NPA-4513 Replace Auth Error

JackPlowman · JackPlowman · commit c2143f35a25f · 2025-03-13T07:37:24.000Z
diff --git a/proxies/live/apiproxy/policies/RaiseFault.403Forbidden.xml b/proxies/live/apiproxy/policies/RaiseFault.403Forbidden.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<!--
+ This policy raises a 401 error response for an invalid or missing access token.
+
+ Raisefault policies stop the execution of the current flow and move to the error flow, which returns the error response defined here to the requesting application.
+
+ For more information on RaiseFault policies within Apigee see the following resource:
+    * https://docs.apigee.com/api-platform/reference/policies/raise-fault-policy
+-->
+<RaiseFault async="false" continueOnError="false" enabled="true" name="RaiseFault.403Forbidden">
+    <DisplayName>RaiseFault.403Forbidden</DisplayName>
+    <Properties/>
+    <FaultResponse>
+        <Set>
+            <Headers>
+              <Header name="Content-Type">application/fhir+json</Header>
+            </Headers>
+            <StatusCode>403</StatusCode>
+            <ReasonPhrase>Forbidden</ReasonPhrase>
+            <Payload>
+                {
+                  "issue": [
+                      {
+                          "code": "forbidden",
+                          "details": {
+                              "coding": [
+                                  {
+                                      "code": "FORBIDDEN",
+                                      "display": "Access Denied",
+                                      "system": "https://fhir.nhs.uk/R4/CodeSystem/ValidatedRelationships-ErrorOrWarningCode",
+                                      "version": "1",
+                                  }
+                              ]
+                          },
+                          "diagnostics": "Access denied to resource.",
+                          "severity": "error",
+                      }
+                  ],
+                  "resourceType": "OperationOutcome",
+              }
+            </Payload>
+        </Set>
+    </FaultResponse>
+    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
+</RaiseFault>
diff --git a/proxies/live/apiproxy/targets/target.xml b/proxies/live/apiproxy/targets/target.xml
@@ -21,11 +21,11 @@
                 <Name>AddUserAuthHeaders</Name>
             </Step>
             <Step>
-                <Name>RaiseFault.401Unauthorized</Name>
+                <Name>RaiseFault.403Forbidden</Name>
                 <Condition>accesstoken.auth_level != "aal3" and proxy.pathsuffix = "/FHIR/R4/Consent" and request.verb = "POST"</Condition>
             </Step>
             <Step>
-                <Name>RaiseFault.401Unauthorized</Name>
+                <Name>RaiseFault.403Forbidden</Name>
                 <Condition>accesstoken.auth_level != "p9" and (proxy.pathsuffix != "/FHIR/R4/Consent" or request.verb != "POST")</Condition>
             </Step>
             <Step>
