Chore: [AEA-5508] - Validate ODS code (#2267)

wildjames · tstephen-nhs · anthony-nhs · web-flow · commit 43329b22a3ed · 2025-10-13T12:12:53.000Z
## Summary

- Routine Change

### Details

When we get ODS codes, makes sure that they are:
- capitalised
- trimmed of whitespace

Then, checks that the ODS codes submitted for all data items are:
- non-empty
- consist of only numbers and capital letters

if either of those two checks don't pass, then an error is returned.

---------

Co-authored-by: tstephen-nhs &lt;231503406+tstephen-nhs@users.noreply.github.com&gt;
Co-authored-by: anthony-nhs &lt;121869075+anthony-nhs@users.noreply.github.com&gt;
diff --git a/packages/nhsNotifyLambda/src/utils/auth.ts b/packages/nhsNotifyLambda/src/utils/auth.ts
@@ -19,7 +19,7 @@ export async function tokenExchange(
   ])
 
   const API_KEY = apiKeyRaw?.toString().trim()
-  const PRIVATE_KEY = privateKeyRaw?.toString()
+  const PRIVATE_KEY = privateKeyRaw?.toString().trim()
   const KID = kidRaw?.toString().trim()
 
   if (!API_KEY || !PRIVATE_KEY || !KID) {
diff --git a/packages/nhsNotifyUpdateCallback/src/helpers.ts b/packages/nhsNotifyUpdateCallback/src/helpers.ts
@@ -61,8 +61,8 @@ export async function fetchSecrets(logger: Logger): Promise<void> {
     throw new Error("Failed to get secret values from the AWS secret manager")
   }
 
-  APP_ID = appIdValue.toString()
-  API_KEY = apiKeyValue.toString()
+  APP_ID = appIdValue.toString().trim()
+  API_KEY = apiKeyValue.toString().trim()
 
   // Check again to catch empty strings
   if (!appIdValue || !apiKeyValue) {
diff --git a/packages/updatePrescriptionStatus/src/updatePrescriptionStatus.ts b/packages/updatePrescriptionStatus/src/updatePrescriptionStatus.ts
@@ -111,6 +111,20 @@ const lambdaHandler = async (event: APIGatewayProxyEvent): Promise<APIGatewayPro
 
   const dataItems = buildDataItems(requestEntries, xRequestID, applicationName)
 
+  // If the dataItems contain any invalid ODS codes, then return an error
+  const invalidODSCodes = dataItems
+    .filter(item => {
+      const odsCode = item.PharmacyODSCode
+      if (!odsCode || !/^[A-Z0-9]+$/.test(odsCode)) return true
+      return false
+    })
+    .map(it => it.PharmacyODSCode)
+  if (invalidODSCodes.length) {
+    logger.error("Received invalid ODS codes", {invalidODSCodes})
+    responseEntries = [badRequest(`Received invalid ODS codes: ${JSON.stringify(invalidODSCodes)}`)]
+    return response(400, responseEntries)
+  }
+
   // AEA-4317 (AEA-4365) - Intercept INT test prescriptions
   let testPrescription1Forced201 = false
   let testPrescriptionForcedError = false
@@ -318,7 +332,7 @@ export function buildDataItems(
       LastModified: task.lastModified!,
       LineItemID: task.focus!.identifier!.value!.toUpperCase(),
       PatientNHSNumber: task.for!.identifier!.value!,
-      PharmacyODSCode: task.owner!.identifier!.value!.toUpperCase(),
+      PharmacyODSCode: task.owner!.identifier!.value!.toUpperCase().trim(),
       PrescriptionID: task.basedOn![0].identifier!.value!.toUpperCase(),
       ...(repeatNo !== undefined && {RepeatNo: repeatNo}),
       RequestID: xRequestID,
diff --git a/packages/updatePrescriptionStatus/tests/testHandler.test.ts b/packages/updatePrescriptionStatus/tests/testHandler.test.ts
@@ -217,6 +217,33 @@ describe("Integration tests for updatePrescriptionStatus handler", () => {
     )
   })
 
+  const testInvalidODSCode = async (invalidODSCode: string, expectedErrorCode: string) => {
+    const body = generateBody()
+    const entryResource: any = body.entry?.[0]?.resource
+    if (entryResource?.owner?.identifier) {
+      entryResource.owner.identifier.value = invalidODSCode
+    }
+
+    const event: APIGatewayProxyEvent = generateMockEvent(body)
+
+    const response: APIGatewayProxyResult = await handler(event, {})
+
+    expect(response.statusCode).toBe(400)
+    expect(JSON.parse(response.body)).toEqual(
+      bundleWrap([
+        badRequest(`Received invalid ODS codes: ["${expectedErrorCode}"]`)
+      ])
+    )
+  }
+
+  it("When the ODS code contains a special character, the handler returns a 400 error", async () => {
+    await testInvalidODSCode("AB1$%2", "AB1$%2")
+  })
+
+  it("When the ODS code is a space character, the handler returns a 400 error", async () => {
+    await testInvalidODSCode(" ", "")
+  })
+
   it("when dynamo call fails, expect 500 status code and internal server error message", async () => {
     const event = generateMockEvent(requestDispatched)
     dynamoDBMockSend.mockRejectedValue(new Error() as never)

Original file line number	Diff line number	Diff line change
`@@ -61,8 +61,8 @@ export async function fetchSecrets(logger: Logger): Promise<void> {`
`61`	`61`	`throw new Error("Failed to get secret values from the AWS secret manager")`
`62`	`62`	`}`
`63`	`63`
`64`		`- APP_ID = appIdValue.toString()`
`65`		`- API_KEY = apiKeyValue.toString()`
	`64`	`+ APP_ID = appIdValue.toString().trim()`
	`65`	`+ API_KEY = apiKeyValue.toString().trim()`
`66`	`66`
`67`	`67`	`// Check again to catch empty strings`
`68`	`68`	`if (!appIdValue \|\| !apiKeyValue) {`