Merge remote-tracking branch 'upstream/develop' into develop

Author: constantine2nd

obp-api/src/main/protobuf/metrics_stream.proto

@@ -11,6 +11,7 @@ message StreamMetricsRequest {
   string url_substring                    = 4;
   string implemented_by_partial_function  = 5;
   string app_name                         = 6;
+  string consent_reference_id             = 7;
 }
 
 // Per-REST-call metric record, mirrors APIMetrics.saveMetric args and
@@ -42,6 +43,9 @@ message MetricEvent {
   string api_instance_id                  = 16;
   // OBP operation id, e.g. "OBPv6.0.0-getBanks". Matches MetricJsonV600.operation_id.
   string operation_id                     = 17;
+  // Reference id of the consent (if any) that authorised the request.
+  // Mirrors MetricJsonV600.consent_reference_id (REST v6.0.0+).
+  string consent_reference_id             = 18;
 }
 
 // Live tail of API metrics as they are written.

obp-api/src/main/resources/props/sample.props.template

@@ -1150,7 +1150,8 @@ database_messages_scheduler_interval=3600
 # Possibile values are: CONSUMER_CERTIFICATE, CONSUMER_KEY_VALUE, NONE
 # consumer_validation_method_for_consent=CONSUMER_CERTIFICATE
 #
-# consents.max_time_to_live=3600
+# Maximum allowed time_to_live (in seconds) for a consent. Default is 7776000 (90 days), matching PSD2 AIS / UK Open Banking.
+# consents.max_time_to_live=7776000
 # In case isn't defined default value is "true"
 # consents.sca.enabled=true
 # ---------------------------------------------------------

obp-api/src/main/scala/code/api/ResourceDocs1_4_0/SwaggerDefinitionsJSON.scala

@@ -3193,7 +3193,8 @@ object SwaggerDefinitionsJSON {
     response_body = json.parse("""{"code":401,"message":"OBP-20001: User not logged in. Authentication is required!"}"""),
     status_code = 401,
     operation_id = "OBPv4.0.0-getBanks",
-    api_instance_id = "obp_node_a"
+    api_instance_id = "obp_node_a",
+    consent_reference_id = Some(ExampleValue.consentReferenceIdExample.value)
   )
   lazy val metricsJsonV600 = MetricsJsonV600(
     metrics = List(metricJsonV600)

obp-api/src/main/scala/code/api/constant/constant.scala

@@ -306,6 +306,10 @@ object Constant extends MdcLoggable {
   def RATE_LIMIT_ACTIVE_PREFIX: String = getVersionedCachePrefix(RL_ACTIVE_NAMESPACE)
   final val RATE_LIMIT_ACTIVE_CACHE_TTL: Int = APIUtil.getPropsValue("rateLimitActive.cache.ttl.seconds", "3600").toInt
 
+  // Default max time_to_live for consents, in seconds. 90 days — aligns with PSD2 AIS / UK Open Banking.
+  // Used as the fallback when the `consents.max_time_to_live` prop is unset.
+  final val DEFAULT_CONSENT_TTL: Int = 7776000
+
   // Connector Cache Prefixes (with global namespace and versioning)
   def CONNECTOR_PREFIX: String = getVersionedCachePrefix(CONNECTOR_NAMESPACE)
 

obp-api/src/main/scala/code/api/util/APIUtil.scala

@@ -1199,6 +1199,7 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
         case "azp" => Full(OBPAzp(values.head))
         case "iss" => Full(OBPIss(values.head))
         case "consent_id" => Full(OBPConsentId(values.head))
+        case "consent_reference_id" => Full(OBPConsentReferenceId(values.head))
         case "user_id" => Full(OBPUserId(values.head))
         case "provider_provider_id" => Full(ProviderProviderId(values.head))
         case "bank_id" => Full(OBPBankId(values.head))
@@ -1333,6 +1334,7 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
     val iss =  getHttpRequestUrlParam(httpRequestUrl,"iss")
     val azp =  getHttpRequestUrlParam(httpRequestUrl,"azp")
     val consentId =  getHttpRequestUrlParam(httpRequestUrl,"consent_id")
+    val consentReferenceId =  getHttpRequestUrlParam(httpRequestUrl,"consent_reference_id")
     val userId =  getHttpRequestUrlParam(httpRequestUrl, "user_id")
     val providerProviderId =  getHttpRequestUrlParam(httpRequestUrl, "provider_provider_id")
     val bankId =  getHttpRequestUrlParam(httpRequestUrl, "bank_id")
@@ -1368,7 +1370,7 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
 
     Full(List(
       HTTPParam("sort_by",sortBy), HTTPParam("sort_direction",sortDirection), HTTPParam("from_date",fromDate), HTTPParam("to_date", toDate), HTTPParam("limit",limit), HTTPParam("offset",offset),
-      HTTPParam("anon", anon), HTTPParam("status", status), HTTPParam("consumer_id", consumerId), HTTPParam("azp", azp), HTTPParam("iss", iss), HTTPParam("consent_id", consentId), HTTPParam("user_id", userId), HTTPParam("provider_provider_id", providerProviderId), HTTPParam("url", url), HTTPParam("app_name", appName),
+      HTTPParam("anon", anon), HTTPParam("status", status), HTTPParam("consumer_id", consumerId), HTTPParam("azp", azp), HTTPParam("iss", iss), HTTPParam("consent_id", consentId), HTTPParam("consent_reference_id", consentReferenceId), HTTPParam("user_id", userId), HTTPParam("provider_provider_id", providerProviderId), HTTPParam("url", url), HTTPParam("app_name", appName),
       HTTPParam("implemented_by_partial_function",implementedByPartialFunction), HTTPParam("implemented_in_version",implementedInVersion), HTTPParam("verb", verb),
       HTTPParam("correlation_id", correlationId), HTTPParam("duration", duration), HTTPParam("exclude_app_names", excludeAppNames),
       HTTPParam("exclude_url_patterns", excludeUrlPattern),HTTPParam("exclude_implemented_by_partial_functions", excludeImplementedByPartialfunctions), 

obp-api/src/main/scala/code/api/util/ApiSession.scala

@@ -58,7 +58,9 @@ case class CallContext(
                         bank: Option[Bank] = None,
                         bankAccount: Option[BankAccount] = None,
                         view: Option[View] = None,
-                        counterparty: Option[CounterpartyTrait] = None
+                        counterparty: Option[CounterpartyTrait] = None,
+                        // Set when the request is authenticated via a consent. Persisted on metric rows for search/audit.
+                        consentReferenceId: Option[String] = None
                       ) extends MdcLoggable {
   override def toString: String = SecureLogging.maskSensitive(
     s"${this.getClass.getSimpleName}(${this.productIterator.mkString(", ")})"
@@ -144,7 +146,8 @@ case class CallContext(
       xRateLimitRemaining = this.xRateLimitRemaining,
       xRateLimitReset = this.xRateLimitReset,
       paginationOffset = this.paginationOffset,
-      paginationLimit = this.paginationLimit
+      paginationLimit = this.paginationLimit,
+      consentReferenceId = this.consentReferenceId
     )
   }
 
@@ -210,7 +213,8 @@ case class CallContextLight(gatewayLoginRequestPayload: Option[PayloadOfJwtJSON]
                             xRateLimitRemaining : Long = -1,
                             xRateLimitReset : Long = -1,
                             paginationOffset : Option[String] = None,
-                            paginationLimit : Option[String] = None
+                            paginationLimit : Option[String] = None,
+                            consentReferenceId: Option[String] = None
                            )
 
 trait LoginParam

obp-api/src/main/scala/code/api/util/ConsentUtil.scala

@@ -451,14 +451,20 @@ object Consent extends MdcLoggable {
     def applyConsentRules(consent: ConsentJWT): Future[(Box[User], Option[CallContext])] = {
       val temp = callContext
       // updated context if createdByUserId is present
-      val cc = if (consent.createdByUserId.nonEmpty) {
+      val ccWithOnBehalf = if (consent.createdByUserId.nonEmpty) {
         val onBehalfOfUser = Users.users.vend.getUserByUserId(consent.createdByUserId)
         temp.copy(onBehalfOfUser = onBehalfOfUser.toOption)
       } else {
         temp
       }
+      // Stamp the consent_reference_id on the CallContext so the metric writer can record it.
+      val cc = Consents.consentProvider.vend.getConsentByConsentId(consent.jti) match {
+        case Full(mc) => ccWithOnBehalf.copy(consentReferenceId = Some(mc.consentReferenceId))
+        case _        => ccWithOnBehalf
+      }
       if (cc.onBehalfOfUser.nonEmpty &&
         APIUtil.getPropsAsBoolValue(nameOfProperty = "experimental_become_user_that_created_consent", defaultValue = false)) {
+        logger.warn("WARNING: experimental_become_user_that_created_consent is DEPRECATED and will be removed soon. Please unset this property.")
         logger.info("experimental_become_user_that_created_consent = true")
         logger.info(s"${cc.onBehalfOfUser.map(_.userId).getOrElse("")} is logged on instead of Consent user")
         Future(cc.onBehalfOfUser, Some(cc)) // Just propagate on behalf of user back
@@ -552,7 +558,11 @@ object Consent extends MdcLoggable {
     implicit val dateFormats = CustomJsonFormats.formats
 
     def applyConsentRules(consent: ConsentJWT, callContext: CallContext): Future[(Box[User], Option[CallContext])] = {
-      val cc = callContext
+      // Stamp the consent_reference_id on the CallContext so the metric writer can record it.
+      val cc = Consents.consentProvider.vend.getConsentByConsentId(consent.jti) match {
+        case Full(mc) => callContext.copy(consentReferenceId = Some(mc.consentReferenceId))
+        case _        => callContext
+      }
       // 1. Get or Create a User
       getOrCreateUser(consent.sub, consent.iss, Some(consent.toConsent().consentId), None, None) map {
         case (Full(user), newUser) =>

obp-api/src/main/scala/code/api/util/ExampleValue.scala

@@ -1630,8 +1630,8 @@ object ExampleValue {
   lazy val directDebitIdExample = ConnectorField(NoExampleProvided,NoDescriptionProvided)
   glossaryItems += makeGlossaryItem("direct_debit_id", directDebitIdExample)
 
-  lazy val consentReferenceIdExample = ConnectorField("123456" ,NoDescriptionProvided)
-  glossaryItems += makeGlossaryItem("consent_id", consentReferenceIdExample)
+  lazy val consentReferenceIdExample = ConnectorField("fd13b9af-4f74-4d52-a7f1-7c2c12f3aa11" ,NoDescriptionProvided)
+  glossaryItems += makeGlossaryItem("consent_reference_id", consentReferenceIdExample)
 
   lazy val consentIdExample = ConnectorField("9d429899-24f5-42c8-8565-943ffa6a7947",NoDescriptionProvided)
   glossaryItems += makeGlossaryItem("consent_id", consentIdExample)

obp-api/src/main/scala/code/api/util/Glossary.scala

@@ -5672,7 +5672,7 @@ object Glossary extends MdcLoggable  {
 				 |For onward calls to OBP-API, `OBP_AUTHORIZATION_VIA` selects:
 				 |
 				 |- **`oauth`** — pulls the access token from the MCP request context and sends `Authorization: Bearer ...`.
-				 |- **`consent`** — if the endpoint declares any required roles and no `Consent-JWT` is supplied, the tool returns a `consent_required` payload listing the required roles and bank scope, so the client can elicit user approval and come back with a `Consent-JWT` header. Public / no-role endpoints skip this and call straight through.
+				 |- **`consent`** — the default mode for user-facing deployments. `call_obp_api` requires a `Consent-JWT` for **every** endpoint except a small allowlist of genuinely public ones (`GET /root`, the bank directory `/banks` and `/banks/{BANK_ID}`, glossary, resource-docs, API metadata). For any other endpoint called without a `Consent-JWT`, the tool returns a `consent_required` payload — required roles, bank / account / view scope, and `requires_view_access` / `is_user_scoped` flags — so the client can build the right consent and retry with a `Consent-JWT` header. Consent is required **by default**, not only for role-gated endpoints, because many identity-bound endpoints (`/users/current`, `/my/*`, account-access-via-view endpoints) declare no roles yet still need the caller's identity — a role-only gate would call them unauthenticated. The allowlist is deliberately conservative: a wrongly-excluded endpoint costs only an extra prompt, whereas wrongly skipping consent fails silently.
 				 |- **`none`** — calls OBP unauthenticated (only useful for genuinely public endpoints).
 				 |
 				 |This means the consent flow is enforced at the MCP layer, not just at OBP-API: an agent cannot accidentally call a privileged endpoint without explicit user consent.

obp-api/src/main/scala/code/api/util/OBPParam.scala

@@ -30,6 +30,7 @@ case class OBPSortBy(value: String) extends OBPQueryParam
 case class OBPAzp(value: String) extends OBPQueryParam
 case class OBPIss(value: String) extends OBPQueryParam
 case class OBPConsentId(value: String) extends OBPQueryParam
+case class OBPConsentReferenceId(value: String) extends OBPQueryParam
 case class OBPUserId(value: String) extends OBPQueryParam
 case class ProviderProviderId(value: String) extends OBPQueryParam
 case class OBPStatus(value: String) extends OBPQueryParam