diff --git a/app/assets/javascripts/expand-endpoint.js b/app/assets/javascripts/expand-endpoint.js index 287c65db..477bd19e 100644 --- a/app/assets/javascripts/expand-endpoint.js +++ b/app/assets/javascripts/expand-endpoint.js @@ -5,7 +5,6 @@ var lastPart = url.split("#").pop(); var endpoint = document.getElementById(lastPart + "-details"); if (endpoint != null) { - var endpoint = document.getElementById(lastPart + "-details"); var att = document.createAttribute("open"); att.value = ""; endpoint.setAttributeNode(att); @@ -37,10 +36,8 @@ var clickedEndpoint = e.target.id var parentEndpoint = document.getElementById(clickedEndpoint + "-details"); if (parentEndpoint.hasAttribute("open")) { - var parentEndpoint = document.getElementById(clickedEndpoint + "-details"); parentEndpoint.removeAttribute("open"); } else { - var parentEndpoint = document.getElementById(clickedEndpoint + "-details"); var att = document.createAttribute("open"); att.value = ""; parentEndpoint.setAttributeNode(att); @@ -70,14 +67,17 @@ window.addEventListener('load', function () { expandEnpoint() - var allLinks = document.querySelector("#endpoints").querySelectorAll('a[href^="#"]'); - for (var i = 0; i < allLinks.length; i++) { - allLinks[i].addEventListener('click', function (e) { - e.preventDefault(); - document.querySelector(this.getAttribute('href')).scrollIntoView({ - behavior: 'smooth' + var endpoints = document.querySelector("#endpoints") + if (endpoints) { + var allLinks = endpoints.querySelectorAll('a[href^="#"]'); + for (var i = 0; i < allLinks.length; i++) { + allLinks[i].addEventListener('click', function (e) { + e.preventDefault(); + document.querySelector(this.getAttribute('href')).scrollIntoView({ + behavior: 'smooth' + }); }); - }); + } } }); })(); diff --git a/app/uk/gov/hmrc/apidocumentation/views/AuthorisationAppRestrictedEndpointsView.scala.html b/app/uk/gov/hmrc/apidocumentation/views/AuthorisationAppRestrictedEndpointsView.scala.html index 6c88ae20..5f2face5 100644 
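Review bot: The click handler in the load listener still dereferences `document.querySelector(this.getAttribute('href'))` with no null check, so a link whose fragment has no matching element throws a TypeError after `e.preventDefault()` has already suppressed the browser's own jump; the new `if (endpoints)` guard does not cover this. A bare `#` href, or a fragment that is not a valid CSS identifier, also makes `querySelector` throw. Resolving the target first avoids both: `var target = document.getElementById(this.getAttribute('href').slice(1));` followed by `if (target) { target.scrollIntoView({ behavior: 'smooth' }); }`. The new `var endpoints = document.querySelector("#endpoints")` line is also missing its terminating semicolon, unlike the surrounding statements.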
--- a/app/uk/gov/hmrc/apidocumentation/views/AuthorisationAppRestrictedEndpointsView.scala.html +++ b/app/uk/gov/hmrc/apidocumentation/views/AuthorisationAppRestrictedEndpointsView.scala.html @@ -53,7 +53,7 @@

Application-restricted endpoints

generate an access token.

- If the endpoint requires a scope, + If the endpoint requires a scope, your application must include this scope when creating the access token.

Read the API documentation for authorisation rules for specific API endpoints.

@@ -117,7 +117,7 @@

1. Generate an access token

scope A space-delimited list of - scopes + scopes you want permission to access. A scope is optional for some endpoints. If a scope is required, check the API documentation for details. @@ -207,7 +207,7 @@

1. Generate an access token

2. Call an API

You can now call an API using the access_token we issued. Do this with an Authorization header containing this access_token as an OAuth 2.0 Bearer - Token with the correct API scope. + Token with the correct API scope.

Example request

curl -X GET @{applicationConfig.sandboxApiBaseUrl}/hello/application \
diff --git a/app/uk/gov/hmrc/apidocumentation/views/AuthorisationUserRestrictedEndpointsView.scala.html b/app/uk/gov/hmrc/apidocumentation/views/AuthorisationUserRestrictedEndpointsView.scala.html
index aba9529f..aeadd944 100644
--- a/app/uk/gov/hmrc/apidocumentation/views/AuthorisationUserRestrictedEndpointsView.scala.html
+++ b/app/uk/gov/hmrc/apidocumentation/views/AuthorisationUserRestrictedEndpointsView.scala.html
@@ -54,7 +54,7 @@ 

User-restricted endpoints

HMRC on their behalf, without sharing their access credentials.

-

The end user authenticates directly with us using their Government Gateway account, and grants authority for specific scopes.

+

The end user authenticates directly with us using their Government Gateway account, and grants authority for specific scopes.

We then issue an OAuth 2.0 access token that’s specific to the end user. Your application passes the access token in subsequent API requests to user-restricted endpoints.

@@ -91,7 +91,7 @@

1. Request authorisation

  • We prompt the user to sign in using their Government Gateway account.
  • The user is taken through 2-Step Verification (2SV).
  • The user may be asked to confirm their identity. This depends on the user type, the specific API scopes being requested and whether or not the user has previously confirmed their identity.
  • -
  • The user is asked to grant your application the authority to access certain scopes.
  • +
  • The user is asked to grant your application the authority to access certain scopes.
  • The following diagram illustrates the process:

    diff --git a/app/uk/gov/hmrc/apidocumentation/views/OpenApiPreviewRedoc.scala.html b/app/uk/gov/hmrc/apidocumentation/views/OpenApiPreviewRedoc.scala.html index f191ba39..d99914bf 100644 --- a/app/uk/gov/hmrc/apidocumentation/views/OpenApiPreviewRedoc.scala.html +++ b/app/uk/gov/hmrc/apidocumentation/views/OpenApiPreviewRedoc.scala.html @@ -14,21 +14,23 @@ * limitations under the License. *@ +@import views.html.helper.CSPNonce + @this() -@(uri: String) +@(uri: String)(implicit requestHeader: RequestHeader)
    - - + + @* To fix this issue: https://github.com/Redocly/redoc/issues/1108#issuecomment-585990742 *@ - - + + @* To fix this issue: https://github.com/Redocly/redoc/issues/1108#issuecomment-585990742 *@ - + diff --git a/app/uk/gov/hmrc/apidocumentation/views/include/main.scala.html b/app/uk/gov/hmrc/apidocumentation/views/include/main.scala.html index d8be9e8d..e918deff 100644 --- a/app/uk/gov/hmrc/apidocumentation/views/include/main.scala.html +++ b/app/uk/gov/hmrc/apidocumentation/views/include/main.scala.html @@ -26,6 +26,7 @@ @import uk.gov.hmrc.apidocumentation.views.templates.FooterLinks @import play.twirl.api.HtmlFormat +@import views.html.helper.CSPNonce @this( govukTemplate: GovukTemplate, @@ -45,7 +46,7 @@ additionalTopContent: Option[Html] = None, fullWidthContent: Boolean = false, bodyEndBlock: Option[Html] = None - )(mainContent: Html = HtmlFormat.empty)(implicit applicationConfig: ApplicationConfig, messages: Messages, request: play.api.mvc.Request[Any]) + )(mainContent: Html = HtmlFormat.empty)(implicit applicationConfig: ApplicationConfig, messages: Messages, request: play.api.mvc.Request[Any], requestHeader: RequestHeader) @head = { @@ -53,8 +54,8 @@ } @scripts = { - - + + } @@ -65,7 +66,7 @@ } @scriptElem = { - + } @footerBlock = { diff --git a/app/uk/gov/hmrc/apidocumentation/views/openapispec/ParentPageView.scala.html b/app/uk/gov/hmrc/apidocumentation/views/openapispec/ParentPageView.scala.html index e0e8eaad..6380a938 100644 --- a/app/uk/gov/hmrc/apidocumentation/views/openapispec/ParentPageView.scala.html +++ b/app/uk/gov/hmrc/apidocumentation/views/openapispec/ParentPageView.scala.html 
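Review bot: The script elements of this hunk are not recoverable on this page, so whether each one now carries `@CSPNonce.attr` cannot be confirmed here; under the new nonce-plus-`'strict-dynamic'` `script-src` in conf/application.conf, any inline or `src` script without the nonce is blocked, and host allowlists no longer help. That applies equally to the script blocks changed in include/main.scala.html, templates/GovUkWrapper.scala.html, templates/LayoutHomePage.scala.html and openapispec/ParentPageView.scala.html in this commit. Scripts emitted by library components rather than by these templates (the `@hmrcTrackingConsentSnippet()` call in GovUkWrapper, for instance) must be covered by the same rule, either by taking the nonce themselves or by being injected from a nonced script, which `'strict-dynamic'` permits. A quick check is to load each page with the browser console open and look for CSP violation messages.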
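Review bot: The added implicit `requestHeader: RequestHeader` in the signature of include/main.scala.html is redundant: `play.api.mvc.Request[Any]` extends `RequestHeader`, so the existing implicit `request` already satisfies the `RequestHeader` that `CSPNonce.attr` requires, and the extra parameter only forces every caller to provide both. The same applies to the signatures changed in templates/GovUkWrapper.scala.html and templates/LayoutHomePage.scala.html. Unless something in these templates needs a separately typed header, I would keep the original parameter list, `)(mainContent: Html = HtmlFormat.empty)(implicit applicationConfig: ApplicationConfig, messages: Messages, request: play.api.mvc.Request[Any])`, and leave only the new `@import views.html.helper.CSPNonce`. If the extra implicit was added to work around an ambiguity elsewhere, a comment on the signature saying so would help the next reader.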
@@ -22,10 +22,12 @@ @import uk.gov.hmrc.apidocumentation.services._ @import uk.gov.hmrc.apidocumentation.config.ApplicationConfig @import uk.gov.hmrc.apidocumentation.models.apispecification.DocumentationItem +@import views.html.helper.CSPNonce @this(applicationConfig: ApplicationConfig) -@(markdownBlocks: List[DocumentationItem], title: String, maybeVersion: Option[ExtendedAPIVersion], maybeApi: Option[ExtendedAPIDefinition], loggedIn: Boolean = false) +@(markdownBlocks: List[DocumentationItem], title: String, maybeVersion: Option[ExtendedAPIVersion], maybeApi: Option[ExtendedAPIDefinition], loggedIn: Boolean = false +)(implicit requestHeader: RequestHeader) @renderGetApiVersionForm = { @for(api <- maybeApi) { @@ -138,4 +140,4 @@

    } - + diff --git a/app/uk/gov/hmrc/apidocumentation/views/templates/GovUkWrapper.scala.html b/app/uk/gov/hmrc/apidocumentation/views/templates/GovUkWrapper.scala.html index 3f41d2c2..b1ce5ccf 100644 --- a/app/uk/gov/hmrc/apidocumentation/views/templates/GovUkWrapper.scala.html +++ b/app/uk/gov/hmrc/apidocumentation/views/templates/GovUkWrapper.scala.html @@ -24,6 +24,7 @@ @import uk.gov.hmrc.apidocumentation.views.html.include @import uk.gov.hmrc.apidocumentation.views.html.partials @import uk.gov.hmrc.apidocumentation.views.html.templates._ +@import views.html.helper.CSPNonce @this( govukTemplate: GovukTemplate, @@ -44,7 +45,7 @@ navLinks: Seq[NavLink] = Seq.empty, leftNav: Option[Html] = None, feedbackBanner: Option[FeedbackBanner] = Some(GenericFeedbackBanner) -)(contentBlock: Html)(implicit applicationConfig: ApplicationConfig, messages: Messages, request: play.api.mvc.Request[Any]) +)(contentBlock: Html)(implicit applicationConfig: ApplicationConfig, messages: Messages, request: play.api.mvc.Request[Any], requestHeader: RequestHeader) @head = { @hmrcTrackingConsentSnippet() @@ -52,9 +53,9 @@ } @scripts = { - - - + + + } @@ -103,7 +104,7 @@ @siteHelper() - + } diff --git a/app/uk/gov/hmrc/apidocumentation/views/templates/LayoutHomePage.scala.html b/app/uk/gov/hmrc/apidocumentation/views/templates/LayoutHomePage.scala.html index e1c13c1d..89d4df22 100644 --- a/app/uk/gov/hmrc/apidocumentation/views/templates/LayoutHomePage.scala.html +++ b/app/uk/gov/hmrc/apidocumentation/views/templates/LayoutHomePage.scala.html @@ -22,6 +22,7 @@ @import uk.gov.hmrc.apidocumentation.views.templates.FooterLinks @import uk.gov.hmrc.govukfrontend.views.viewmodels.pagelayout.PageLayout @import uk.gov.hmrc.apidocumentation.views.html.FullWidthContent +@import views.html.helper.CSPNonce @this( govukTemplate: GovukTemplate, @@ -46,8 +47,8 @@ } @scripts = { - - + + } @bodyEndDefault = { diff --git a/conf/application.conf b/conf/application.conf index 09732211..7d8f22c6 100644 
--- a/conf/application.conf +++ b/conf/application.conf @@ -87,12 +87,7 @@ platform { } } -play.filters.csp.directives.default-src = "'unsafe-inline' 'self' localhost:* https://www.google-analytics.com" -play.filters.csp.directives.script-src = "'unsafe-inline' 'self' localhost:12345 localhost:9032 https://www.google-analytics.com https://www.googletagmanager.com https://tagmanager.google.com" -play.filters.csp.directives.style-src = "'unsafe-inline' 'self' localhost:9032 https://tagmanager.google.com https://fonts.googleapis.com" -play.filters.csp.directives.img-src = "data: 'self' localhost:9032 https://ssl.gstatic.com https://www.gstatic.com https://www.google-analytics.com https://www.googletagmanager.com" -play.filters.csp.directives.font-src = "'self' https://ssl.gstatic.com https://www.gstatic.com https://fonts.gstatic.com https://fonts.googleapis.com" -play.filters.csp.directives.worker-src = "'self' blob:" +play.filters.csp.directives.script-src = ${play.filters.csp.nonce.pattern} "'strict-dynamic' 'unsafe-inline' https: http:" retryCount = 3 retryDelayMilliseconds = 500 diff --git a/project/AppDependencies.scala b/project/AppDependencies.scala index 55d076fd..61308f23 100644 --- a/project/AppDependencies.scala +++ b/project/AppDependencies.scala @@ -6,7 +6,7 @@ object AppDependencies { def apply(): Seq[ModuleID] = compile ++ test lazy val playJsonVersion = "2.9.2" - lazy val bootstrapVersion = "7.12.0" + lazy val bootstrapVersion = "7.14.0" lazy val seleniumVersion = "4.2.0" lazy val compile = Seq( 
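Review bot: The removed `default-src`, `style-src`, `img-src`, `font-src` and `worker-src` lines are not replaced, so after this hunk nothing in this file governs styles, images, fonts or workers, and the hosts they allowlisted (fonts.googleapis.com, gstatic, google-analytics, `blob:` workers) are no longer mentioned anywhere. Whether those resource types end up blocked or unrestricted depends on the defaults the framework supplies — Play's reference configuration sets `default-src 'self'` as far as I recall, which would block the Google Fonts and gstatic assets — so the effective header should be checked in a browser before this ships. The new `script-src` value follows the usual nonce pattern: nonce-aware browsers ignore `'unsafe-inline'`, `https:` and `http:` once a nonce or `'strict-dynamic'` is present, so those tokens are a fallback for older browsers, not a loosening. It also relies on nonce generation (`play.filters.csp.nonce.enabled`) and the CSP filter itself being on; neither is set in this file, so confirm the defaults in use.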
@@ -14,8 +14,8 @@ object AppDependencies { caffeine, "uk.gov.hmrc" %% "bootstrap-frontend-play-28" % bootstrapVersion, "uk.gov.hmrc" %% "http-metrics" % "2.7.0", - "uk.gov.hmrc" %% "play-partials" % "8.3.0-play-28", - "uk.gov.hmrc" %% "play-frontend-hmrc" % "6.2.0-play-28", + "uk.gov.hmrc" %% "play-partials" % "8.4.0-play-28", + "uk.gov.hmrc" %% "play-frontend-hmrc" % "7.0.0-play-28", "org.typelevel" %% "cats-core" % "2.6.1", "org.commonjava.googlecode.markdown4j" % "markdown4j" % "2.2-cj-1.1", "com.typesafe.play" %% "play-json" % playJsonVersion, diff --git a/project/plugins.sbt b/project/plugins.sbt index b8971778..aa60a935 100644 --- a/project/plugins.sbt +++ b/project/plugins.sbt @@ -3,7 +3,7 @@ resolvers += Resolver.url("HMRC-open-artefacts-ivy", url("https://open.artefacts addSbtPlugin("uk.gov.hmrc" % "sbt-auto-build" % "3.9.0") addSbtPlugin("uk.gov.hmrc" % "sbt-distributables" % "2.2.0") -addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.8.18") +addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.8.19") addSbtPlugin("org.scoverage" % "sbt-scoverage" % "1.9.3") addSbtPlugin("org.irundaia.sbt" % "sbt-sassify" % "1.5.1") addSbtPlugin("net.ground5hark.sbt" % "sbt-concat" % "0.2.0") diff --git a/test/uk/gov/hmrc/apidocumentation/views/CommonViewSpec.scala.scala b/test/uk/gov/hmrc/apidocumentation/views/CommonViewSpec.scala.scala index 6b780f1f..8743e94d 100644 --- a/test/uk/gov/hmrc/apidocumentation/views/CommonViewSpec.scala.scala +++ b/test/uk/gov/hmrc/apidocumentation/views/CommonViewSpec.scala.scala 
@@ -19,15 +19,16 @@ package uk.gov.hmrc.apidocumentation.views import java.util.Locale import org.scalatest.OptionValues -import org.scalatestplus.play.guice.GuiceOneAppPerSuite import org.scalatestplus.play.WsScalaTestClient +import org.scalatestplus.play.guice.GuiceOneAppPerSuite + import play.api.i18n._ -import play.api.mvc.{AnyContent, Request} +import play.api.mvc.request.RequestAttrKey +import play.api.test.FakeRequest + import uk.gov.hmrc.apidocumentation.common.utils.AsyncHmrcSpec trait CommonViewSpec extends AsyncHmrcSpec with OptionValues with WsScalaTestClient with GuiceOneAppPerSuite { implicit val messagesProvider: MessagesProvider = MessagesImpl(Lang(Locale.ENGLISH), new DefaultMessagesApi()) - implicit val request = mock[Request[AnyContent]] - - when(request.uri).thenReturn("/fake/uri") + implicit val request = FakeRequest("GET", "/fake/uri").addAttr(RequestAttrKey.CSPNonce, "fake-nonce") }
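Review bot: `implicit val request` in CommonViewSpec is declared without an explicit type, and implicit definitions should state their result type (scalac warns about it and Scala 3 requires it), especially now that the inferred type decides which of `Request[Any]` and `RequestHeader` the views receive. I would write `implicit val request: Request[AnyContentAsEmpty.type] = FakeRequest("GET", "/fake/uri").addAttr(RequestAttrKey.CSPNonce, "fake-nonce")`, with `Request` and `AnyContentAsEmpty` imported from `play.api.mvc` (the old `play.api.mvc.{AnyContent, Request}` import was dropped in the same hunk). The trailing `}` suggests the trait ends inside the hunk, but the rest of its body above `@@ -19` is outside this view.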