fix(auth): upgrade rest-client and warn on empty credentials

[HardlyDifficult]

Summary

• Upgrade @hardlydifficult/rest-client from 1.0.0 to 1.0.65 (65 patches of auth bug fixes)
• Add warning when clientId is empty but authUrl is configured, making silent auth fallbacks observable

Problem

The Canton reverse proxy returns HTTP 404 for unauthenticated requests. When @hardlydifficult/rest-client@1.0.0 failed to acquire a token (due to a strict null check bug in isTokenValid()), requests were sent without authentication, causing persistent 404 errors across all devnet operations.

Test plan

• npm run lint passes
• npm run build passes
• npm test passes (347 unit tests)

---

Note

Medium Risk
Touches authentication behavior by upgrading @hardlydifficult/rest-client and adding a new warning path when credentials are missing, which could affect token acquisition and request auth in edge cases. Risk is limited to the auth/config surface and is otherwise a small, targeted change.

Overview
Updates @hardlydifficult/rest-client from 1.0.0 to 1.0.65.

Adjusts AuthenticationManager config conversion to accept a logger and emit a warning when an authUrl is set but clientId is empty, making the fallback to unauthenticated requests explicit.

^{Written by Cursor Bugbot for commit d6e7b44. This will update automatically on new commits. Configure here.}

Summary by CodeRabbit

• Bug Fixes
  • Authentication configuration now provides warning messages when required credentials are missing but an authentication URL is specified, helping identify misconfiguration issues more easily.

[claude]

Claude encountered an error —— View job

---

I'll analyze this and get back to you.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 015e587c-cb52-46be-9510-502f130ac6df

📥 Commits

Reviewing files that changed from the base of the PR and between 6d8eec2 and d6e7b44.

📒 Files selected for processing (2)

• package.json
• src/core/auth/AuthenticationManager.ts

---

📝 Walkthrough

Walkthrough

Updated @hardlydifficult/rest-client from version 1.0.0 to 1.0.65. Modified AuthenticationManager to pass an optional logger parameter to convertAuthConfig, enabling warning logs when clientId is missing but authUrl is configured.

Changes

Cohort / File(s)	Summary
Dependency Update package.json	Bumped @hardlydifficult/rest-client dependency from 1.0.0 to 1.0.65
Authentication Manager Enhancement src/core/auth/AuthenticationManager.ts	Modified constructor to pass optional logger to convertAuthConfig; convertAuthConfig now emits warnings when clientId is empty/whitespace but authUrl is configured

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• Use @hardlydifficult/rest-client and websocket packages #301: Introduced the AuthenticationManager/convertAuthConfig integration that this PR now extends with logger parameter support and warning emissions.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the two main changes: upgrading the rest-client dependency and adding a warning for empty credentials in authentication configuration.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/auth-404-empty-credentials

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Spurious warning fires for intentionally unauthenticated ScanApiClient

Medium Severity

The new warning fires whenever authUrl is non-empty and clientId is empty, but ScanApiClient intentionally sets clientId: '' because scan endpoints are public/unauthenticated. Since Canton (the main entry point) shares the same authUrl across all three clients, every Canton instance with auth configured will emit this spurious warning for the scan client. Additionally, the env var hint hardcodes LEDGER_JSON_API_CLIENT_ID but convertAuthConfig is API-type-agnostic — the hint is misleading for VALIDATOR_API and SCAN_API callers.

Additional Locations (1)

• src/core/auth/AuthenticationManager.ts#L71-L72