Handles test/live API key

Author: jbarnsley10

src/config/index.ts

@@ -268,14 +268,6 @@ export const config = convict({
     nullable: true,
     default: undefined,
     env: 'PAYMENT_PROVIDER_API_KEY_TEST'
-  } as SchemaObj<string | undefined>,
-
-  paymentProviderApiKeyLive: {
-    doc: 'A live API key for integrating with a payment provider',
-    format: String,
-    nullable: true,
-    default: undefined,
-    env: 'PAYMENT_PROVIDER_API_KEY_LIVE'
   } as SchemaObj<string | undefined>
 })
 

src/server/plugins/engine/components/PaymentField.ts

@@ -25,6 +25,7 @@ import {
   type FormSubmissionError,
   type FormSubmissionState
 } from '~/src/server/plugins/engine/types.js'
+import { getPaymentApiKey } from '~/src/server/plugins/payment/helper.js'
 import { PaymentService } from '~/src/server/plugins/payment/service.js'
 
 export class PaymentField extends FormComponent {
@@ -48,7 +49,8 @@ export class PaymentField extends FormComponent {
         amount: joi.number().required(),
         description: joi.string().required(),
         uuid: joi.string().uuid().required(),
-        isLive: joi.boolean().required(),
+        formId: joi.string().required(),
+        isLivePayment: joi.boolean().required(),
         preAuth: joi
           .object({
             status: joi
@@ -157,8 +159,11 @@ export class PaymentField extends FormComponent {
     h: FormResponseToolkit,
     args: PaymentDispatcherArgs
   ): Promise<unknown> {
-    const { isLive } = args
-    const paymentService = new PaymentService({ isLive })
+    const isLivePayment = args.isLive && !args.isPreview
+    const formId = args.controller.model.formId
+    const apiKeyValue = getPaymentApiKey(isLivePayment, formId)
+
+    const paymentService = new PaymentService(apiKeyValue)
 
     // 1. Generate UUID token
     const uuid = randomUUID()
@@ -171,7 +176,6 @@ export class PaymentField extends FormComponent {
     const amount = options.amount ?? 0
     const description = options.description ?? ''
 
-    const formId = model.formId
     const slug = `/${model.basePath}`
 
     // 2. Build the return URL for GOV.UK Pay
@@ -196,14 +200,15 @@ export class PaymentField extends FormComponent {
     // 4. Store session data for the return route to use
     const sessionData: PaymentSessionData = {
       uuid,
+      formId,
       reference,
       amount,
       description,
       paymentId: payment.paymentId,
       componentName,
       returnUrl: summaryUrl,
       failureUrl: paymentPageUrl,
-      isLive
+      isLivePayment
     }
 
     request.yar.set(`payment-${uuid}`, sessionData)
@@ -237,8 +242,9 @@ export class PaymentField extends FormComponent {
       return
     }
 
-    const { paymentId, isLive } = paymentState
-    const paymentService = new PaymentService({ isLive })
+    const { paymentId, isLivePayment, formId } = paymentState
+    const apiKey = getPaymentApiKey(isLivePayment, formId)
+    const paymentService = new PaymentService(apiKey)
 
     // Verify payment is still in capturable state
     const status = await paymentService.getPaymentStatus(paymentId)
@@ -309,19 +315,21 @@ export interface PaymentDispatcherArgs {
   component: PaymentField
   sourceUrl: string
   isLive: boolean
+  isPreview: boolean
 }
 
 /**
  * Session data stored when dispatching to GOV.UK Pay
  */
 export interface PaymentSessionData {
   uuid: string
+  formId: string
   reference: string
   amount: number
   description: string
   paymentId: string
   componentName: string
   returnUrl: string
   failureUrl: string
-  isLive: boolean
+  isLivePayment: boolean
 }

src/server/plugins/engine/components/PaymentField.types.ts

@@ -7,7 +7,8 @@ export interface PaymentState {
   amount: number
   description: string
   uuid: string
-  isLive: boolean
+  formId: string
+  isLivePayment: boolean
   capture?: {
     status: 'success' | 'failed'
     createdAt: string

src/server/plugins/engine/pageControllers/QuestionPageController.ts

@@ -619,15 +619,16 @@ export class QuestionPageController extends PageController {
     request.yar.clear(EXTERNAL_STATE_APPENDAGE)
 
     // Determine if this is a live form (not preview/draft)
-    const { state } = checkFormStatus(request.params)
+    const { state, isPreview } = checkFormStatus(request.params)
     const isLive = state === FormStatus.Live
 
     return await selectedComponent.dispatcher(request, h, {
       component,
       controller: this,
       sourceUrl: request.url.toString(),
       actionArgs: args,
-      isLive
+      isLive,
+      isPreview
     })
   }
 

src/server/plugins/engine/routes/payment.js

@@ -3,6 +3,7 @@ import { StatusCodes } from 'http-status-codes'
 import Joi from 'joi'
 
 import { EXTERNAL_STATE_APPENDAGE } from '~/src/server/constants.js'
+import { getPaymentApiKey } from '~/src/server/plugins/payment/helper.js'
 import { PaymentService } from '~/src/server/plugins/payment/service.js'
 
 export const PAYMENT_RETURN_PATH = '/payment-callback'
@@ -22,7 +23,8 @@ function flashComponentState(request, session, paymentId) {
     amount: session.amount,
     description: session.description,
     uuid: session.uuid,
-    isLive: session.isLive,
+    formId: session.formId,
+    isLivePayment: session.isLivePayment,
     preAuth: {
       status: 'success',
       createdAt: new Date().toISOString()
@@ -69,13 +71,14 @@ function getReturnRoute() {
       }
 
       // 2. Get payment status from GOV.UK Pay
-      const { paymentId, isLive } = session
+      const { paymentId, isLivePayment, formId } = session
 
       if (!paymentId) {
         throw Boom.badRequest('No paymentId in session')
       }
 
-      const paymentService = new PaymentService({ isLive })
+      const apiKey = getPaymentApiKey(isLivePayment, formId)
+      const paymentService = new PaymentService(apiKey)
       const paymentStatus = await paymentService.getPaymentStatus(paymentId)
 
       // 3. Handle different payment states based on GOV.UK Pay status lifecycle
@@ -151,14 +154,15 @@ function getReturnRoute() {
  * Payment session data stored when dispatching to GOV.UK Pay
  * @typedef {object} PaymentSessionData
  * @property {string} uuid - unique identifier for this payment attempt
+ * @property {string} formId - id of the form
  * @property {string} reference - form reference number
  * @property {number} amount - amount in pounds
  * @property {string} description - payment description
  * @property {string} paymentId - GOV.UK Pay payment ID
  * @property {string} componentName - name of the PaymentField component
  * @property {string} returnUrl - URL to redirect to after successful payment
  * @property {string} failureUrl - URL to redirect to after failed/cancelled payment
- * @property {boolean} isLive - whether the payment is using live API key
+ * @property {boolean} isLivePayment - whether the payment is using live API key
  */
 
 /**

src/server/plugins/engine/types.ts

@@ -399,6 +399,7 @@ export interface ExternalArgs {
   sourceUrl: string
   actionArgs: Record<string, string>
   isLive: boolean
+  isPreview: boolean
 }
 
 export interface PostcodeLookupExternalArgs extends ExternalArgs {

src/server/plugins/payment/helper.js

@@ -0,0 +1,22 @@
+import { config } from '~/src/config/index.js'
+
+/**
+ * Determine which payment API key value to use.
+ * If a non-live non-preview form, use the TEST API key value.
+ * If a live (non-preview) form, read the API key value specific to that form.
+ * @param {boolean} isLivePayment - true if this is a live payment (as opposed to a test one)
+ * @param {string} formId - id of the form
+ * @returns {string}
+ */
+export function getPaymentApiKey(isLivePayment, formId) {
+  const apiKeyValue = isLivePayment
+    ? process.env[`PAYMENT_PROVIDER_API_KEY_LIVE_${formId}`]
+    : config.get('paymentProviderApiKeyTest')
+
+  if (!apiKeyValue) {
+    throw new Error(
+      `Missing payment api key for ${isLivePayment ? 'live' : 'test'} form id ${formId}`
+    )
+  }
+  return apiKeyValue
+}

src/server/plugins/payment/service.js

@@ -1,4 +1,3 @@
-import { config } from '~/src/config/index.js'
 import { createLogger } from '~/src/server/common/helpers/logging/logger.js'
 import { get, post, postJson } from '~/src/server/services/httpService.js'
 
@@ -17,30 +16,15 @@ function getAuthHeaders(apiKey) {
   }
 }
 
-/**
- * Gets the fallback API key from global config
- * @param {boolean} isLive
- * @returns {string}
- */
-function getFallbackApiKey(isLive) {
-  return /** @type {string} */ (
-    isLive
-      ? config.get('paymentProviderApiKeyLive')
-      : config.get('paymentProviderApiKeyTest')
-  )
-}
-
 export class PaymentService {
   /** @type {string} */
   #apiKey
 
   /**
-   * @param {object} options
-   * @param {string} [options.apiKey] - API key to use (if not provided, falls back to global config)
-   * @param {boolean} [options.isLive] - whether to use live API key (only used if apiKey not provided)
+   * @param {string} apiKey - API key to use (global config for test value, per-form config for live value)
    */
-  constructor({ apiKey, isLive = false } = {}) {
-    this.#apiKey = apiKey ?? getFallbackApiKey(isLive)
+  constructor(apiKey) {
+    this.#apiKey = apiKey
   }
 
   /**