Skip to content

Develop obp#2873

Open
hongwei1 wants to merge 9 commits into
OpenBankProject:developfrom
hongwei1:develop-obp
Open

Develop obp#2873
hongwei1 wants to merge 9 commits into
OpenBankProject:developfrom
hongwei1:develop-obp

Conversation

@hongwei1

Copy link
Copy Markdown
Contributor

No description provided.

hongwei1 added 9 commits July 15, 2026 12:55
… endpoints

GET /aisp/balances and GET /aisp/transactions fetched every private
account for the caller without validating the bearer token's UK
consent binding first, unlike every sibling AISP endpoint (including
their own single-account counterparts). A DirectLogin or OAuth2 token
with no bound consent fell through into the account-fetch path and
surfaced as a 500 Unknown Error instead of the expected 403
OBP-35035, and callers with real consent got real account data with
no consent enforcement at all.

Add the same checkUKConsent + passesPsd2Aisp guard already used by
getAccountsAccountIdBalances and getAccountsAccountIdTransactions so
all five real-data AISP endpoints share one consent contract.

Also fix createTransactionsJsonNew to take the AccountId from the
request path instead of deriving it from the first transaction's
bank account, which returned a null AccountId whenever the account
had no transactions.
# Conflicts:
#	obp-api/src/test/scala/code/api/UKOpenBanking/v4_0_1/UKOpenBankingV401AccountInfoTests.scala
…ubstitution

Redirecting to > >(tee "$RUNTIME_LOG") makes the tee process inherit this
script's own stdout. A caller that captures this script's output with
out=$(./flushall_build_and_run.sh --background ...) never sees EOF, because
the long-running server (and the tee backing the substitution) never exits
on its own — the command substitution hangs forever even though the server
started successfully. Redirect straight to the log file instead.
checkUKConsent no longer needs a live Hydra introspection endpoint — it
checks the Bearer token's consent_id claim against an AUTHORISED consent.
Two comments describing the balances/transactions scenarios still referred
to the removed Hydra dependency; align them with the class doc above, which
was already corrected during the merge from Simon/develop.
… v4.0.1 endpoints

develop's Hydra removal (PR OpenBankProject#2866) rewrote ConsentUtil.checkUKConsent to read the
consent_id claim directly off the Bearer access token instead of calling an
external Hydra introspection endpoint. That was the only blocker keeping
getAccounts/getAccountsAccountIdBalances/getAccountsAccountIdTransactions on a
weak "authenticated -> not 401" assertion (mirroring the same limitation in
UKOpenBankingV310AisTests for the equivalent v3.1 endpoints).

The OAuth1-signed test requests carry no Bearer JWT, so the consent_id claim
lookup now fails deterministically with 403 ConsentIdClaimMissing — asserted
directly (status code + error message) instead of the previous placeholder.
…ent-403-assertions

# Conflicts:
#	obp-api/src/test/scala/code/api/UKOpenBanking/v4_0_1/UKOpenBankingV401AccountInfoTests.scala
…tions' into develop-obp

# Conflicts:
#	obp-api/src/test/scala/code/api/UKOpenBanking/v4_0_1/UKOpenBankingV401AccountInfoTests.scala
Neither flushall_build_and_run.sh nor flushall_fast_build_and_run.sh printed
the port the server actually binds, only its PID. smoke_test.sh's
start_and_test() parses "PID: <n>" and "PORT: <n>" from the script's captured
output to know where to poll /root; with no PORT line it fails fast with
"未打印实际监听端口" even after the server started and bound successfully,
leaving the server running with nothing to verify it or clean it up.

Print the actual dev.port value read from props/default.props (falling back
to 8080) right after the PID line in both scripts' background-mode branch.
@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant