Stop sending API key with API requests

forms-admin does not require an API key for requests as the /api/
endpoints are only accessible from within the VPC in our deployed
environments.

Stop sending the API key with requests and remove the configuration
setting as forms-runner now makes requests to forms-admin rather than
forms-api.

Author: stephencdaly

.review_apps/ecs_task_definition.tf

@@ -22,7 +22,6 @@ locals {
     { name = "SETTINGS__ANALYTICS_ENABLED", value = "false" },
     { name = "SETTINGS__CLOUDWATCH_METRICS_ENABLED", value = "false" },
     { name = "SETTINGS__FORMS_ADMIN__BASE_URL", value = "https://${local.admin_app_hostname}" },
-    { name = "SETTINGS__FORMS_API__AUTH_KEY", value = "unsecured_api_key_for_review_apps_only" },
     { name = "SETTINGS__FORMS_API__BASE_URL", value = "http://localhost:9292" },
     { name = "SETTINGS__FORMS_ENV", value = "review" },
 
@@ -40,7 +39,6 @@ locals {
     { name = "RAILS_DEVELOPMENT_HOSTS", value = "localhost:9292" },
     { name = "RAILS_ENV", value = "production" },
     { name = "SECRET_KEY_BASE", value = "unsecured_secret_key_material" },
-    { name = "SETTINGS__FORMS_API__AUTH_KEY", value = "unsecured_api_key_for_review_apps_only" },
     { name = "SETTINGS__FORMS_ENV", value = "review" },
   ]
 

app/resources/api/v2/form_document_resource.rb

@@ -3,7 +3,6 @@ class Api::V2::FormDocumentResource < ActiveResource::Base
   self.site = Settings.forms_api.base_url
   self.prefix = "/api/v2/"
   self.include_format_in_path = false
-  headers["X-API-Token"] = Settings.forms_api.auth_key
 
   class Step < ActiveResource::Base
     self.site = Settings.forms_api.base_url

config/settings.yml

@@ -6,8 +6,6 @@ forms_admin:
   base_url: http://localhost:3000
 
 forms_api:
-  # Authentication key to authenticate forms-runner to forms-api
-  auth_key: development_key
   # URL to form-admin API endpoints
   base_url: http://localhost:3000
 

spec/config/settings_spec.rb

@@ -29,7 +29,6 @@
   describe ".forms_api" do
     forms_api = settings[:forms_api]
 
-    include_examples expected_value_test, :auth_key, forms_api, "development_key"
     include_examples expected_value_test, :base_url, forms_api, "http://localhost:3000"
   end
 

spec/features/email_confirmation_spec.rb

@@ -6,18 +6,8 @@
   let(:question_text) { Faker::Lorem.question }
   let(:text_answer) { Faker::Lorem.sentence }
 
-  let(:req_headers) do
-    {
-      "X-API-Token" => Settings.forms_api.auth_key,
-      "Accept" => "application/json",
-    }
-  end
-  let(:post_headers) do
-    {
-      "X-API-Token" => Settings.forms_api.auth_key,
-      "Content-Type" => "application/json",
-    }
-  end
+  let(:req_headers) { { "Accept" => "application/json" } }
+  let(:post_headers) { { "Content-Type" => "application/json" } }
 
   before do
     ActiveResource::HttpMock.respond_to do |mock|

spec/features/fill_in_and_submit_form_spec.rb

@@ -7,19 +7,8 @@
   let(:answer_text) { "Answer text" }
   let(:reference) { Faker::Alphanumeric.alphanumeric(number: 8).upcase }
 
-  let(:req_headers) do
-    {
-      "X-API-Token" => Settings.forms_api.auth_key,
-      "Accept" => "application/json",
-    }
-  end
-
-  let(:post_headers) do
-    {
-      "X-API-Token" => Settings.forms_api.auth_key,
-      "Content-Type" => "application/json",
-    }
-  end
+  let(:req_headers) { { "Accept" => "application/json" } }
+  let(:post_headers) { { "Content-Type" => "application/json" } }
 
   before do
     ActiveResource::HttpMock.respond_to do |mock|

spec/features/fill_in_and_submit_form_with_csv_spec.rb

@@ -9,12 +9,7 @@
   end
   let(:form) { build :v2_form_document, :live?, id: 1, name: "Fill in this form", steps:, start_page: steps.first.id, submission_type: "email_with_csv" }
   let(:reference) { Faker::Alphanumeric.alphanumeric(number: 8).upcase }
-  let(:req_headers) do
-    {
-      "X-API-Token" => Settings.forms_api.auth_key,
-      "Accept" => "application/json",
-    }
-  end
+  let(:req_headers) { { "Accept" => "application/json" } }
 
   before do
     ActiveResource::HttpMock.respond_to do |mock|

spec/features/fill_in_autocomplete_question_spec.rb

@@ -8,19 +8,8 @@
   let(:answer_text) { "Answer 1" }
   let(:reference) { Faker::Alphanumeric.alphanumeric(number: 8).upcase }
 
-  let(:req_headers) do
-    {
-      "X-API-Token" => Settings.forms_api.auth_key,
-      "Accept" => "application/json",
-    }
-  end
-
-  let(:post_headers) do
-    {
-      "X-API-Token" => Settings.forms_api.auth_key,
-      "Content-Type" => "application/json",
-    }
-  end
+  let(:req_headers) { { "Accept" => "application/json" } }
+  let(:post_headers) { { "Content-Type" => "application/json" } }
 
   before do
     ActiveResource::HttpMock.respond_to do |mock|

spec/features/fill_in_file_upload_question_spec.rb

@@ -9,19 +9,8 @@
   let(:answer_text) { "Answer 1" }
   let(:reference) { Faker::Alphanumeric.alphanumeric(number: 8).upcase }
 
-  let(:req_headers) do
-    {
-      "X-API-Token" => Settings.forms_api.auth_key,
-      "Accept" => "application/json",
-    }
-  end
-
-  let(:post_headers) do
-    {
-      "X-API-Token" => Settings.forms_api.auth_key,
-      "Content-Type" => "application/json",
-    }
-  end
+  let(:req_headers) { { "Accept" => "application/json" } }
+  let(:post_headers) { { "Content-Type" => "application/json" } }
 
   let(:test_file) { "tmp/a-file.txt" }
   let(:test_file_content) { "some content" }

spec/features/fill_in_form_with_exit_page_spec.rb

@@ -7,19 +7,8 @@
   let(:question_text) { Faker::Lorem.question }
   let(:reference) { Faker::Alphanumeric.alphanumeric(number: 8).upcase }
 
-  let(:req_headers) do
-    {
-      "X-API-Token" => Settings.forms_api.auth_key,
-      "Accept" => "application/json",
-    }
-  end
-
-  let(:post_headers) do
-    {
-      "X-API-Token" => Settings.forms_api.auth_key,
-      "Content-Type" => "application/json",
-    }
-  end
+  let(:req_headers) { { "Accept" => "application/json" } }
+  let(:post_headers) { { "Content-Type" => "application/json" } }
 
   before do
     ActiveResource::HttpMock.respond_to do |mock|