Feature/DF-680 location maps auth (#1070)

davidjamesstone · web-flow · commit 0be05466d8dc · 2026-02-03T14:49:38.000Z
* Add ordnanceSurveyApiSecret configuration * Remove https://api.os.uk from CSP * Update forms-engine-plugin to v4.0.43
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -41,7 +41,7 @@
   "license": "SEE LICENSE IN LICENSE",
   "dependencies": {
     "@aws-sdk/client-sns": "^3.972.0",
-    "@defra/forms-engine-plugin": "^4.0.42",
+    "@defra/forms-engine-plugin": "^4.0.43",
     "@defra/forms-model": "^3.0.601",
     "@defra/hapi-tracing": "^1.30.0",
     "@elastic/ecs-pino-format": "^1.5.0",
diff --git a/src/config/index.ts b/src/config/index.ts
@@ -308,6 +308,14 @@ export const config = convict({
     env: 'ORDNANCE_SURVEY_API_KEY'
   } as SchemaObj<string | undefined>,
 
+  ordnanceSurveyApiSecret: {
+    doc: 'The ordnance survey api secret used by the maps plugin',
+    format: String,
+    nullable: true,
+    default: undefined,
+    env: 'ORDNANCE_SURVEY_API_SECRET'
+  } as SchemaObj<string | undefined>,
+
   useMapsFeature: {
     doc: 'Feature flag to control maps',
     format: Boolean,
diff --git a/src/server/index.ts b/src/server/index.ts
@@ -185,7 +185,8 @@ export const configureEnginePlugin = async ({
         SummaryPageWithConfirmationEmailController,
         FeedbackPageController
       },
-      ordnanceSurveyApiKey: config.get('ordnanceSurveyApiKey')
+      ordnanceSurveyApiKey: config.get('ordnanceSurveyApiKey'),
+      ordnanceSurveyApiSecret: config.get('ordnanceSurveyApiSecret')
     }
   }
   const routeOptions = {
diff --git a/src/server/plugins/blankie.test.ts b/src/server/plugins/blankie.test.ts
@@ -11,11 +11,7 @@ describe('Server Blankie Plugin', () => {
       defaultSrc: ['self'],
       fontSrc: ['self', 'data:'],
       frameSrc: ['self', 'data:'],
-      connectSrc: [
-        'self',
-        'https://api.os.uk',
-        'https://test-uploader.cdp-int.defra.cloud'
-      ],
+      connectSrc: ['self', 'https://test-uploader.cdp-int.defra.cloud'],
       scriptSrc: ['self', 'strict-dynamic', 'unsafe-inline'],
       styleSrc: ['self', 'unsafe-inline'],
       imgSrc: ['self', 'data:'],
@@ -35,7 +31,6 @@ describe('Server Blankie Plugin', () => {
       frameSrc: ['self', 'data:'],
       connectSrc: [
         'self',
-        'https://api.os.uk',
         'https://*.google-analytics.com',
         'https://*.analytics.google.com',
         'https://*.googletagmanager.com',
@@ -76,6 +71,6 @@ describe('Server Blankie Plugin', () => {
 
     const { options } = configureBlankiePlugin()
 
-    expect(options?.connectSrc).toEqual(['self', 'https://api.os.uk'])
+    expect(options?.connectSrc).toEqual(['self'])
   })
 })
diff --git a/src/server/plugins/blankie.ts b/src/server/plugins/blankie.ts
@@ -29,7 +29,6 @@ export const configureBlankiePlugin = (): ServerRegisterPluginObject<
       fontSrc: ['self', 'data:'],
       connectSrc: [
         ['self'],
-        ['https://api.os.uk'],
         gaTrackingId ? googleAnalyticsOptions.connectSrc : [],
         uploaderUrl ? [uploaderUrl] : []
       ].flat(),

Original file line number	Diff line number	Diff line change
`@@ -185,7 +185,8 @@ export const configureEnginePlugin = async ({`
`185`	`185`	`SummaryPageWithConfirmationEmailController,`
`186`	`186`	`FeedbackPageController`
`187`	`187`	`},`
`188`		`- ordnanceSurveyApiKey: config.get('ordnanceSurveyApiKey')`
	`188`	`+ ordnanceSurveyApiKey: config.get('ordnanceSurveyApiKey'),`
	`189`	`+ ordnanceSurveyApiSecret: config.get('ordnanceSurveyApiSecret')`
`189`	`190`	`}`
`190`	`191`	`}`
`191`	`192`	`const routeOptions = {`