Onboarding notification-senders/email PATCH endpoint #1034

lashinijay · 2025-10-31T04:29:08Z

Purpose

This change is to onboard PATCH support for notification-senders/email v2 API.

Related Issue

Add PATCH support for email provider update product-is#26158

Goals

Describe the solutions that this feature/fix will introduce to resolve the problems described above

Approach

Describe how you are implementing the solutions. Include an animated GIF or screenshot if the change affects the UI (email documentation@wso2.com to review all UI text). Include a link to a Markdown file or Google doc if the feature write-up is too long to paste here.

User stories

Summary of user stories addressed by this change>

Developer Checklist (Mandatory)

Complete the Developer Checklist in the related product-is issue to track any behavioral change or migration impact.

Release note

Brief description of the new feature or bug fix as it will appear in the release notes

Documentation

Link(s) to product documentation that addresses the changes of this PR. If no doc impact, enter “N/A” plus brief explanation of why there’s no doc impact

Training

Link to the PR for changes to the training content in https://github.com/wso2/WSO2-Training, if applicable

Certification

Type “Sent” when you have provided new/updated certification questions, plus four answers for each question (correct answer highlighted in bold), based on this change. Certification questions/answers should be sent to certification@wso2.com and NOT pasted in this PR. If there is no impact on certification exams, type “N/A” and explain why.

Marketing

Link to drafts of marketing content that will describe and promote this feature, including product page changes, technical articles, blog posts, videos, etc., if applicable

Automation tests

Unit tests

Code coverage information
Integration tests

Details about the test cases and coverage

Security checks

Followed secure coding standards in http://wso2.com/technical-reports/wso2-secure-engineering-guidelines? yes/no
Ran FindSecurityBugs plugin and verified report? yes/no
Confirmed that this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets? yes/no

Samples

Provide high-level details about the samples related to this feature

Related PRs

List any other related PRs

Migrations (if applicable)

Describe migration steps and platforms on which migration has been tested

Test environment

List all JDK versions, operating systems, databases, and browser/versions on which this feature/fix was tested

Learning

Describe the research phase and any blog posts, patterns, libraries, or add-ons you used to solve the problem.

Summary by CodeRabbit

New Features
- Added PATCH support for email senders, enabling partial updates to notification sender configurations.
Security
- Enhanced email sender property exports to securely filter and handle sensitive credentials, preventing unintended exposure.

The new endpoint enforces tenant-level isolation consistent with existing security patterns.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

...bon/identity/api/server/notification/sender/v1/core/NotificationSenderManagementService.java

...bon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java

...arbon/identity/api/server/notification/sender/v2/impl/NotificationSendersApiServiceImpl.java

wso2-engineering

AI Agent Log Improvement Checklist

⚠️ Warning: AI-Generated Review Comments

The log-related comments and suggestions in this review were generated by an AI tool to assist with identifying potential improvements. Purpose of reviewing the code for log improvements is to improve the troubleshooting capabilities of our products.
Please make sure to manually review and validate all suggestions before applying any changes. Not every code suggestion would make sense or add value to our purpose. Therefore, you have the freedom to decide which of the suggestions are helpful.

✅ Before merging this pull request:

Review all AI-generated comments for accuracy and relevance.
Complete and verify the table below. We need your feedback to measure the accuracy of these suggestions and the value they add. If you are rejecting a certain code suggestion, please mention the reason briefly in the suggestion for us to capture it.

Comment	Accepted (Y/N)	Reason
#### Log Improvement Suggestion No: 1	Y	Added a debug log for clarity
#### Log Improvement Suggestion No: 2	N	Unnecessary info log
#### Log Improvement Suggestion No: 3	N	Exception is thrown properly
#### Log Improvement Suggestion No: 4	N	Unnecessary info log
#### Log Improvement Suggestion No: 5	N	Unnecessary warn log

coderabbitai · 2025-12-12T09:48:56Z

Walkthrough

Added PATCH endpoint for partial email sender updates in API v2 with merge logic and tenant isolation checks. Also filters CLIENT_SECRET property from email sender DTO-to-API conversion in v1 service layer.

Changes

Cohort / File(s)	Summary
v1 Service Client Secret Filtering `components/.../notification.sender/...v1/src/main/java/.../NotificationSenderManagementService.java`	Filters CLIENT_SECRET property (case-insensitive) from email sender properties during DTO-to-API conversion; logs debug message on skip.
v2 Service Core Patch Logic `components/.../notification.sender/...v2/src/main/java/.../core/NotificationSenderManagementService.java`	Introduces `patchEmailSender()` public method and internal `updateEmailSenderDTOFromPatchRequest()` for merging existing and updated fields; preserves credentials for BASIC auth.
v2 REST Endpoint & OpenAPI Spec `components/.../notification.sender/...v2/src/main/java/.../impl/NotificationSendersApiServiceImpl.java`, `components/.../notification.sender/...v2/src/main/resources/notification-sender.yaml`	Adds REST endpoint `patchEmailSender()` with tenant isolation guard (405 for super tenant); extends OpenAPI spec with PATCH method mirroring PUT operation structure.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Patch merge logic: Verify correct handling of non-null field merging and credentials preservation for BASIC auth scenarios
Tenant isolation consistency: Confirm 405 response guard aligns with existing updateEmailSender and deleteEmailSender patterns
Property filtering scope: Validate CLIENT_SECRET filtering doesn't inadvertently remove other sensitive properties

Poem

🐰 A patch here, a patch there,
Partial updates with utmost care,
No secrets spill in this new flow,
Merged fields dance—tenants stay below!
YAML and code in perfect row,
hops joyfully ✨

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description is largely incomplete with multiple mandatory sections containing only placeholder text and unfilled prompts rather than concrete information.	Complete Goals, Approach, and User stories sections with meaningful descriptions. Provide specific test coverage details, security check responses, and documentation/training/certification/marketing links where applicable.
Docstring Coverage	⚠️ Warning	Docstring coverage is 27.27% which is insufficient. The required threshold is 80.00%.	You can run `@coderabbitai generate docstrings` to improve docstring coverage.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: adding PATCH endpoint support for the notification-senders/email API.

✨ Finishing touches

📝 Generate docstrings

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

Actionable comments posted: 2

♻️ Duplicate comments (1)

components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v1/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v1/core/NotificationSenderManagementService.java (1)
323-332: Prevent secret leakage: filtering CLIENT_SECRET is the right move
Two small follow-ups:

Consider guarding equalsIgnoreCase against a null key to avoid a potential NPE if upstream ever produces a null key.

The log.isDebugEnabled() guard was already suggested in prior review for this exact block.
 dto.getProperties().forEach((key, value) -> {
-    if (NotificationSenderManagementConstants.CLIENT_SECRET.equalsIgnoreCase(key)) {
+    if (key != null && NotificationSenderManagementConstants.CLIENT_SECRET.equalsIgnoreCase(key)) {
         log.debug("Skipping client secret property from email sender configuration");
         return;
     }
     Properties prop = new Properties();
     prop.setKey(key);
     prop.setValue(value);
     properties.add(prop);
 });

🧹 Nitpick comments (2)

components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java (1)
363-363: Redundant setName call.

The name is already set when getEmailSender(senderName) returns the existing DTO. This line is redundant.

Apply this diff to remove the redundant call:
-        existingEmailSenderDTO.setName(senderName);
components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/resources/notification-sender.yaml (1)
265-272: Clarify PATCH vs PUT semantics in documentation.

The summary and description are identical to the PUT operation, which doesn't communicate that PATCH performs partial updates while PUT typically requires all fields. Consider updating the documentation to clarify the difference.

Apply this diff to improve clarity:
-      summary: Update an email sender
+      summary: Partially update an email sender
       description: |
-        This API provides the capability to update an email sender by name.
+        This API provides the capability to partially update an email sender by name. Only the fields provided in the request will be updated; omitted fields will retain their existing values.
         The URL encoded email sender name is used as sender-name.<br>

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a17ea3c and 7b51ae6.

⛔ Files ignored due to path filters (2)

components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/gen/java/org/wso2/carbon/identity/api/server/notification/sender/v2/NotificationSendersApi.java is excluded by !**/gen/**
components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/gen/java/org/wso2/carbon/identity/api/server/notification/sender/v2/NotificationSendersApiService.java is excluded by !**/gen/**

📒 Files selected for processing (4)

components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v1/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v1/core/NotificationSenderManagementService.java (5 hunks)
components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java (2 hunks)
components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/impl/NotificationSendersApiServiceImpl.java (1 hunks)
components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/resources/notification-sender.yaml (1 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: Thisara-Welmilla
Repo: wso2/identity-api-server PR: 1032
File: components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java:384-387
Timestamp: 2025-11-06T05:02:47.521Z
Learning: In components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java, SMS sender property validation is handled by the service layer builder class (SMSSenderDTO.Builder), not at the API layer, because the validation logic is complex and depends on other attributes of the object.

📚 Learning: 2025-11-06T05:02:47.521Z

Learnt from: Thisara-Welmilla
Repo: wso2/identity-api-server PR: 1032
File: components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java:384-387
Timestamp: 2025-11-06T05:02:47.521Z
Learning: In components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java, SMS sender property validation is handled by the service layer builder class (SMSSenderDTO.Builder), not at the API layer, because the validation logic is complex and depends on other attributes of the object.

Applied to files:

components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/impl/NotificationSendersApiServiceImpl.java
components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java
components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/resources/notification-sender.yaml
components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v1/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v1/core/NotificationSenderManagementService.java

🔇 Additional comments (6)

components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v1/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v1/core/NotificationSenderManagementService.java (4)

36-36: Good: explicit constant import for sensitive-key filtering
This import aligns with the new filtering in buildEmailSenderFromDTO and helps avoid leaking secrets in API responses.

61-66: Constructor formatting-only change
No functional concerns.

125-132: Formatting-only change in exception path
No functional concerns.

265-271: Javadoc whitespace-only change
No functional concerns.

components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java (1)

265-274: LGTM! Clean delegation pattern.

The patch method correctly delegates to the internal merge logic and follows the established error handling pattern.

components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/impl/NotificationSendersApiServiceImpl.java (1)

195-204: LGTM! Consistent with existing patterns.

The implementation correctly enforces tenant isolation and follows the established delegation pattern used by other endpoints in this service.

coderabbitai · 2025-12-12T09:54:21Z

...bon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java

+        if (emailSenderUpdateRequest.getProperties() != null && !emailSenderUpdateRequest.getProperties().isEmpty()) {
+            emailSenderUpdateRequest.getProperties().forEach((prop) -> {
+                if (StringUtils.isNotBlank(prop.getKey()) && StringUtils.isNotBlank(prop.getValue())) {
+                    existingEmailSenderDTO.getProperties().put(prop.getKey(), prop.getValue());
+                }
+            });
+        }


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# Search for property deletion or removal patterns in the codebase rg -nP -C3 'property.*delet|remov.*property|Properties.*clear|properties\.remove' --type=java

Repository: wso2/identity-api-server

Length of output: 19723

🏁 Script executed:

# Also check the API specification files fd -e yaml -e yml -e json | xargs rg -l 'notification.*sender|NotificationSender' 2>/dev/null | head -20

Repository: wso2/identity-api-server

Length of output: 407

🏁 Script executed:

# Look for OpenAPI/Swagger specifications fd -e yaml -e yml | head -30

Repository: wso2/identity-api-server

Length of output: 5079

🏁 Script executed:

# Examine the NotificationSenderManagementService file more broadly to understand the update pattern wc -l "components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java"

Repository: wso2/identity-api-server

Length of output: 316

🏁 Script executed:

# Get context around the property merge logic and the update method signature cat -n "components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java" | sed -n '350,400p'

Repository: wso2/identity-api-server

Length of output: 3260

🏁 Script executed:

# Check the OpenAPI spec for the PATCH operation cat "components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/resources/notification-sender.yaml" | head -200

Repository: wso2/identity-api-server

Length of output: 6233

🏁 Script executed:

# Search for PATCH operation in the spec rg -A 20 'patch:' "components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/resources/notification-sender.yaml"

Repository: wso2/identity-api-server

Length of output: 777

🏁 Script executed:

# Check for test files that demonstrate expected property removal behavior fd -e java -path '*test*' | xargs rg -l 'updateEmailSender|NotificationSenderManagementService' 2>/dev/null | head -10

Repository: wso2/identity-api-server

Length of output: 2542

🏁 Script executed:

# Look at the broader context - check if there's any null handling or clearing logic for properties cat -n "components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java" | sed -n '340,390p'

Repository: wso2/identity-api-server

Length of output: 3275

🏁 Script executed:

# Get the complete PATCH operation definition including requestBody rg -A 40 'patch:' "components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/resources/notification-sender.yaml"

Repository: wso2/identity-api-server

Length of output: 1372

🏁 Script executed:

# Check v1 implementation for property handling cat "components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v1/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v1/core/NotificationSenderManagementService.java" | grep -A 20 "updateEmailSenderDTOFromPatchRequest" | head -30

Repository: wso2/identity-api-server

Length of output: 50

🏁 Script executed:

# Check if there's any documentation or comments about property behavior rg -B 5 -A 10 "properties.*forEach|properties.*put" "components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java"

Repository: wso2/identity-api-server

Length of output: 4075

🏁 Script executed:

# Search for any comments or documentation about property behavior in the context of PATCH rg -B 10 'updateEmailSenderDTOFromPatchRequest' "components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java" | head -20

Repository: wso2/identity-api-server

Length of output: 839

🏁 Script executed:

# Check the schema definition for EmailSenderUpdateRequest to understand property semantics rg -A 30 'EmailSenderUpdateRequest:' "components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/resources/notification-sender.yaml"

Repository: wso2/identity-api-server

Length of output: 857

The property merge logic does not support property removal via PATCH requests.

The forEach loop (lines 375-381) only adds or updates properties; there is no mechanism to remove existing properties. This is inconsistent with standard PATCH semantics where clients should be able to modify properties completely. Consider whether the API should support property removal by:

Allowing null/empty property values to signal deletion, or

Implementing a separate removal mechanism

Note that scalar fields use conditional preservation (value != null ? value : existing), but properties use unconditional addition, creating an inconsistency in update semantics.

🤖 Prompt for AI Agents

components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java around lines 375-381: the current property merge only adds/updates entries and never removes properties, which breaks PATCH semantics; update the merge logic so that each incoming prop with a blank or null value removes the key from existingEmailSenderDTO.getProperties(), while non-blank values continue to upsert, or alternatively accept an explicit removal list in the request and apply removals before additions—implement one of these behaviors and make it consistent with how scalar fields are conditionally preserved.

coderabbitai · 2025-12-12T09:54:21Z

...bon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java

+        if (BASIC.equalsIgnoreCase(existingEmailSenderDTO.getAuthType())) {
+            existingEmailSenderDTO.getProperties().put(USERNAME, existingEmailSenderDTO.getUsername());
+            existingEmailSenderDTO.getProperties().put(PASSWORD, existingEmailSenderDTO.getPassword());
+            existingEmailSenderDTO.setUsername(null);
+            existingEmailSenderDTO.setPassword(null);
+        }


⚠️ Potential issue | 🟠 Major

Potential credential leak when switching auth types.

When the auth type is changed from BASIC to another type (e.g., OAUTH), the old username/password credentials remain in the properties map since this cleanup only executes when the final authType is BASIC. Old credentials could be returned in API responses or persisted unnecessarily.

Consider adding cleanup logic before the BASIC check:

+ // Clean up BASIC auth credentials if switching away from BASIC + if (!BASIC.equalsIgnoreCase(existingEmailSenderDTO.getAuthType())) { + existingEmailSenderDTO.getProperties().remove(USERNAME); + existingEmailSenderDTO.getProperties().remove(PASSWORD); + } + if (BASIC.equalsIgnoreCase(existingEmailSenderDTO.getAuthType())) { existingEmailSenderDTO.getProperties().put(USERNAME, existingEmailSenderDTO.getUsername()); existingEmailSenderDTO.getProperties().put(PASSWORD, existingEmailSenderDTO.getPassword()); existingEmailSenderDTO.setUsername(null); existingEmailSenderDTO.setPassword(null); }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

if (BASIC.equalsIgnoreCase(existingEmailSenderDTO.getAuthType())) {

existingEmailSenderDTO.getProperties().put(USERNAME, existingEmailSenderDTO.getUsername());

existingEmailSenderDTO.getProperties().put(PASSWORD, existingEmailSenderDTO.getPassword());

existingEmailSenderDTO.setUsername(null);

existingEmailSenderDTO.setPassword(null);

}

// Clean up BASIC auth credentials if switching away from BASIC

if (!BASIC.equalsIgnoreCase(existingEmailSenderDTO.getAuthType())) {

existingEmailSenderDTO.getProperties().remove(USERNAME);

existingEmailSenderDTO.getProperties().remove(PASSWORD);

}

if (BASIC.equalsIgnoreCase(existingEmailSenderDTO.getAuthType())) {

existingEmailSenderDTO.getProperties().put(USERNAME, existingEmailSenderDTO.getUsername());

existingEmailSenderDTO.getProperties().put(PASSWORD, existingEmailSenderDTO.getPassword());

existingEmailSenderDTO.setUsername(null);

existingEmailSenderDTO.setPassword(null);

}

🤖 Prompt for AI Agents

components/org.wso2.carbon.identity.api.server.notification.sender/org.wso2.carbon.identity.api.server.notification.sender.v2/src/main/java/org/wso2/carbon/identity/api/server/notification/sender/v2/core/NotificationSenderManagementService.java lines 382-387: the current logic only moves username/password into properties when authType is BASIC, which leaves stale credentials in properties if authType is changed away from BASIC; before handling the BASIC branch, remove any existing USERNAME and PASSWORD entries from existingEmailSenderDTO.getProperties() and also clear existingEmailSenderDTO.setUsername(null)/setPassword(null) when switching away so no old credentials remain in properties or DTO fields; add this cleanup at the start of the auth-type handling to ensure credentials are never retained for non-BASIC types.