[HOTE-803] feat: fix stubs deployment, align dep versions #336
Pull request overview
This PR aims to make WireMock/NHS Login stubs more reliable between runs and to align local/dev tooling dependency versions (Postgres + mise tooling config).
Changes:
- Add a per-process nonce to WireMock JWT `kid` values to avoid JWKS key-cache collisions across runs.
- Update Postgres image tags from `17.7` to `17.9` across local Docker and the DB client integration test.
- Tighten mise configuration (locked + lockfile) and adjust the pinned Python patch version.
Reviewed changes
Copilot reviewed 6 out of 7 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| `tests/utils/users/wiremockAuthMappings.ts` | Appends a nonce to `kid` to force JWKS re-fetches instead of serving stale cached keys. |
| `tests/scripts/push-wiremock-mappings.ts` | Passes WireMock base URL through to auth manifest generation (issuer), and updates related comments. |
| `local-environment/scripts/database/Dockerfile` | Bumps the Postgres base image to 17.9 for DB migration container. |
| `local-environment/docker-compose.yml` | Bumps the Postgres service image to 17.9. |
| `lambdas/src/lib/db/db-client.integration.test.ts` | Aligns the testcontainer Postgres image to 17.9. |
| `.mise.toml` | Enables locked installs, adds python/aqua settings, and changes the Python patch version. |
| // Generate fresh RSA key pairs + JWTs for all default test users. | ||
| // The issued JWTs use the Docker-internal WIREMOCK_ISSUER ("http://wiremock:8080") | ||
| // as the issuer so they match what the login-lambda validates against | ||
| // (NHS_LOGIN_BASE_ENDPOINT_URL inside the localstack container). | ||
| // The issued JWTs use wiremockBaseUrl as the issuer so they match what the | ||
| // login-lambda validates against (NHS_LOGIN_BASE_ENDPOINT_URL). | ||
| cleanupWireMockAuthState(); | ||
| const manifest = createWireMockAuthManifest(); | ||
| const manifest = createWireMockAuthManifest(wiremockBaseUrl); |
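Review bot: The rewritten comment above `createWireMockAuthManifest(wiremockBaseUrl)` asserts that the issuer matches what the login-lambda validates against (`NHS_LOGIN_BASE_ENDPOINT_URL`), but nothing in these lines checks it, and the concrete value the old comment documented (`"http://wiremock:8080"`) is gone. Either compare `wiremockBaseUrl` with the configured endpoint before generating the manifest and fail fast on a mismatch, or keep the expected issuer value in the comment so a wrong base URL is recognisable from the script itself.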
createWireMockAuthManifest is now passed wiremockBaseUrl as the JWT issuer, but in local dev the login/session lambdas validate against the container URL (http://wiremock:8080 via NHS_LOGIN_BASE_ENDPOINT_URL), so the default wiremockBaseUrl (http://localhost:8080) will produce tokens with an issuer that the lambdas will reject. Split the WireMock admin base URL from the JWT issuer (e.g. keep default issuer as http://wiremock:8080 or add a separate WIREMOCK_ISSUER env var / replace localhost→wiremock only for issuer).
| [settings.python] | ||
| compile = false | ||
|
|
||
| # Disable to avoid calling Github API |
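Review bot: `compile = false` under `[settings.python]` is added without a comment, while the setting that follows gets one ("Disable to avoid calling Github API"). Add a one-line reason for `compile = false` as well, and make the existing comment name the setting it refers to, so the intent of each toggle in the locked configuration is clear from the file alone.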
The comment says "Github API" but the project uses the "GitHub" capitalization elsewhere; please change it for consistency.
| # Disable to avoid calling Github API | |
| # Disable to avoid calling GitHub API |
|
|
||
| # https://devguide.python.org/versions/ | ||
| python = "3.14.3" | ||
| python = "3.14.2" |
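Review bot: The `python = "3.14.2"` line moves the pin from `3.14.3` back to an earlier patch release, and the only comment above it is the devguide link, which gives no reason for going backwards. State why the older patch is needed in a comment next to the pin, or keep `3.14.3`, so the downgrade is not mistaken for an accident and later undone.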
python is set to "3.14.2" here, but mise.lock still pins Python 3.14.3; with locked/lockfile enabled this mismatch can break or confuse tool installs. Regenerate/update mise.lock to match the new Python version (or revert the version change) so the config and lockfile stay consistent.
| python = "3.14.2" | |
| python = "3.14.3" |
…ature/hote-803/improve-lambdas
| // Generate fresh RSA key pairs + JWTs for all default test users. | ||
| // The issued JWTs use the Docker-internal WIREMOCK_ISSUER ("http://wiremock:8080") | ||
| // as the issuer so they match what the login-lambda validates against | ||
| // (NHS_LOGIN_BASE_ENDPOINT_URL inside the localstack container). | ||
| // The issued JWTs use wiremockBaseUrl as the issuer so they match what the | ||
| // login-lambda validates against (NHS_LOGIN_BASE_ENDPOINT_URL). | ||
| cleanupWireMockAuthState(); | ||
| const manifest = createWireMockAuthManifest(); | ||
| const manifest = createWireMockAuthManifest(wiremockBaseUrl); | ||
|
|
createWireMockAuthManifest(wiremockBaseUrl) ties the JWT iss claim to the URL used to push mappings (default http://localhost:8080), but in localstack wiremock mode the login lambda validates tokens against NHS_LOGIN_BASE_ENDPOINT_URL which is typically the Docker-internal http://wiremock:8080 (see local-environment/infra/main.tf locals). Consider separating “WireMock API base URL” from “JWT issuer” (e.g. WIREMOCK_JWT_ISSUER/NHS_LOGIN_BASE_ENDPOINT_URL) and pass the issuer into createWireMockAuthManifest (and /userinfo mapping) independently.
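The two behaviours this review thread turns on (the per-run `kid` nonce from the overview and the issuer mismatch flagged in the comments), as an added TypeScript example that is not code from this PR or project. The kid-keyed key cache is an assumed model of the caching the overview refers to, and `newRun`, `verify`, `demo` and the key id `test-user-key` are hypothetical names; the two URLs are the ones quoted in the comments.

```typescript
import { generateKeyPairSync, createSign, createVerify, randomBytes, KeyObject } from "node:crypto";

// Issuer the lambda is said to expect (value quoted in the review comments).
const EXPECTED_ISSUER = "http://wiremock:8080";
const b64 = (o: object): string => Buffer.from(JSON.stringify(o)).toString("base64url");

// One stub "run" (constructed): fresh RSA key pair, published as kid -> public key.
function newRun(kid: string) {
  const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
  const jwks = new Map<string, KeyObject>([[kid, publicKey]]);
  const sign = (iss: string): string => {
    const body = `${b64({ alg: "RS256", kid })}.${b64({ iss, sub: "test-user" })}`;
    return `${body}.${createSign("RSA-SHA256").update(body).sign(privateKey).toString("base64url")}`;
  };
  return { jwks, sign };
}

// Assumed verifier model: keys are cached by kid and the JWKS is only
// consulted on a cache miss. The cache outlives individual stub runs.
function verify(token: string, jwks: Map<string, KeyObject>, cache: Map<string, KeyObject>): string {
  const [h, p, s] = token.split(".");
  const { kid } = JSON.parse(Buffer.from(h, "base64url").toString());
  const { iss } = JSON.parse(Buffer.from(p, "base64url").toString());
  if (!cache.has(kid)) {
    const fetched = jwks.get(kid);
    if (!fetched) return "unknown-kid";
    cache.set(kid, fetched);
  }
  const ok = createVerify("RSA-SHA256").update(`${h}.${p}`).verify(cache.get(kid)!, Buffer.from(s, "base64url"));
  if (!ok) return "bad-signature";
  return iss === EXPECTED_ISSUER ? "ok" : "bad-issuer";
}

function demo(): string[] {
  const cache = new Map<string, KeyObject>();
  const run1 = newRun("test-user-key");
  const run2 = newRun("test-user-key"); // same kid, new key pair
  const run3 = newRun(`test-user-key-${randomBytes(4).toString("hex")}`); // kid + nonce
  return [
    verify(run1.sign(EXPECTED_ISSUER), run1.jwks, cache), // first run: key gets cached
    verify(run2.sign(EXPECTED_ISSUER), run2.jwks, cache), // stale cached key is used
    verify(run3.sign(EXPECTED_ISSUER), run3.jwks, cache), // cache miss forces a re-fetch
    verify(run3.sign("http://localhost:8080"), run3.jwks, cache), // valid signature, wrong iss
  ];
}

console.log(demo());
```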
…tal/hometest-service into feature/hote-803/improve-lambdas
Description
Context
Type of changes
Checklist
Sensitive Information Declaration
To ensure the utmost confidentiality and protect your and others' privacy, we kindly ask you NOT to include PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that does contain any sensitive information. We really appreciate your cooperation in this matter.