Merge pull request #130 from NHSDigital/apm-5277-use-enhanced-verify-api-key

APM-5277 Use enhanced verify api key

Author: fayez166

proxies/live/apiproxy/policies/FlowCallout.EnhancedVerifyApiKey.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<FlowCallout async="false" continueOnError="false" enabled="true" name="FlowCallout.EnhancedVerifyApiKey">
+    <DisplayName>FlowCallout.EnhancedVerifyApiKey</DisplayName>
+    <FaultRules/>
+    <Properties/>
+    <SharedFlowBundle>EnhancedVerifyApiKey</SharedFlowBundle>
+</FlowCallout>

proxies/live/apiproxy/policies/VerifyApiKey.FromHeader.xml

@@ -1,3 +1,3 @@
-<VerifyAPIKey async="false" continueOnError="false" enabled="true" name="VerifyAPIKey.FromHeader">
+<VerifyAPIKey async="false" continueOnError="true" enabled="true" name="VerifyAPIKey.FromHeader">
     <APIKey ref="request.header.apikey"/>
 </VerifyAPIKey>

proxies/live/apiproxy/targets/target.xml

@@ -1,6 +1,12 @@
 <TargetEndpoint name="nhs-website-content-api-target">
   <PreFlow>
     <Request>
+      <!-- EnhancedVerifyApiKey shared flow checks apikeys with no associated products which is missed by Apigee's VerifyApiKey policy. -->
+      <Step>
+        <Name>FlowCallout.EnhancedVerifyApiKey</Name>
+      </Step>
+      <!-- VerifyAPIKey policy is still needed but set to continueOnError="true" to pass rate limiting info from the app to the
+      ApplyRateLimiting policy in the shared flow. -->
       <Step>
         <Name>VerifyAPIKey.FromHeader</Name>
       </Step>