BCDA-9669: Correct OpOutcome response body in v3 (#1294)

## 🎫 Ticket

https://jira.cms.gov/browse/BCDA-9669

## 🛠 Changes

Updated `getRespWriter` conditional in auth/web/logging middleware to
check for v3.
 
## ℹ️ Context

V3 has details.coding removed since we are not following the the
valueset or codes in the operation-outcome specification. For more
details, see this ticket: https://jira.cms.gov/browse/BCDA-8927

<!-- If any of the following security implications apply, this PR must
not be merged without Stephen Walter's approval. Explain in this section
and add @SJWalter11 as a reviewer.
  - Adds a new software dependency or dependencies.
  - Modifies or invalidates one or more of our security controls.
  - Stores or transmits data that was not stored or transmitted before.
- Requires additional review of security implications for other reasons.
-->

## 🧪 Validation

Tests added and passing.

Author: laurenkrugen-navapbc

bcda/auth/middleware.go

@@ -20,6 +20,7 @@ import (
 	"github.com/CMSgov/bcda-app/bcda/models/postgres"
 	responseutils "github.com/CMSgov/bcda-app/bcda/responseutils"
 	responseutilsv2 "github.com/CMSgov/bcda-app/bcda/responseutils/v2"
+	responseutilsv3 "github.com/CMSgov/bcda-app/bcda/responseutils/v3"
 	"github.com/CMSgov/bcda-app/log"
 )
 
@@ -58,7 +59,7 @@ func (m AuthMiddleware) ParseToken(next http.Handler) http.Handler {
 			return
 		}
 
-		rw := getRespWriter(r.URL.Path)
+		rw := GetRespWriter(r.URL.Path)
 
 		authRegexp := regexp.MustCompile(`^Bearer (\S+)$`)
 		authSubmatches := authRegexp.FindStringSubmatch(authHeader)
@@ -170,7 +171,7 @@ func handleTokenVerificationError(ctx context.Context, w http.ResponseWriter, rw
 // This depends on ParseToken being called beforehand in the routing middleware.
 func RequireTokenAuth(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		rw := getRespWriter(r.URL.Path)
+		rw := GetRespWriter(r.URL.Path)
 		ctx := r.Context()
 
 		token := ctx.Value(TokenContextKey)
@@ -193,7 +194,7 @@ func RequireTokenAuth(next http.Handler) http.Handler {
 // CheckBlacklist checks the auth data is associated with a blacklisted entity
 func CheckBlacklist(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		rw := getRespWriter(r.URL.Path)
+		rw := GetRespWriter(r.URL.Path)
 		ctx := r.Context()
 
 		ad, ok := ctx.Value(AuthDataContextKey).(AuthData)
@@ -223,7 +224,7 @@ func CheckBlacklist(next http.Handler) http.Handler {
 func (m AuthMiddleware) RequireTokenJobMatch(db *sql.DB) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		fn := func(w http.ResponseWriter, r *http.Request) {
-			rw := getRespWriter(r.URL.Path)
+			rw := GetRespWriter(r.URL.Path)
 			ctx := r.Context()
 
 			ad, ok := ctx.Value(AuthDataContextKey).(AuthData)
@@ -295,13 +296,13 @@ type fhirResponseWriter interface {
 	OpOutcome(context.Context, http.ResponseWriter, int, string, string)
 }
 
-func getRespWriter(path string) fhirResponseWriter {
+func GetRespWriter(path string) fhirResponseWriter {
 	if strings.Contains(path, "/v1/") {
 		return responseutils.NewFhirResponseWriter()
 	} else if strings.Contains(path, "/v2/") {
 		return responseutilsv2.NewFhirResponseWriter()
 	} else if strings.Contains(path, fmt.Sprintf("/%s/", constants.V3Version)) {
-		return responseutilsv2.NewFhirResponseWriter() // TODO: V3
+		return responseutilsv3.NewFhirResponseWriter()
 	} else {
 		// CommonAuth is used in requests not exclusive to v1 or v2 (ie data requests or /_version).
 		// In the cases we cannot discern a version we default to v1

bcda/auth/middleware_test.go

@@ -567,6 +567,34 @@ func (s *MiddlewareTestSuite) TestCheckBlacklist() {
 
 }
 
+func TestGetRespWriter(t *testing.T) {
+	ctx := context.Background()
+	tests := []struct {
+		name string
+		path string
+	}{
+		{"v1", constants.V1Path},
+		{"v2", constants.V2Path},
+		{"v3", constants.V3Path},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			rr := httptest.NewRecorder()
+			rw := auth.GetRespWriter(tt.path)
+			rw.OpOutcome(ctx, rr, http.StatusUnauthorized, responseutils.TokenErr, responseutils.TokenErr)
+			resp := rr.Body.String()
+			switch tt.name {
+			case "v1":
+				assert.NotContains(t, resp, "coding")
+			case "v2":
+				assert.Contains(t, resp, "coding")
+			case "v3":
+				assert.NotContains(t, resp, "coding")
+			}
+		})
+	}
+}
+
 func TestMiddlewareTestSuite(t *testing.T) {
 	suite.Run(t, new(MiddlewareTestSuite))
 }

bcda/logging/middleware.go

@@ -19,6 +19,7 @@ import (
 	"github.com/CMSgov/bcda-app/bcda/responseutils"
 
 	responseutilsv2 "github.com/CMSgov/bcda-app/bcda/responseutils/v2"
+	responseutilsv3 "github.com/CMSgov/bcda-app/bcda/responseutils/v3"
 	"github.com/CMSgov/bcda-app/bcda/servicemux"
 	"github.com/CMSgov/bcda-app/log"
 	appMiddleware "github.com/CMSgov/bcda-app/middleware"
@@ -156,7 +157,7 @@ func getRespWriter(path string) fhirResponseWriter {
 	} else if strings.Contains(path, "/v2/") {
 		return responseutilsv2.NewFhirResponseWriter()
 	} else if strings.Contains(path, fmt.Sprintf("/%s/", constants.V3Version)) {
-		return responseutilsv2.NewFhirResponseWriter() // TODO: V3
+		return responseutilsv3.NewFhirResponseWriter()
 	} else {
 		return responseutils.NewFhirResponseWriter()
 	}

bcda/logging/middleware_test.go

@@ -22,6 +22,7 @@ import (
 	"github.com/CMSgov/bcda-app/bcda/constants"
 	"github.com/CMSgov/bcda-app/bcda/logging"
 	"github.com/CMSgov/bcda-app/bcda/models"
+	"github.com/CMSgov/bcda-app/bcda/responseutils"
 	"github.com/CMSgov/bcda-app/bcda/testUtils"
 	"github.com/CMSgov/bcda-app/conf"
 	"github.com/CMSgov/bcda-app/log"
@@ -268,3 +269,31 @@ func TestMiddlewareTransactionCtx(t *testing.T) {
 	handlerToTest.ServeHTTP(httptest.NewRecorder(), req)
 
 }
+
+func TestGetRespWriter(t *testing.T) {
+	ctx := context.Background()
+	tests := []struct {
+		name string
+		path string
+	}{
+		{"v1", constants.V1Path},
+		{"v2", constants.V2Path},
+		{"v3", constants.V3Path},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			rr := httptest.NewRecorder()
+			rw := auth.GetRespWriter(tt.path)
+			rw.OpOutcome(ctx, rr, http.StatusUnauthorized, responseutils.TokenErr, responseutils.TokenErr)
+			resp := rr.Body.String()
+			switch tt.name {
+			case "v1":
+				assert.NotContains(t, resp, "coding")
+			case "v2":
+				assert.Contains(t, resp, "coding")
+			case "v3":
+				assert.NotContains(t, resp, "coding")
+			}
+		})
+	}
+}

bcda/web/middleware/validation.go

@@ -13,6 +13,7 @@ import (
 	"github.com/CMSgov/bcda-app/bcda/constants"
 	responseutils "github.com/CMSgov/bcda-app/bcda/responseutils"
 	responseutilsv2 "github.com/CMSgov/bcda-app/bcda/responseutils/v2"
+	responseutilsv3 "github.com/CMSgov/bcda-app/bcda/responseutils/v3"
 	"github.com/CMSgov/bcda-app/log"
 	"github.com/sirupsen/logrus"
 )
@@ -405,7 +406,7 @@ func getRespWriter(version string) (fhirResponseWriter, error) {
 	case "v2":
 		return responseutilsv2.NewFhirResponseWriter(), nil
 	case constants.V3Version:
-		return responseutilsv2.NewFhirResponseWriter(), nil
+		return responseutilsv3.NewFhirResponseWriter(), nil
 	default:
 		return nil, fmt.Errorf("unexpected API version: %s", version)
 	}

bcda/web/middleware/validation_test.go

@@ -8,7 +8,9 @@ import (
 	"testing"
 	"time"
 
+	"github.com/CMSgov/bcda-app/bcda/auth"
 	"github.com/CMSgov/bcda-app/bcda/constants"
+	"github.com/CMSgov/bcda-app/bcda/responseutils"
 	"github.com/CMSgov/bcda-app/log"
 	"github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
@@ -263,3 +265,31 @@ func TestValidateTypeFilterTagCodes(t *testing.T) {
 		})
 	}
 }
+
+func TestGetRespWriter(t *testing.T) {
+	ctx := context.Background()
+	tests := []struct {
+		name string
+		path string
+	}{
+		{"v1", constants.V1Path},
+		{"v2", constants.V2Path},
+		{"v3", constants.V3Path},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			rr := httptest.NewRecorder()
+			rw := auth.GetRespWriter(tt.path)
+			rw.OpOutcome(ctx, rr, http.StatusUnauthorized, responseutils.TokenErr, responseutils.TokenErr)
+			resp := rr.Body.String()
+			switch tt.name {
+			case "v1":
+				assert.NotContains(t, resp, "coding")
+			case "v2":
+				assert.Contains(t, resp, "coding")
+			case "v3":
+				assert.NotContains(t, resp, "coding")
+			}
+		})
+	}
+}