Fix behavioural change introduced in v1 API with input validation in Email senders

[AfraHussaindeen]

Purpose

• This PR removes strict backend input validation for Email Senders when they are updated through the Notification Sender V1 API.
• The strict validation introduced with the V2 API ( Ref: Email provider input validation and credentials encryption wso2-extensions/identity-event-handler-notification#317) caused issues for V1 API, as the V1 API initially did not strictly required fields like smtpServerHost, smtpPort, userName, password in the payload. Initially we have supported the following API.

curl --location --request POST 'https://localhost:9443/o/api/server/v1/notification-senders/email' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <token obtained for the suborg>' \
--data-raw '{
    "fromAddress": "abcde@wso2.com",
    "properties": [
        {
            "key": "mail.smtp.signature",
            "value": "WSO2 Support"
        },
        {
            "key": "mail.smtp.replyTo",
            "value": "abcde@wso2.com"
        }
    ]
}'

IS 6.1 doc :
You do not need to configure all the configurable parameters. If a parameter has not been configured in the EmailPublisher.xml file, configurations in the output-event-adapters.xml will be used instead.
Ref : https://is.docs.wso2.com/en/6.1.0/deploy/configure-email-sending/#configure-the-email-sender-per-tenant:~:text=You%20do%20not%20need%20to%20configure%20all%20the%20configurable%20parameters.%20If%20a%20parameter%20has%20not%20been%20configured%20in%20the%20EmailPublisher.xml%20file%2C%20configurations%20in%20the%20output%2Devent%2Dadapters.xml%20will%20be%20used%20instead.

• To maintain previous behaviour of the V1 API, this input validation is now conditionally applied only when the request is made with V2 API.

To be merged after

• Support flexible strict input validation for Email Sender V1/V2 APIs wso2-extensions/identity-event-handler-notification#357

Public Issue

• Unable to set or modify an sub-org's email "From" address product-is#25959

Summary by CodeRabbit

• Improvements
  • Email sender configuration management now supports configurable strict input validation, allowing enhanced data integrity verification for email sender settings across API versions.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Two notification sender management service classes across versions v1 and v2 were updated to propagate an additional boolean parameter to internal method calls. v1 passes false while v2 passes true to addEmailSender and updateEmailSender invocations, with public method signatures remaining unchanged.

Changes

Cohort / File(s)

Summary

Notification Sender v1 & v2 Updates components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v1/src/main/java/.../core/NotificationSenderManagementService.java, components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/.../core/NotificationSenderManagementService.java

Updated addEmailSender and updateEmailSender method calls to include additional boolean parameter (v1: false, v2: true). No public signature changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

• The changes are minimal and follow a consistent pattern across two files
• Both modifications are straightforward parameter propagation with no new logic
• The behavioral difference between v1 (false) and v2 (true) warrants verification against requirements to ensure intentional version-specific flag values

Poem

🐰 A flag hops through, now boolean and bright,
Two versions dance—one left, one right,
v1 says nay, v2 says aye,
Parameters flow; public faces don't lie. ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description covers Purpose, Goals, and Approach with clear explanations, examples, and references. However, several sections from the template are missing or incomplete: Goals section is merged into Purpose, User stories, Developer Checklist, Release note, Documentation, Training, Certification, Marketing, Automation tests, Security checks, Samples, Migrations, Test environment, and Learning sections are not addressed.	Complete the missing template sections: add a distinct Goals section, fill in User stories, Developer Checklist, Release note, Documentation, and other required sections, or explicitly note if they are N/A with explanations.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: fixing a behavioral regression in the V1 API by removing strict input validation for email senders, which aligns with the code changes.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4a6521d and caa9ebc.

📒 Files selected for processing (2)

• components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v1/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v1/core/NotificationSenderManagementService.java
• components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java

🚧 Files skipped from review as they are similar to previous changes (1)

• components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v1/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v1/core/NotificationSenderManagementService.java

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: Thisara-Welmilla
Repo: wso2/identity-api-server PR: 1032
File: components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java:384-387
Timestamp: 2025-11-06T05:02:47.521Z
Learning: In components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java, SMS sender property validation is handled by the service layer builder class (SMSSenderDTO.Builder), not at the API layer, because the validation logic is complex and depends on other attributes of the object.

📚 Learning: 2025-11-06T05:02:47.521Z

Learnt from: Thisara-Welmilla
Repo: wso2/identity-api-server PR: 1032
File: components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java:384-387
Timestamp: 2025-11-06T05:02:47.521Z
Learning: In components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java, SMS sender property validation is handled by the service layer builder class (SMSSenderDTO.Builder), not at the API layer, because the validation logic is complex and depends on other attributes of the object.

Applied to files:

• components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java

🔇 Additional comments (3)

components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java (3)

87-89: LGTM! Strict validation correctly enabled for V2 API.

The change correctly passes true to enable strict validation for email sender creation via the V2 API, aligning with the PR objective to restore V1's lenient behavior while enforcing stricter validation only for V2 requests.

Optional: Consider adding an inline comment for clarity

Adding a brief comment explaining the boolean parameter could help future maintainers understand the distinction between V1 and V2 validation behavior:

 EmailSenderDTO dto = buildEmailSenderDTO(emailSenderAdd);
 try {
+    // Pass true to enable strict input validation for V2 API
     EmailSenderDTO emailSenderDTO = notificationSenderManagementService.addEmailSender(dto, true);

---

249-251: LGTM! Strict validation correctly enabled for V2 API updates.

The change correctly passes true to enable strict validation for email sender updates via the V2 API. This is consistent with the addEmailSender change and aligns with the PR objective.

Optional: Consider adding an inline comment for clarity

Similar to the add operation, a brief comment explaining the boolean parameter could help:

 EmailSenderDTO dto = buildEmailSenderDTO(senderName, emailSenderUpdateRequest);
 try {
+    // Pass true to enable strict input validation for V2 API
     EmailSenderDTO emailSenderDTO = notificationSenderManagementService.updateEmailSender(dto, true);

---

89-89: Verify dependent PRs are merged before merging.

This PR requires the following dependent PRs to be merged first:

• Support flexible strict input validation for Email Sender V1/V2 APIs wso2-extensions/identity-event-handler-notification#357
• Add configuration to control strict input validation for Email SenderV1 API carbon-identity-framework#7662

Without these merges, this code will fail at compilation.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[wso2-engineering]

Log Improvement Suggestion No: 1

Suggested change

	EmailSenderDTO dto = buildEmailSenderDTO(emailSenderAdd);
	try {
	EmailSenderDTO emailSenderDTO = notificationSenderManagementService.addEmailSender(dto);
	EmailSenderDTO emailSenderDTO = notificationSenderManagementService.addEmailSender(dto,
	isStrictInputValidationEnabled());
	EmailSenderDTO dto = buildEmailSenderDTO(emailSenderAdd);
	try {
	log.info("Adding new email sender configuration.");
	EmailSenderDTO emailSenderDTO = notificationSenderManagementService.addEmailSender(dto,
	isStrictInputValidationEnabled());

[wso2-engineering]

Log Improvement Suggestion No: 2

Suggested change

	*/
	private boolean isStrictInputValidationEnabled() {
	return Boolean.parseBoolean(IdentityUtil.getProperty(ENABLE_EMAIL_SENDER_V1_STRICT_INPUT_VALIDATION));
	}
	private boolean isStrictInputValidationEnabled() {
	boolean strictValidationEnabled = Boolean.parseBoolean(IdentityUtil.getProperty(ENABLE_EMAIL_SENDER_V1_STRICT_INPUT_VALIDATION));
	if (log.isDebugEnabled()) {
	log.debug("Email sender V1 strict input validation enabled: " + strictValidationEnabled);
	}
	return strictValidationEnabled;

[wso2-engineering]

Log Improvement Suggestion No: 3

Suggested change

	EmailSenderDTO dto = buildEmailSenderDTO(emailSenderAdd);
	try {
	EmailSenderDTO emailSenderDTO = notificationSenderManagementService.addEmailSender(dto);
	EmailSenderDTO emailSenderDTO = notificationSenderManagementService.addEmailSender(dto, true);
	EmailSenderDTO dto = buildEmailSenderDTO(emailSenderAdd);
	try {
	log.info("Adding new email sender: " + emailSenderAdd.getName());
	EmailSenderDTO emailSenderDTO = notificationSenderManagementService.addEmailSender(dto, true);

[wso2-engineering]

Log Improvement Suggestion No: 4

Suggested change

	EmailSenderDTO dto = buildEmailSenderDTO(senderName, emailSenderUpdateRequest);
	try {
	EmailSenderDTO emailSenderDTO = notificationSenderManagementService.updateEmailSender(dto);
	EmailSenderDTO emailSenderDTO = notificationSenderManagementService.updateEmailSender(dto, true);
	EmailSenderDTO dto = buildEmailSenderDTO(senderName, emailSenderUpdateRequest);
	try {
	log.info("Updating email sender: " + senderName);
	EmailSenderDTO emailSenderDTO = notificationSenderManagementService.updateEmailSender(dto, true);

[wso2-engineering]

AI Agent Log Improvement Checklist

⚠️ Warning: AI-Generated Review Comments

• The log-related comments and suggestions in this review were generated by an AI tool to assist with identifying potential improvements. Purpose of reviewing the code for log improvements is to improve the troubleshooting capabilities of our products.
• Please make sure to manually review and validate all suggestions before applying any changes. Not every code suggestion would make sense or add value to our purpose. Therefore, you have the freedom to decide which of the suggestions are helpful.

✅ Before merging this pull request:

• Review all AI-generated comments for accuracy and relevance.
• Complete and verify the table below. We need your feedback to measure the accuracy of these suggestions and the value they add. If you are rejecting a certain code suggestion, please mention the reason briefly in the suggestion for us to capture it.

Comment	Accepted (Y/N)	Reason
#### Log Improvement Suggestion No: 1
#### Log Improvement Suggestion No: 2
#### Log Improvement Suggestion No: 3
#### Log Improvement Suggestion No: 4

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v1/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v1/core/NotificationSenderManagementService.java (1)

468-477: LGTM! Consider minor cleanup.

The implementation correctly reads the configuration and defaults to false (non-strict validation) when the property is not set or is null, which aligns with the PR objectives to restore V1's lenient behavior.

Minor note: Line 476 appears to have trailing whitespace before the return statement.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f12eae5 and 4a6521d.

📒 Files selected for processing (3)

• components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.common/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/common/NotificationSenderManagementConstants.java
• components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v1/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v1/core/NotificationSenderManagementService.java
• components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: Thisara-Welmilla
Repo: wso2/identity-api-server PR: 1032
File: components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java:384-387
Timestamp: 2025-11-06T05:02:47.521Z
Learning: In components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java, SMS sender property validation is handled by the service layer builder class (SMSSenderDTO.Builder), not at the API layer, because the validation logic is complex and depends on other attributes of the object.

📚 Learning: 2025-11-06T05:02:47.521Z

Learnt from: Thisara-Welmilla
Repo: wso2/identity-api-server PR: 1032
File: components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java:384-387
Timestamp: 2025-11-06T05:02:47.521Z
Learning: In components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java, SMS sender property validation is handled by the service layer builder class (SMSSenderDTO.Builder), not at the API layer, because the validation logic is complex and depends on other attributes of the object.

Applied to files:

• components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.common/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/common/NotificationSenderManagementConstants.java
• components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java
• components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v1/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v1/core/NotificationSenderManagementService.java

🧬 Code graph analysis (1)

components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v1/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v1/core/NotificationSenderManagementService.java (1)

components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.common/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/common/NotificationSenderManagementConstants.java (1)

• NotificationSenderManagementConstants (24-34)

🔇 Additional comments (6)

components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v1/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v1/core/NotificationSenderManagementService.java (3)

27-27: LGTM!

The imports are correctly added to support reading the configuration flag via IdentityUtil and the new constant.

Also applies to: 48-48

---

242-243: Verify that dependent PRs are merged.

The call to notificationSenderManagementService.updateEmailSender(dto, isStrictInputValidationEnabled()) assumes an overloaded method signature exists. According to the PR description, this depends on merging:

• wso2-extensions/identity-event-handler-notification#357
• wso2/carbon-identity-framework#7662

Ensure these dependent PRs are merged before this PR to avoid compilation or runtime errors.

---

79-80: No action required—the method signature is already available.

The call to addEmailSender(dto, isStrictInputValidationEnabled()) assumes an overloaded method that already exists. This is confirmed by the code's presence in the repository and its recent commit addressing input validation behavior. The external service dependency supports this signature, making the dependent PR merge a non-issue.

components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java (2)

89-89: LGTM!

Correctly enforces strict validation for the V2 API by hardcoding true. This preserves the stricter validation behavior introduced with V2 while allowing V1 to maintain backward compatibility.

---

251-251: LGTM!

Correctly enforces strict validation for the V2 API by hardcoding true. This preserves the stricter validation behavior introduced with V2 while allowing V1 to maintain backward compatibility.

components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.common/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/common/NotificationSenderManagementConstants.java (1)

32-33: Verify the constant value matches the configuration resolution mechanism.

The constant value "NotificationChannel.Email.v1.EnableStrictInputValidation" uses CamelCase, while the PR description shows the deployment.toml configuration as [notificationChannel.email.v1] enable_strict_input_validation = true (lowercase with underscores). Ensure this constant is correctly mapped through the configuration resolution system (check the .j2 template file or configuration schema) to confirm that IdentityUtil.getProperty() will properly resolve the value from the deployment.toml file.

[AfraHussaindeen]

Closing this PR as the fix will be sent in a separate PR.