Added support for additional security schemes and hidden paths in spec publish

MatthewPopat-NHS · MatthewPopat-NHS · commit 60e7a333e3e2 · 2026-01-13T16:49:30.000Z
diff --git a/packages/cdkConstructs/src/specifications/deployApi.ts b/packages/cdkConstructs/src/specifications/deployApi.ts
@@ -15,6 +15,7 @@ export type ApiConfig = {
   clientPrivateKeyExportName: string
   proxygenPrivateKeyExportName: string
   proxygenKid: string
+  hiddenPaths: Array<string>
 }
 
 export async function deployApi(
@@ -30,7 +31,8 @@ export async function deployApi(
     clientCertExportName,
     clientPrivateKeyExportName,
     proxygenPrivateKeyExportName,
-    proxygenKid
+    proxygenKid,
+    hiddenPaths
   }: ApiConfig,
   dryRun: boolean
 ): Promise<void> {
@@ -66,16 +68,23 @@ export async function deployApi(
   }
   spec.info.version = version
   spec["x-nhsd-apim"].target.url = `https://${stackName}.${awsEnvironment}.eps.national.nhs.uk`
+
+  function replaceSchemeRefs(domain: string) {
+    const schemes = ["nhs-cis2-aal3", "nhs-login-p9", "app-level3", "app-level0"]
+    for (const scheme of schemes) {
+      if (spec.components.securitySchemes[scheme]) {
+        spec.components.securitySchemes[scheme] = {
+          "$ref": `https://${domain}/components/securitySchemes/${scheme}`
+        }
+      }
+    }
+  }
   if (apigeeEnvironment === "prod") {
     spec.servers = [ {url: `https://api.service.nhs.uk/${instance}`} ]
-    spec.components.securitySchemes["nhs-cis2-aal3"] = {
-      "$ref": "https://proxygen.prod.api.platform.nhs.uk/components/securitySchemes/nhs-cis2-aal3"
-    }
+    replaceSchemeRefs("proxygen.prod.api.platform.nhs.uk")
   } else {
     spec.servers = [ {url: `https://${apigeeEnvironment}.api.service.nhs.uk/${instance}`} ]
-    spec.components.securitySchemes["nhs-cis2-aal3"] = {
-      "$ref": "https://proxygen.ptl.api.platform.nhs.uk/components/securitySchemes/nhs-cis2-aal3"
-    }
+    replaceSchemeRefs("proxygen.ptl.api.platform.nhs.uk")
   }
   if (apigeeEnvironment.includes("sandbox")) {
     delete spec["x-nhsd-apim"]["target-attributes"] // Resolve issue with sandbox trying to look up app name
@@ -132,6 +141,11 @@ export async function deployApi(
     spec_publish_env = "uat"
   }
   if (spec_publish_env) {
+    for (const path of hiddenPaths) {
+      if (spec.paths[path]) {
+        delete spec.paths[path]
+      }
+    }
     await invokeLambda(spec_publish_lambda, {
       apiName,
       environment: spec_publish_env,
diff --git a/packages/cdkConstructs/tests/specifications/deployApi.test.ts b/packages/cdkConstructs/tests/specifications/deployApi.test.ts
@@ -40,7 +40,12 @@ vi.mock("../../src/config", async (importOriginal) => {
   }
 })
 
-function createSpec() {
+type SpecOverrides = {
+  securitySchemes?: Record<string, unknown>,
+  paths?: Record<string, unknown>
+}
+
+function createSpec(overrides: SpecOverrides = {}) {
   return {
     info: {title: "EPS API", version: "0.0.1"},
     "x-nhsd-apim": {
@@ -52,10 +57,9 @@ function createSpec() {
       "target-attributes": {app: "eps"}
     },
     components: {
-      securitySchemes: {
-        "nhs-cis2-aal3": {}
-      }
+      securitySchemes: overrides.securitySchemes || {"nhs-cis2-aal3": {}}
     },
+    paths: overrides.paths || {},
     servers: []
   }
 }
@@ -80,6 +84,7 @@ function buildConfig(overrides: Partial<ApiConfig> = {}): ApiConfig {
     clientPrivateKeyExportName: "clientKey",
     proxygenPrivateKeyExportName: "proxygenKey",
     proxygenKid: "kid-123",
+    hiddenPaths: [],
     ...overrides
   }
 }
@@ -211,6 +216,60 @@ describe("deployApi", () => {
       .toBe("https://sandbox.api.service.nhs.uk/eps")
   })
 
+  test("replaces all supported security scheme refs", async () => {
+    const spec = createSpec({
+      securitySchemes: {
+        "nhs-cis2-aal3": {},
+        "nhs-login-p9": {},
+        "app-level3": {},
+        "app-level0": {}
+      }
+    })
+    await deployApi(
+      buildConfig({
+        specification: JSON.stringify(spec),
+        apigeeEnvironment: "prod",
+        awsEnvironment: "prod",
+        stackName: "eps-prod-stack",
+        proxygenKid: "kid-prod"
+      }),
+      false
+    )
+    const specPayload = payloadFromCall(1)
+    const schemes = [
+      "nhs-cis2-aal3",
+      "nhs-login-p9",
+      "app-level3",
+      "app-level0"
+    ]
+    for (const scheme of schemes) {
+      expect(specPayload.specDefinition.components.securitySchemes[scheme].$ref)
+        .toBe(`https://proxygen.prod.api.platform.nhs.uk/components/securitySchemes/${scheme}`)
+    }
+  })
+
+  test("removes hidden paths from published spec", async () => {
+    const spec = createSpec({
+      paths: {
+        "/visible": {get: {}},
+        "/hidden": {post: {}}
+      }
+    })
+    await deployApi(
+      buildConfig({
+        specification: JSON.stringify(spec),
+        apigeeEnvironment: "int",
+        stackName: "eps-int-stack",
+        proxygenKid: "kid-int",
+        hiddenPaths: ["/hidden"]
+      }),
+      false
+    )
+    const publishPayload = payloadFromCall(2)
+    expect(publishPayload.specDefinition.paths["/hidden"]).toBeUndefined()
+    expect(publishPayload.specDefinition.paths["/visible"]).toBeDefined()
+  })
+
   test("dry run only logs intended invocations", async () => {
     const logSpy = vi.spyOn(console, "log").mockImplementation(() => undefined)
 
