
+		require.NotZero(t, token2.AccessToken)
+		require.NotEqual(t, token.AccessToken, token2.AccessToken, "Got a new token after patching, with unchanged secret")
+
+		patchedSecret, _, err := c.OAuth2API.PatchOAuth2Client(context.Background(), *created.ClientId).JsonPatch([]hydra.JsonPatch{{Op: "replace", Path: "/client_secret", Value: "newsecret"}}).Execute()
 		require.NoError(t, err)
+		require.Equal(t, "newsecret", *patchedSecret.ClientSecret, "client secret should be returned if it was changed")
+		assertx.EqualAsJSONExcept(t, patchedURI, patchedSecret, append(ignoreFields, "client_secret"), "client unchanged except secret")
+
+		_, err = cc.Token(t.Context())
+		require.ErrorContains(t, err, "Client authentication failed", "should not be able to get a token with the old secret")
 
-		// secret hashes shouldn't change between these PUT calls
-		require.Equal(t, result1.ClientSecret, result2.ClientSecret)
+		cc.ClientSecret = "newsecret"
+		token3, err := cc.Token(t.Context())
+		require.NoError(t, err, "should be able to get a token with the new secret")
+		require.NotZero(t, token3.AccessToken, "Got a new token after patching with new secret")
 	})
 
 	t.Run("case=patch client that has JSONWebKeysURI", func(t *testing.T) {

oryx/jsonx/debug.go

@@ -6,6 +6,7 @@ package jsonx
 import (
 	"encoding/json"
 	"fmt"
+	"slices"
 )
 
 // Anonymize takes a JSON byte array and anonymizes its content by
@@ -30,7 +31,7 @@ func Anonymize(data []byte, except ...string) []byte {
 
 func anonymize(obj map[string]any, except ...string) {
 	for k, v := range obj {
-		if k == "schemas" || k == "id" {
+		if slices.Contains(except, k) {
 			continue
 		}
 

oryx/jsonx/patch.go

@@ -11,6 +11,7 @@ import (
 
 	jsonpatch "github.com/evanphx/json-patch/v5"
 	"github.com/gobwas/glob"
+	"github.com/pkg/errors"
 
 	"github.com/ory/x/pointerx"
 )
@@ -43,33 +44,34 @@ func isElementAccess(path string) bool {
 	return false
 }
 
-// ApplyJSONPatch applies a JSON patch to an object. It returns an error if the
-// patch is invalid or if the patch includes paths that are denied. denyPaths is
-// a list of path globs (interpreted with [glob.Compile] that are not allowed to
+// ApplyJSONPatch applies a JSON patch to an object and returns the modified
+// object. The original object is not modified. It returns an error if the patch
+// is invalid or if the patch includes paths that are denied. denyPaths is a
+// list of path globs (interpreted with [glob.Compile] that are not allowed to
 // be patched.
-func ApplyJSONPatch(p json.RawMessage, object interface{}, denyPaths ...string) error {
+func ApplyJSONPatch[T any](p json.RawMessage, object T, denyPaths ...string) (result T, err error) {
 	patch, err := jsonpatch.DecodePatch(p)
 	if err != nil {
-		return err
+		return result, errors.WithStack(err)
 	}
 
 	denyPattern := fmt.Sprintf("{%s}", strings.ToLower(strings.Join(denyPaths, ",")))
 	matcher, err := glob.Compile(denyPattern, '/')
 	if err != nil {
-		return err
+		return result, errors.WithStack(err)
 	}
 
 	for _, op := range patch {
 		// Some operations are buggy, see https://github.com/evanphx/json-patch/pull/158
 		if isUnsupported(op) {
-			return fmt.Errorf("unsupported operation: %s", op.Kind())
+			return result, errors.Errorf("unsupported operation: %s", op.Kind())
 		}
 		path, err := op.Path()
 		if err != nil {
-			return fmt.Errorf("error parsing patch operations: %v", err)
+			return result, errors.Errorf("error parsing patch operations: %v", err)
 		}
 		if matcher.Match(strings.ToLower(path)) {
-			return fmt.Errorf("patch includes denied path: %s", path)
+			return result, errors.Errorf("patch includes denied path: %s", path)
 		}
 
 		// JSON patch officially rejects replacing paths that don't exist, but we want to be more tolerant.
@@ -81,16 +83,17 @@ func ApplyJSONPatch(p json.RawMessage, object interface{}, denyPaths ...string)
 
 	original, err := json.Marshal(object)
 	if err != nil {
-		return err
+		return result, errors.WithStack(err)
 	}
 
 	options := jsonpatch.NewApplyOptions()
 	options.EnsurePathExistsOnAdd = true
 
 	modified, err := patch.ApplyWithOptions(original, options)
 	if err != nil {
-		return err
+		return result, errors.WithStack(err)
 	}
 
-	return json.Unmarshal(modified, object)
+	err = json.Unmarshal(modified, &result)
+	return result, errors.WithStack(err)
 }

oryx/snapshotx/snapshot.go

@@ -93,7 +93,7 @@ func SnapshotT(t *testing.T, actual interface{}, except ...ExceptOpt) {
 	).SnapshotT(t, compare)
 }
 
-// SnapshotTExcept
+// SnapshotTExcept is deprecated in favor of SnapshotT with ExceptOpt.
 //
 // DEPRECATED: please use SnapshotT instead
 func SnapshotTExcept(t *testing.T, actual interface{}, except []string) {