Skip to content

Develop obp#2868

Merged
simonredfern merged 8 commits into
OpenBankProject:developfrom
hongwei1:develop-obp
Jul 15, 2026
Merged

Develop obp#2868
simonredfern merged 8 commits into
OpenBankProject:developfrom
hongwei1:develop-obp

Conversation

@hongwei1

Copy link
Copy Markdown
Contributor

No description provided.

hongwei1 added 8 commits July 14, 2026 13:02
Replace static spec-example responses with real OBP connector calls for
the account-access-consents, accounts, balances, and transactions
endpoints in UK Open Banking v4.0.1 AccountInfo — the same 9 endpoints
that carry real implementations in v3.1, covering the full consent
lifecycle plus the 5 endpoints OBP-Hola actually calls.

Connector call sequences are carried over from the v3.1 handlers
(Http4sUKOBv310AccountAccess/Accounts/Balances/Transactions) since the
underlying data access is unchanged between API versions. Response
shaping needed a new factory (JSONFactory_UKOpenBanking_401) because the
v4.0.1 Account/Balance/Transaction resources changed shape from v3.1
(AccountTypeCode replaces AccountType, single-string SchemeName, added
TotalValue/TransactionMutability/Status codes, etc.).

getAccounts, getAccountsAccountIdBalances and getAccountsAccountIdTransactions
call checkUKConsent, which requires a live Hydra OAuth2 introspection
endpoint with no local test double, so those three keep the same
"authenticated -> not 401" assertion already used for their v3.1
counterparts. The other 6 endpoints get full scenario coverage: real
seeded data, unknown-consent and empty-data paths, and a full
create -> get -> delete -> get consent lifecycle.
…MAIL_TEST_MODE

run_tests_parallel.sh unconditionally exports OBP_MAIL_TEST_MODE=true for every
shard, and APIUtil.getPropsValue always checks sys.env before Props/setPropsValues
overrides. That made PasswordResetTest's setPropsValues("mail.test.mode" -> "false", ...)
a no-op locally, so the "SMTP failure must surface as a 500" scenario always got
a 201 sent response instead (CI was unaffected since it only sets a props-file
default, no env var).

Add EnvVarOverride, a test-only trait that mutates the process environment for
the scope of a block and restores it afterward, and use it to force
OBP_MAIL_TEST_MODE=false for that one scenario. On modern JDKs the Unix
ProcessEnvironment backing map is keyed by internal Variable/Value wrapper
types rather than plain Strings, so the override goes through their
valueOf(String) factories instead of assuming a Map[String, String].
…sandbox env var

Same root cause as the PasswordResetTest fix: run_tests_parallel.sh exports
OBP_ALLOW_USER_GENERATED_SCALA_CODE=true for every shard, and that env var
always wins over setPropsValues("allow_user_generated_scala_code" -> "false")
per APIUtil.getPropsValue. The five OFF-state scenarios could never actually
observe the kill-switch disabled locally, so they failed deterministically
under run_tests_parallel.sh (CI was unaffected, since it only sets a
props-file default, no env var).

Reuses the EnvVarOverride trait added for the PasswordResetTest fix to force
the env var out of the way for the scope of each OFF scenario.
Add POST /obp/v5.1.0/banks/BANK_ID/consents/CONSENT_ID/authorise, a
user-scoped (role-free) endpoint that authorises a UK Open Banking
account-access consent as the current PSU.

UK consents are lodged by the TPP via client_credentials and start in
AWAITINGAUTHORISATION with no bound user. After the PSU authenticates,
this endpoint transitions the consent to AUTHORISED, binds it to the PSU
(mUserId) and stamps the PSU into the consent JWT's createdByUserId,
supplying the previously missing authorisation-binding step so that
subsequent UK data calls whose token carries the consent_id claim pass
checkUKConsent. The consent JWT's permission views are preserved.
…batch

A user can hold a view/grant on an account that has since been deleted
(a dangling BankIdAccountId). LocalMappedConnector.getBankAccounts mapped
each id through openOrThrowException, so one orphaned grant would 500 an
entire "list my accounts" call. Skip accounts that no longer resolve;
callers needing a specific account use getBankAccount(single).
Add POST /obp/v5.1.0/banks/BANK_ID/consents/CONSENT_ID/authorise/challenge
to start Strong Customer Authentication for a UK consent, and require the
challenge answer on the authorise endpoint before flipping the consent to
AUTHORISED.

Uses the shared OBP challenge engine (createChallengesC2 /
validateChallengeAnswerC4) with ChallengeType.OBP_CONSENT_CHALLENGE — the
same engine Berlin Group uses, which is status-agnostic and so works on an
AWAITINGAUTHORISATION consent (unlike the INITIATED-only checkAnswer path).
The OTP is delivered per suggested_default_sca_method (DUMMY answer "123"
in dev, EMAIL/SMS in prod). A wrong answer leaves the consent unauthorised.
@sonarqubecloud

Copy link
Copy Markdown

@simonredfern simonredfern merged commit 9521f45 into OpenBankProject:develop Jul 15, 2026
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants