ELI-404: Fix Error message returned for authorisation failure

Author: shweta-nhs

src/eligibility_signposting_api/common/api_error_response.py

@@ -26,7 +26,7 @@ class FHIRIssueCode(str, Enum):
 
 
 class FHIRSpineErrorCode(str, Enum):
-    INVALID_NHS_NUMBER = "INVALID_NHS_NUMBER"
+    ACCESS_DENIED = "ACCESS_DENIED"
     INVALID_PARAMETER = "INVALID_PARAMETER"
     BAD_REQUEST = "BAD_REQUEST"
     INTERNAL_SERVER_ERROR = "INTERNAL_SERVER_ERROR"
@@ -144,8 +144,8 @@ def log_and_generate_response(
     fhir_issue_code=FHIRIssueCode.FORBIDDEN,
     fhir_issue_severity=FHIRIssueSeverity.ERROR,
     fhir_coding_system="https://fhir.nhs.uk/STU3/ValueSet/Spine-ErrorOrWarningCode-1",
-    fhir_error_code=FHIRSpineErrorCode.INVALID_NHS_NUMBER,
-    fhir_display_message="The provided NHS number does not match the record.",
+    fhir_error_code=FHIRSpineErrorCode.ACCESS_DENIED,
+    fhir_display_message="Access has been denied to process this request.",
 )
 
 

src/eligibility_signposting_api/common/request_validator.py

@@ -67,10 +67,8 @@ def wrapper(event: LambdaEvent, context: LambdaContext) -> dict[str, Any] | None
                 )
 
             if not validate_nhs_number(path_nhs_no, header_nhs_no):
-                message = f"NHS Number {path_nhs_no or ''} does not match the header NHS Number {header_nhs_no or ''}"
-                return NHS_NUMBER_MISMATCH_ERROR.log_and_generate_response(
-                    log_message=message, diagnostics=message, location_param="id"
-                )
+                message = "You are not authorised to request information for the supplied NHS Number"
+                return NHS_NUMBER_MISMATCH_ERROR.log_and_generate_response(log_message=message, diagnostics=message)
 
             query_params = event.get("queryStringParameters")
             if query_params:

tests/integration/lambda/test_app_running_as_lambda.py

@@ -303,14 +303,13 @@ def test_given_nhs_number_in_path_does_not_match_with_nhs_number_in_headers_resu
                         has_entries(
                             severity="error",
                             code="forbidden",
-                            diagnostics=f"NHS Number {persisted_person} does "
-                            f"not match the header NHS Number 123{persisted_person!s}",
+                            diagnostics="You are not authorised to request information for the supplied NHS Number",
                             details={
                                 "coding": [
                                     {
                                         "system": "https://fhir.nhs.uk/STU3/ValueSet/Spine-ErrorOrWarningCode-1",
-                                        "code": "INVALID_NHS_NUMBER",
-                                        "display": "The provided NHS number does not match the record.",
+                                        "code": "ACCESS_DENIED",
+                                        "display": "Access has been denied to process this request.",
                                     }
                                 ]
                             },
@@ -350,13 +349,13 @@ def test_given_nhs_number_not_present_in_headers_results_in_error_response(
                         has_entries(
                             severity="error",
                             code="forbidden",
-                            diagnostics=f"NHS Number {persisted_person} does not match the header NHS Number ",
+                            diagnostics="You are not authorised to request information for the supplied NHS Number",
                             details={
                                 "coding": [
                                     {
                                         "system": "https://fhir.nhs.uk/STU3/ValueSet/Spine-ErrorOrWarningCode-1",
-                                        "code": "INVALID_NHS_NUMBER",
-                                        "display": "The provided NHS number does not match the record.",
+                                        "code": "ACCESS_DENIED",
+                                        "display": "Access has been denied to process this request.",
                                     }
                                 ]
                             },

tests/unit/common/test_request_validator.py

@@ -79,7 +79,9 @@ def test_validate_request_params_nhs_mismatch(self, caplog):
         response_body = json.loads(response["body"])
         issue = response_body["issue"][0]
         assert issue["code"] == "forbidden"
-        assert issue["diagnostics"] == ("NHS Number 0987654321 does not match the header NHS Number 1234567890")
+        assert issue["details"]["coding"][0]["code"] == "ACCESS_DENIED"
+        assert issue["details"]["coding"][0]["display"] == "Access has been denied to process this request."
+        assert issue["diagnostics"] == "You are not authorised to request information for the supplied NHS Number"
 
     def test_validate_request_params_nhs_missing_in_path(self, caplog):
         mock_handler = MagicMock()