fix: use non-nullable empty string for clientAuth in public PKCE clients

Address PR review feedback from @zerox80 to use empty string instead
of nullable String? for clientAuth parameter.

- Change clientAuth from String? to String across domain/data layers
- Use empty string "" for public clients instead of null
- Simplify header check to isNotEmpty() instead of null-safe chain
- Add unit test for public PKCE client token exchange scenario

Author: rcdailey

opencloudApp/src/main/java/eu/opencloud/android/presentation/authentication/AccountAuthenticator.java

@@ -345,7 +345,7 @@ private String refreshToken(
 
         String clientIdForRequest = null;
         String clientSecretForRequest = null;
-        String clientAuth = null;
+        String clientAuth;
 
         if (clientId == null) {
             Timber.d("Client Id not stored. Let's use the hardcoded one");
@@ -366,12 +366,12 @@ private String refreshToken(
             // RFC 7636: Public clients (token_endpoint_auth_method: none) must not send Authorization header
             if (oidcServerConfigurationUseCaseResult.getDataOrNull() != null &&
                     oidcServerConfigurationUseCaseResult.getDataOrNull().isTokenEndpointAuthMethodNone()) {
-                clientAuth = null;
+                clientAuth = "";
                 clientIdForRequest = clientId;
             } else if (oidcServerConfigurationUseCaseResult.getDataOrNull() != null &&
                     oidcServerConfigurationUseCaseResult.getDataOrNull().isTokenEndpointAuthMethodSupportedClientSecretPost()) {
                 // For client_secret_post, credentials go in body, not Authorization header
-                clientAuth = null;
+                clientAuth = "";
                 clientIdForRequest = clientId;
                 clientSecretForRequest = clientSecret;
             } else {

opencloudApp/src/main/java/eu/opencloud/android/presentation/authentication/LoginActivity.kt

@@ -669,38 +669,37 @@ class LoginActivity : AppCompatActivity(), SslUntrustedCertDialog.OnSslUntrusted
         // Use oidc discovery one, or build an oauth endpoint using serverBaseUrl + Setup string.
         val tokenEndPoint: String
 
-        var clientId: String? = null
-        var clientSecret: String? = null
-        var clientAuth: String? = null
+        // Determine clientId and clientSecret
+        val (clientId, clientSecret) = if (clientRegistrationInfo?.clientId != null && clientRegistrationInfo.clientSecret != null) {
+            Pair(clientRegistrationInfo.clientId, clientRegistrationInfo.clientSecret as String)
+        } else {
+            Pair(getString(R.string.oauth2_client_id), getString(R.string.oauth2_client_secret))
+        }
+
+        var clientIdForRequest: String? = null
+        var clientSecretForRequest: String? = null
+        var clientAuth: String
 
         val serverInfo = authenticationViewModel.serverInfo.value?.peekContent()?.getStoredData()
         if (serverInfo is ServerInfo.OIDCServer) {
             tokenEndPoint = serverInfo.oidcServerConfiguration.tokenEndpoint
 
             // RFC 7636: Public clients (token_endpoint_auth_method: none) must not send Authorization header
             if (serverInfo.oidcServerConfiguration.isTokenEndpointAuthMethodNone()) {
-                clientAuth = null
-                clientId = clientRegistrationInfo?.clientId ?: contextProvider.getString(R.string.oauth2_client_id)
+                clientAuth = ""
+                clientIdForRequest = clientId
             } else if (serverInfo.oidcServerConfiguration.isTokenEndpointAuthMethodSupportedClientSecretPost()) {
                 // For client_secret_post, credentials go in body, not Authorization header
-                clientAuth = null
-                clientId = clientRegistrationInfo?.clientId ?: contextProvider.getString(R.string.oauth2_client_id)
-                clientSecret = clientRegistrationInfo?.clientSecret ?: contextProvider.getString(R.string.oauth2_client_secret)
+                clientAuth = ""
+                clientIdForRequest = clientId
+                clientSecretForRequest = clientSecret
             } else {
                 // For other methods (e.g., client_secret_basic), use Basic auth header
-                clientAuth = if (clientRegistrationInfo?.clientId != null && clientRegistrationInfo.clientSecret != null) {
-                    OAuthUtils.getClientAuth(clientRegistrationInfo.clientSecret as String, clientRegistrationInfo.clientId)
-                } else {
-                    OAuthUtils.getClientAuth(getString(R.string.oauth2_client_secret), getString(R.string.oauth2_client_id))
-                }
+                clientAuth = OAuthUtils.getClientAuth(clientSecret, clientId)
             }
         } else {
             tokenEndPoint = "$serverBaseUrl${File.separator}${contextProvider.getString(R.string.oauth2_url_endpoint_access)}"
-            clientAuth = if (clientRegistrationInfo?.clientId != null && clientRegistrationInfo.clientSecret != null) {
-                OAuthUtils.getClientAuth(clientRegistrationInfo.clientSecret as String, clientRegistrationInfo.clientId)
-            } else {
-                OAuthUtils.getClientAuth(getString(R.string.oauth2_client_secret), getString(R.string.oauth2_client_id))
-            }
+            clientAuth = OAuthUtils.getClientAuth(clientSecret, clientId)
         }
 
         val scope = resources.getString(R.string.oauth2_openid_scope)
@@ -710,8 +709,8 @@ class LoginActivity : AppCompatActivity(), SslUntrustedCertDialog.OnSslUntrusted
             tokenEndpoint = tokenEndPoint,
             clientAuth = clientAuth,
             scope = scope,
-            clientId = clientId,
-            clientSecret = clientSecret,
+            clientId = clientIdForRequest,
+            clientSecret = clientSecretForRequest,
             authorizationCode = authorizationCode,
             redirectUri = OAuthUtils.buildRedirectUri(applicationContext).toString(),
             codeVerifier = authenticationViewModel.codeVerifier

opencloudComLibrary/src/main/java/eu/opencloud/android/lib/resources/oauth/TokenRequestRemoteOperation.kt

@@ -54,8 +54,8 @@ class TokenRequestRemoteOperation(
 
             val postMethod = PostMethod(URL(tokenRequestParams.tokenEndpoint), requestBody)
 
-            tokenRequestParams.clientAuth?.takeIf { it.isNotEmpty() }?.let {
-                postMethod.addRequestHeader(AUTHORIZATION_HEADER, it)
+            if (tokenRequestParams.clientAuth.isNotEmpty()) {
+                postMethod.addRequestHeader(AUTHORIZATION_HEADER, tokenRequestParams.clientAuth)
             }
 
             val status = client.executeHttpMethod(postMethod)

opencloudComLibrary/src/main/java/eu/opencloud/android/lib/resources/oauth/params/TokenRequestParams.kt

@@ -30,7 +30,7 @@ import okhttp3.RequestBody
 
 sealed class TokenRequestParams(
     val tokenEndpoint: String,
-    val clientAuth: String?,
+    val clientAuth: String,
     val grantType: String,
     val scope: String,
     val clientId: String?,
@@ -40,7 +40,7 @@ sealed class TokenRequestParams(
 
     class Authorization(
         tokenEndpoint: String,
-        clientAuth: String?,
+        clientAuth: String,
         grantType: String,
         scope: String,
         clientId: String?,
@@ -65,7 +65,7 @@ sealed class TokenRequestParams(
 
     class RefreshToken(
         tokenEndpoint: String,
-        clientAuth: String?,
+        clientAuth: String,
         grantType: String,
         scope: String,
         clientId: String?,

opencloudData/src/test/java/eu/opencloud/android/data/oauth/datasources/implementation/OCRemoteOAuthDataSourceTest.kt

@@ -34,13 +34,15 @@ import eu.opencloud.android.testutil.oauth.OC_CLIENT_REGISTRATION
 import eu.opencloud.android.testutil.oauth.OC_CLIENT_REGISTRATION_REQUEST
 import eu.opencloud.android.testutil.oauth.OC_OIDC_SERVER_CONFIGURATION
 import eu.opencloud.android.testutil.oauth.OC_TOKEN_REQUEST_ACCESS
+import eu.opencloud.android.testutil.oauth.OC_TOKEN_REQUEST_ACCESS_PUBLIC_CLIENT
 import eu.opencloud.android.testutil.oauth.OC_TOKEN_RESPONSE
 import eu.opencloud.android.utils.createRemoteOperationResultMock
 import io.mockk.every
 import io.mockk.mockk
 import io.mockk.verify
 import org.junit.Assert.assertEquals
 import org.junit.Assert.assertNotNull
+import org.junit.Assert.assertTrue
 import org.junit.Before
 import org.junit.Test
 
@@ -102,6 +104,37 @@ class OCRemoteOAuthDataSourceTest {
         }
     }
 
+    /**
+     * Test for public PKCE clients (RFC 7636).
+     * Public clients MUST NOT send Authorization header during token exchange.
+     * This test verifies that token requests work correctly with empty clientAuth.
+     */
+    @Test
+    fun `performTokenRequest with public PKCE client returns a TokenResponse`() {
+        val tokenResponseResult: RemoteOperationResult<TokenResponse> =
+            createRemoteOperationResultMock(data = OC_REMOTE_TOKEN_RESPONSE, isSuccess = true)
+
+        every {
+            oidcService.performTokenRequest(ocClientMocked, any())
+        } returns tokenResponseResult
+
+        // Verify the fixture has empty clientAuth for public clients
+        assertTrue(
+            "clientAuth should be empty for public clients",
+            OC_TOKEN_REQUEST_ACCESS_PUBLIC_CLIENT.clientAuth.isEmpty()
+        )
+
+        val tokenResponse = remoteOAuthDataSource.performTokenRequest(OC_TOKEN_REQUEST_ACCESS_PUBLIC_CLIENT)
+
+        assertNotNull(tokenResponse)
+        assertEquals(OC_TOKEN_RESPONSE, tokenResponse)
+
+        verify(exactly = 1) {
+            clientManager.getClientForAnonymousCredentials(OC_SECURE_BASE_URL, any())
+            oidcService.performTokenRequest(ocClientMocked, any())
+        }
+    }
+
     @Test
     fun `registerClient returns a ClientRegistrationInfo`() {
         val clientRegistrationResponse: RemoteOperationResult<ClientRegistrationResponse> =

opencloudDomain/src/main/java/eu/opencloud/android/domain/authentication/oauth/model/TokenRequest.kt

@@ -24,7 +24,7 @@ package eu.opencloud.android.domain.authentication.oauth.model
 sealed class TokenRequest(
     val baseUrl: String,
     val tokenEndpoint: String,
-    val clientAuth: String?,
+    val clientAuth: String,
     val grantType: String,
     val scope: String,
     val clientId: String?,
@@ -33,7 +33,7 @@ sealed class TokenRequest(
     class AccessToken(
         baseUrl: String,
         tokenEndpoint: String,
-        clientAuth: String?,
+        clientAuth: String,
         scope: String,
         clientId: String? = null,
         clientSecret: String? = null,
@@ -45,7 +45,7 @@ sealed class TokenRequest(
     class RefreshToken(
         baseUrl: String,
         tokenEndpoint: String,
-        clientAuth: String?,
+        clientAuth: String,
         scope: String,
         clientId: String? = null,
         clientSecret: String? = null,

opencloudTestUtil/src/main/java/eu/opencloud/android/testutil/oauth/TokenRequest.kt

@@ -43,3 +43,25 @@ val OC_TOKEN_REQUEST_ACCESS = TokenRequest.AccessToken(
     redirectUri = OC_REDIRECT_URI,
     codeVerifier = "A high-entropy cryptographic random STRING using the unreserved characters"
 )
+
+/**
+ * Test fixtures for public PKCE clients (RFC 7636).
+ * Public clients MUST NOT send Authorization header during token exchange.
+ */
+val OC_TOKEN_REQUEST_REFRESH_PUBLIC_CLIENT = TokenRequest.RefreshToken(
+    baseUrl = OC_SECURE_BASE_URL,
+    tokenEndpoint = OC_TOKEN_ENDPOINT,
+    clientAuth = "", // Empty for public clients per RFC 7636
+    scope = OC_SCOPE,
+    refreshToken = OC_REFRESH_TOKEN
+)
+
+val OC_TOKEN_REQUEST_ACCESS_PUBLIC_CLIENT = TokenRequest.AccessToken(
+    baseUrl = OC_SECURE_BASE_URL,
+    tokenEndpoint = OC_TOKEN_ENDPOINT,
+    clientAuth = "", // Empty for public clients per RFC 7636
+    scope = OC_SCOPE,
+    authorizationCode = "4uth0r1z4t10nC0d3",
+    redirectUri = OC_REDIRECT_URI,
+    codeVerifier = "A high-entropy cryptographic random STRING using the unreserved characters"
+)