From e8242d8afdc04099d4b08ed176d1471c5bce01df Mon Sep 17 00:00:00 2001
From: Matheus Cruz <matheuscruz.dev@gmail.com>
Date: Fri, 26 Jun 2026 14:57:22 -0300
Subject: [PATCH] Validate task's auth being referencing a not defined
 use.authentications

Signed-off-by: Matheus Cruz <matheuscruz.dev@gmail.com>
---
 .../executors/http/HttpExecutorBuilder.java   | 17 +++++
 .../impl/test/UndefinedAuthReferenceTest.java | 67 +++++++++++++++++++
 2 files changed, 84 insertions(+)
 create mode 100644 impl/test/src/test/java/io/serverlessworkflow/impl/test/UndefinedAuthReferenceTest.java

diff --git a/impl/http/src/main/java/io/serverlessworkflow/impl/executors/http/HttpExecutorBuilder.java b/impl/http/src/main/java/io/serverlessworkflow/impl/executors/http/HttpExecutorBuilder.java
index e6ec62530..dcbf50575 100644
--- a/impl/http/src/main/java/io/serverlessworkflow/impl/executors/http/HttpExecutorBuilder.java
+++ b/impl/http/src/main/java/io/serverlessworkflow/impl/executors/http/HttpExecutorBuilder.java
@@ -16,6 +16,8 @@
 package io.serverlessworkflow.impl.executors.http;
 
 import io.serverlessworkflow.api.types.ReferenceableAuthenticationPolicy;
+import io.serverlessworkflow.api.types.Use;
+import io.serverlessworkflow.api.types.UseAuthentications;
 import io.serverlessworkflow.impl.WorkflowDefinition;
 import io.serverlessworkflow.impl.WorkflowUtils;
 import io.serverlessworkflow.impl.WorkflowValueResolver;
@@ -41,10 +43,25 @@ private HttpExecutorBuilder(WorkflowDefinition definition) {
   }
 
   public HttpExecutorBuilder withAuth(ReferenceableAuthenticationPolicy policy) {
+    checkAuthentication(policy);
     this.policy = policy;
     return this;
   }
 
+  private void checkAuthentication(ReferenceableAuthenticationPolicy policy) {
+    if (policy == null || policy.getAuthenticationPolicyReference() == null) {
+      return;
+    }
+    String name = policy.getAuthenticationPolicyReference().getUse();
+    Use use = definition.workflow().getUse();
+    UseAuthentications authentications = use == null ? null : use.getAuthentications();
+    if (authentications == null || !authentications.getAdditionalProperties().containsKey(name)) {
+      throw new IllegalArgumentException(
+          String.format(
+              "Authentication '%s' is referenced but not defined in use.authentications.", name));
+    }
+  }
+
   public HttpExecutorBuilder withBody(Object body) {
     this.body = body;
     return this;
diff --git a/impl/test/src/test/java/io/serverlessworkflow/impl/test/UndefinedAuthReferenceTest.java b/impl/test/src/test/java/io/serverlessworkflow/impl/test/UndefinedAuthReferenceTest.java
new file mode 100644
index 000000000..95c81d739
--- /dev/null
+++ b/impl/test/src/test/java/io/serverlessworkflow/impl/test/UndefinedAuthReferenceTest.java
@@ -0,0 +1,67 @@
+/*
+ * Copyright 2020-Present The Serverless Workflow Specification Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.serverlessworkflow.impl.test;
+
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+import io.serverlessworkflow.api.types.Workflow;
+import io.serverlessworkflow.fluent.spec.WorkflowBuilder;
+import io.serverlessworkflow.fluent.spec.dsl.DSL;
+import io.serverlessworkflow.impl.WorkflowApplication;
+import java.net.URI;
+import org.junit.jupiter.api.Test;
+
+class UndefinedAuthReferenceTest {
+
+  @Test
+  void httpWithUndefinedAuthReferenceShouldFailAtBuildTime() {
+    Workflow workflow =
+        WorkflowBuilder.workflow("undefined-auth-ref-http", "test", "0.1.0")
+            .tasks(
+                DSL.call(
+                    DSL.http()
+                        .method("GET")
+                        .uri(
+                            URI.create("http://localhost:10110/dir/index.html"),
+                            a -> a.use("sampleDigest"))))
+            .build();
+    try (WorkflowApplication app = WorkflowApplication.builder().build()) {
+      assertThatThrownBy(() -> app.workflowDefinition(workflow))
+          .isInstanceOf(IllegalArgumentException.class)
+          .hasMessageContaining("sampleDigest")
+          .hasMessageContaining("not defined in use.authentications");
+    }
+  }
+
+  @Test
+  void openApiWithUndefinedAuthReferenceShouldFailAtBuildTime() {
+    Workflow workflow =
+        WorkflowBuilder.workflow("undefined-auth-ref-openapi", "test", "0.1.0")
+            .tasks(
+                DSL.call(
+                    DSL.openapi()
+                        .document("http://localhost:10110/openapi.json")
+                        .operation("getPet")
+                        .authentication(a -> a.use("sampleDigest"))))
+            .build();
+    try (WorkflowApplication app = WorkflowApplication.builder().build()) {
+      assertThatThrownBy(() -> app.workflowDefinition(workflow))
+          .isInstanceOf(IllegalArgumentException.class)
+          .hasMessageContaining("sampleDigest")
+          .hasMessageContaining("not defined in use.authentications");
+    }
+  }
+}