Skip to content

Enforce UK consent check on aggregate endpoints; fix background-launch hang#2870

Closed
hongwei1 wants to merge 6 commits into
OpenBankProject:developfrom
hongwei1:develop-obp
Closed

Enforce UK consent check on aggregate endpoints; fix background-launch hang#2870
hongwei1 wants to merge 6 commits into
OpenBankProject:developfrom
hongwei1:develop-obp

Conversation

@hongwei1

Copy link
Copy Markdown
Contributor

Summary

  • Enforce the UK consent check on the aggregate AISP balances/transactions endpoints (previously only the per-account endpoints checked it).
  • Fix a hang: flushall_build_and_run.sh's background server launch redirected through > >(tee "$RUNTIME_LOG"), a process substitution whose tee inherits the script's own stdout. A caller that captures this script's output via out=$(...) never sees EOF — because the long-running server never exits — so the capture hangs forever even after the server started successfully. Redirect straight to the log file instead.
  • Remove two stale "requires live Hydra" comments in the UK v4.0.1 account-info tests, left over after checkUKConsent moved to a JWT consent_id-claim check.

This branch also carries two commits from Simon/develop (merged in) that assert the consent is valid for its API standard (OBP/BG/UK) — not authored by me, included because they were already on the shared develop-obp line when I merged to pick up its cleanup of stale Hydra references.

Test plan

  • /obp-api-test smoke test: run_tests_parallel.sh — 3125 tests, 0 failures; full build + /root OK; fast incremental build + /root OK (same git_commit on both)
  • Verified the process-substitution hang fix in isolation (old pattern times out, new pattern returns immediately)

simonredfern and others added 6 commits July 15, 2026 12:24
… endpoints

GET /aisp/balances and GET /aisp/transactions fetched every private
account for the caller without validating the bearer token's UK
consent binding first, unlike every sibling AISP endpoint (including
their own single-account counterparts). A DirectLogin or OAuth2 token
with no bound consent fell through into the account-fetch path and
surfaced as a 500 Unknown Error instead of the expected 403
OBP-35035, and callers with real consent got real account data with
no consent enforcement at all.

Add the same checkUKConsent + passesPsd2Aisp guard already used by
getAccountsAccountIdBalances and getAccountsAccountIdTransactions so
all five real-data AISP endpoints share one consent contract.

Also fix createTransactionsJsonNew to take the AccountId from the
request path instead of deriving it from the first transaction's
bank account, which returned a null AccountId whenever the account
had no transactions.
# Conflicts:
#	obp-api/src/test/scala/code/api/UKOpenBanking/v4_0_1/UKOpenBankingV401AccountInfoTests.scala
…ubstitution

Redirecting to > >(tee "$RUNTIME_LOG") makes the tee process inherit this
script's own stdout. A caller that captures this script's output with
out=$(./flushall_build_and_run.sh --background ...) never sees EOF, because
the long-running server (and the tee backing the substitution) never exits
on its own — the command substitution hangs forever even though the server
started successfully. Redirect straight to the log file instead.
checkUKConsent no longer needs a live Hydra introspection endpoint — it
checks the Bearer token's consent_id claim against an AUTHORISED consent.
Two comments describing the balances/transactions scenarios still referred
to the removed Hydra dependency; align them with the class doc above, which
was already corrected during the merge from Simon/develop.
@sonarqubecloud

Copy link
Copy Markdown

@hongwei1 hongwei1 closed this Jul 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants