Return 200 even if user is not found on B2C email verification endpoint

build.gradle

@@ -290,6 +290,7 @@ dependencies {
 
   implementation group: 'org.apache.logging.log4j', name: 'log4j-api', version: log4JVersion
   implementation group: 'org.apache.logging.log4j', name: 'log4j-to-slf4j', version: log4JVersion
+  implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version: log4JVersion
   implementation group: 'org.apache.commons', name: 'commons-exec', version: '1.5.0'
 
   implementation group: 'net.logstash.logback', name: 'logstash-logback-encoder', version: '8.1'

src/functionalTest/java/uk/gov/hmcts/reform/preapi/controllers/B2cControllerFT.java

@@ -5,8 +5,7 @@
 import uk.gov.hmcts.reform.preapi.dto.VerifyEmailRequestDTO;
 import uk.gov.hmcts.reform.preapi.util.FunctionalTestBase;
 
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.springframework.http.HttpStatus.BAD_REQUEST;
+import static org.springframework.http.HttpStatus.NO_CONTENT;
 
 public class B2cControllerFT extends FunctionalTestBase {
 
@@ -20,8 +19,6 @@ void emailValidationError() throws JsonProcessingException {
             OBJECT_MAPPER.writeValueAsString(request),
             null);
 
-        assertResponseCode(response, BAD_REQUEST.value());
-        assertThat(response.body().jsonPath().getString("userMessage"))
-            .isEqualTo("Unable to send email verification");
+        assertResponseCode(response, NO_CONTENT.value());
     }
 }

src/main/java/uk/gov/hmcts/reform/preapi/controllers/B2CController.java

@@ -2,6 +2,7 @@
 
 import io.swagger.v3.oas.annotations.Operation;
 import jakarta.validation.Valid;
+import lombok.extern.log4j.Log4j2;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
@@ -19,6 +20,7 @@
 
 @RestController
 @RequestMapping("/b2c")
+@Log4j2
 @ConditionalOnExpression("${feature-flags.enable-v2-b2c:true}")
 public class B2CController {
 
@@ -51,7 +53,9 @@ public void postEmailVerification(@Valid @RequestBody VerifyEmailRequestDTO requ
                 request.getVerificationCode()
             );
         } catch (NotFoundException e) {
-            throw new B2CControllerException("Unable to send email verification");
+            // don't leak the which email addresses are present in the db
+            // return 200 and log the error
+            log.warn(e.getMessage());
         } catch (Exception e) {
             throw new B2CControllerException("Failed to send email verification", e);
         }

src/test/java/uk/gov/hmcts/reform/preapi/controller/B2CControllerTest.java

@@ -3,9 +3,12 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
+import org.springframework.boot.test.system.CapturedOutput;
+import org.springframework.boot.test.system.OutputCaptureExtension;
 import org.springframework.http.MediaType;
 import org.springframework.test.context.bean.override.mockito.MockitoBean;
 import org.springframework.test.web.servlet.MockMvc;
@@ -30,6 +33,7 @@
 
 @WebMvcTest(B2CController.class)
 @AutoConfigureMockMvc(addFilters = false)
+@ExtendWith(OutputCaptureExtension.class)
 @SuppressWarnings({"PMD.LinguisticNaming"})
 class B2CControllerTest {
 
@@ -107,10 +111,10 @@ void sendEmailVerificationEmailNoSuchEmailService() throws Exception {
         request.setVerificationCode("123456");
 
         var response = mockMvc.perform(post(TEST_URL + "/b2c/email-verification")
-                            .with(csrf())
-                            .content(OBJECT_MAPPER.writeValueAsString(request))
-                            .contentType(MediaType.APPLICATION_JSON_VALUE)
-                            .accept(MediaType.APPLICATION_JSON_VALUE))
+                                           .with(csrf())
+                                           .content(OBJECT_MAPPER.writeValueAsString(request))
+                                           .contentType(MediaType.APPLICATION_JSON_VALUE)
+                                           .accept(MediaType.APPLICATION_JSON_VALUE))
             .andExpect(status().is4xxClientError())
             .andReturn();
         assertThat(response.getResponse().getContentAsString())
@@ -219,7 +223,7 @@ void errorMessagesShouldBeFormattedCorrectlyForB2CToUnderstand() throws Exceptio
 
     @DisplayName("Should return ambiguous error when user not found")
     @Test
-    void userNotFoundAmbiguousError() throws Exception {
+    void userNotFoundAmbiguousError(CapturedOutput output) throws Exception {
 
         var email = "[email protected]";
 
@@ -232,19 +236,15 @@ void userNotFoundAmbiguousError() throws Exception {
         request.setEmail(email);
         request.setVerificationCode("123456");
 
-        var response = mockMvc.perform(post(TEST_URL + "/b2c/email-verification")
-                                           .with(csrf())
-                                           .content(OBJECT_MAPPER.writeValueAsString(request))
-                                           .contentType(MediaType.APPLICATION_JSON_VALUE)
-                                           .accept(MediaType.APPLICATION_JSON_VALUE))
-            .andExpect(status().is4xxClientError())
-            .andReturn();
-
-        var errorResponse = OBJECT_MAPPER.readTree(response.getResponse().getContentAsString());
-        assertThat(errorResponse.toString()).isEqualTo(
-            "{\"version\":\"1.0.0\",\"status\":409,\"userMessage\":\"Unable to send email verification\"}"
-        );
-
+        mockMvc.perform(post(TEST_URL + "/b2c/email-verification")
+                            .with(csrf())
+                            .content(OBJECT_MAPPER.writeValueAsString(request))
+                            .contentType(MediaType.APPLICATION_JSON_VALUE)
+                            .accept(MediaType.APPLICATION_JSON_VALUE))
+            .andExpect(status().is2xxSuccessful());
 
+        // Verify that log.warn was called with the expected message
+        assertThat(output.getOut()).contains("WARN");
+        assertThat(output.getOut()).contains(email);
     }
 }