Skip to content
Closed
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -1,7 +1,9 @@
package code.api.UKOpenBanking.v4_0_1

import code.api.util.APIUtil.DateWithDayFormat
import code.api.util.ErrorMessages.ConsentIdClaimMissing
import code.consent.Consents
import com.openbankproject.commons.model.ErrorMessage
import org.json4s._
import org.scalatest.Tag

Expand All @@ -12,13 +14,11 @@
// seeded data -> 200/201/204 with real field values, error paths (unknown
// consent/account), and a full consent create -> get -> delete -> get lifecycle.
//
// getAccounts / getAccountsAccountIdBalances / getAccountsAccountIdTransactions
// call NewStyle.function.checkUKConsent, which requires the Bearer access token
// to be a JWT carrying a consent_id claim bound to an AUTHORISED consent of the
// calling user+consumer (see code.api.util.ConsentUtil.checkUKConsent). The test
// framework's DirectLogin tokens carry no consent_id, so (mirroring
// UKOpenBankingV310AisTests' precedent for the same three v3.1 endpoints) only
// "unauthenticated -> 401" and "authenticated -> not 401" are asserted for those three.
// getAccounts / getAccountsAccountIdBalances / getAccountsAccountIdTransactions call
// NewStyle.function.checkUKConsent (code.api.util.ConsentUtil.checkUKConsent), which reads
// the `consent_id` claim off the Bearer access token — no external identity-provider call.
// These OAuth1-signed test requests carry no Bearer JWT, so the claim lookup deterministically
// fails with a 403 ConsentIdClaimMissing (see the scenario comments on those three features).
//
// The remaining 80 endpoints are still static spec-faithful stubs; their tests
// are unchanged (two scenarios: authenticated -> fixed code, unauthenticated -> 401).
Expand Down Expand Up @@ -104,10 +104,15 @@
}
}
// ── AccountsApi ────────────────────────────────────────────────────
// DATA-DEPENDENT: checkUKConsent requires a consent-bound token (consent_id claim — see class doc above).
// checkUKConsent extracts the `consent_id` claim from the Bearer access token (no external
// Hydra call since Consent.checkUKConsent dropped the Hydra dependency). These OAuth1-signed
// test requests carry no Bearer JWT at all, so the claim lookup deterministically fails ->
// 403 ConsentIdClaimMissing, mirroring "authenticated but no bound consent" in production.
feature("UKOB v4.0.1 GET /aisp/accounts") {
scenario("authenticated", UKOpenBankingV401AccountInfo) {
getAuthed("aisp", "accounts").code should not equal (401)
scenario("authenticated without a consent-bound token -> 403", UKOpenBankingV401AccountInfo) {

Check failure on line 112 in obp-api/src/test/scala/code/api/UKOpenBanking/v4_0_1/UKOpenBankingV401AccountInfoTests.scala

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Define a constant instead of duplicating this literal "authenticated without a consent-bound token -> 403" 3 times.

See more on https://sonarcloud.io/project/issues?id=OpenBankProject_OBP-API&issues=AZ9mB-copT2KYv7YR6dt&open=AZ9mB-copT2KYv7YR6dt&pullRequest=2872
val response = getAuthed("aisp", "accounts")
response.code should equal(403)
response.body.extract[ErrorMessage].message.trim should equal(ConsentIdClaimMissing.trim)
}
scenario("unauthenticated -> 401", UKOpenBankingV401AccountInfo) {
getUnauthed("aisp", "accounts").code should equal(401)
Expand All @@ -133,8 +138,10 @@
}
}
feature("UKOB v4.0.1 GET /aisp/accounts/ACCOUNT_ID/balances") {
scenario("authenticated", UKOpenBankingV401AccountInfo) {
getAuthed("aisp", "accounts", acc, "balances").code should not equal (401)
scenario("authenticated without a consent-bound token -> 403", UKOpenBankingV401AccountInfo) {
val response = getAuthed("aisp", "accounts", acc, "balances")
response.code should equal(403)
response.body.extract[ErrorMessage].message.trim should equal(ConsentIdClaimMissing.trim)
}
scenario("unauthenticated -> 401", UKOpenBankingV401AccountInfo) {
getUnauthed("aisp", "accounts", acc, "balances").code should equal(401)
Expand Down Expand Up @@ -237,10 +244,12 @@
}
}
// ── TransactionsApi ────────────────────────────────────────────────
// DATA-DEPENDENT: checkUKConsent requires a consent-bound token (consent_id claim — see class doc above).
// See the "no external Hydra call" note above feature("UKOB v4.0.1 GET /aisp/accounts").
feature("UKOB v4.0.1 GET /aisp/accounts/ACCOUNT_ID/transactions") {
scenario("authenticated", UKOpenBankingV401AccountInfo) {
getAuthed("aisp", "accounts", acc, "transactions").code should not equal (401)
scenario("authenticated without a consent-bound token -> 403", UKOpenBankingV401AccountInfo) {
val response = getAuthed("aisp", "accounts", acc, "transactions")
response.code should equal(403)
response.body.extract[ErrorMessage].message.trim should equal(ConsentIdClaimMissing.trim)
}
scenario("unauthenticated -> 401", UKOpenBankingV401AccountInfo) {
getUnauthed("aisp", "accounts", acc, "transactions").code should equal(401)
Expand Down
Loading