Merge pull request #155 from NHSDigital/dev/NPA-4513_Update_Status_Codes

JackPlowman · web-flow · commit ea890f7c4718 · 2025-03-12T11:44:36.000Z
NPA-4513 Update POST /FHIR/R4/Consent 4XX Status Codes
diff --git a/sandbox/api/app.py b/sandbox/api/app.py
@@ -150,7 +150,7 @@ def post_consent() -> Union[dict, tuple]:
 
         # Invalid access level
         elif patient_identifier == "9000000025":
-            response = generate_response_from_example(POST_CONSENT__INVALID_ACCESS_LEVEL_ERROR, 400)
+            response = generate_response_from_example(POST_CONSENT__INVALID_ACCESS_LEVEL_ERROR, 403)
 
         # Missing required evidence
         elif patient_identifier == "9000000033":
@@ -166,7 +166,7 @@ def post_consent() -> Union[dict, tuple]:
 
         # Invalid performer NHS number
         elif patient_identifier == "9000000000":
-            response = generate_response_from_example(POST_CONSENT__PERFORMER_IDENTIFIER_ERROR, 400)
+            response = generate_response_from_example(POST_CONSENT__PERFORMER_IDENTIFIER_ERROR, 422)
 
         else:
             # Out of scope errors
diff --git a/sandbox/api/tests/test_app.py b/sandbox/api/tests/test_app.py
@@ -201,11 +201,11 @@ def test_get_consent(
             201,
             "https://sandbox.api.service.nhs.uk/validated-relationships/FHIR/R4/Consent/9000000017",
         ),
-        ("9000000000", POST_CONSENT__PERFORMER_IDENTIFIER_ERROR, 400, None),
+        ("9000000000", POST_CONSENT__PERFORMER_IDENTIFIER_ERROR, 422, None),
         ("9000000049", POST_CONSENT__DUPLICATE_RELATIONSHIP_ERROR, 409, None),
         ("9000000041", POST_CONSENT__INVALID_PATIENT_AGE_ERROR, 422, None),
         ("9000000033", POST_CONSENT__INVALID_EVIDENCE_ERROR, 422, None),
-        ("9000000025", POST_CONSENT__INVALID_ACCESS_LEVEL_ERROR, 400, None),
+        ("9000000025", POST_CONSENT__INVALID_ACCESS_LEVEL_ERROR, 403, None),
     ],
 )
 @patch(f"{APP_FILE_PATH}.generate_response_from_example")
diff --git a/specification/validated-relationships-service-api.yaml b/specification/validated-relationships-service-api.yaml
@@ -438,8 +438,8 @@ paths:
 
             | HTTP status | Error code                  | Description                                                                                                                               |
             | ----------- | --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
-            | 400         | `MISSING_VALUE`             | Missing header or parameter. For details, see the `diagnostics` field.                                                                       |
-            | 400         | `INVALID_VALUE`             | Invalid header. For details, see the `diagnostics` field.                                                                       |
+            | 400         | `MISSING_VALUE`             | Missing header or parameter. For details, see the `diagnostics` field.                                                                    |
+            | 400         | `INVALID_VALUE`             | Invalid header. For details, see the `diagnostics` field.                                                                                 |
             | 400         | `MISSING_IDENTIFIER_VALUE`  | Missing performer NHS number.                                                                                                             |
             | 400         | `NOT_SUPPORTED`             | The request is not currently supported.                                                                                                   |
             | 401         | `ACCESS_DENIED`             | Missing or invalid OAuth 2.0 bearer token in request.                                                                                     |
@@ -450,7 +450,7 @@ paths:
             | 408         | `TIMEOUT`                   | Request timed out.                                                                                                                        |
             | 422         | `INVALID_IDENTIFIER_SYSTEM` | Invalid identifier system.                                                                                                                |
             | 422         | `INVALID_IDENTIFIER_VALUE`  | Malformed performer NHS number.                                                                                                           |
-            | 422         | `INVALID_PARAMETER`         | Invalid parameter. For details, see the `diagnostics` field.                                                                                                                                                              |
+            | 422         | `INVALID_PARAMETER`         | Invalid parameter. For details, see the `diagnostics` field.                                                                              |
             | 429         | `THROTTLED`                 | You have exceeded your application's [rate limit](https://digital.nhs.uk/developer/guides-and-documentation/reference-guide#rate-limits). |
 
           content:
@@ -507,8 +507,8 @@ paths:
         | --------------------------------------- | ---------------------------------------------------------------------------------------------------------- | --------------------------------------------------------- |
         | Successful parent-child proxy creation  | Valid request with a legal basis of parental responsibility, with performer identifier value of 9000000009 | HTTP Status 201 and OperationOutcome response             |
         | Successful adult-adult proxy creation   | Valid request with legal basis of consent, with performer identifier value of 9000000017                   | HTTP Status 201 and OperationOutcome response             |
-        | Invalid performer NHS number            | Request with invalid NHS number format, with performer identifier value of 9000000000                      | HTTP Status 400 and INVALID_NHS_NUMBER error response     |
-        | Invalid access level                    | Request with undefined access level code, with performer identifier value of 9000000025                    | HTTP Status 400 and INVALID_ACCESS_LEVEL error response   |
+        | Invalid access level                    | Request with undefined access level code, with performer identifier value of 9000000025                    | HTTP Status 403 and INVALID_ACCESS_LEVEL error response   |
+        | Invalid performer NHS number            | Request with invalid NHS number format, with performer identifier value of 9000000000                      | HTTP Status 422 and INVALID_NHS_NUMBER error response     |
         | Missing required evidence               | Request without evidence of responsibility, with performer identifier value of 9000000033                  | HTTP Status 422 and MISSING_EVIDENCE error response       |
         | Patient age validation failure          | Request for child proxy where child is over 16, with performer identifier value of 9000000041              | HTTP Status 422 and INVALID_PATIENT_AGE error response    |
         | Duplicate relationship                  | Request for relationship that already exists, with performer identifier value of 9000000049                | HTTP Status 409 and DUPLICATE_RELATIONSHIP error response |
@@ -545,8 +545,23 @@ paths:
               examples:
                 postConsentSuccess:
                   $ref: "./examples/responses/POST_Consent/success.yaml#/PostConsentSuccess"
-        "400":
-          description: Invalid request
+        "4XX":
+          description: |
+            Errors will be returned for the first error encountered in the request. An error occurred as follows:
+
+            | HTTP status | Error code                  | Description                                                                                                                               |
+            | ----------- | --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
+            | 401         | `ACCESS_DENIED`             | Missing or invalid OAuth 2.0 bearer token in request.                                                                                     |
+            | 403         | `FORBIDDEN`                 | Access denied to resource.                                                                                                                |
+            | 403         | `INVALID_ACCESS_LEVEL`      | Invalid authorisation access level                                                                                                        |
+            | 404         | `INVALIDATED_RESOURCE`      | Resource that has been marked as invalid was requested - invalid resources cannot be retrieved                                            |
+            | 408         | `TIMEOUT`                   | Request timed out.                                                                                                                        |
+            | 409         | `DUPLICATE_RELATIONSHIP`    | Conflict with requested proxy role.                                                                                                       |
+            | 422         | `INVALID_NHS_NUMBER`        | Invalid NHS number.                                                                                                                |
+            | 422         | `INVALID_PATIENT_AGE`       | Patient age is invalid.                                                                                                                   |
+            | 422         | `MISSING_EVIDENCE`          | Evidence of responsibility is missing.                                                                                                    |
+            | 429         | `THROTTLED`                 | You have exceeded your application's [rate limit](https://digital.nhs.uk/developer/guides-and-documentation/reference-guide#rate-limits). |
+
           content:
             application/fhir+json:
               schema:
@@ -556,24 +571,10 @@ paths:
                   $ref: "./examples/responses/POST_Consent/errors/invalid_performer_identifier_error.yaml#/PostConsentInvalidPerformerIdentifierError"
                 postConsentInvalidAccessLevel:
                   $ref: "./examples/responses/POST_Consent/errors/invalid_access_level_error.yaml#/PostConsentInvalidAccessLevelError"
-        "422":
-          description: Business rule validation failed
-          content:
-            application/fhir+json:
-              schema:
-                $ref: "#/components/schemas/OperationOutcome"
-              examples:
                 postConsentMissingEvidence:
                   $ref: "./examples/responses/POST_Consent/errors/invalid_evidence_error.yaml#/PostConsentInvalidEvidenceError"
                 postConsentInvalidPatientAge:
                   $ref: "./examples/responses/POST_Consent/errors/invalid_patient_age_error.yaml#/PostConsentInvalidPatientAgeError"
-        "409":
-          description: "Conflict with requested proxy role"
-          content:
-            application/fhir+json:
-              schema:
-                $ref: "#/components/schemas/OperationOutcome"
-              examples:
                 postConsentDuplicateRelationship:
                   $ref: "./examples/responses/POST_Consent/errors/duplicate_relationship_error.yaml#/PostConsentDuplicateRelationshipError"
 
