Conversation

@prathmeshj12 prathmeshj12 commented Jan 28, 2026

  1. Update CSRF token endpoint in eSignet API
  2. Add Test Coverage in eSignet API for "consentAction": "NOCAPTURE" Scenario

Summary by CodeRabbit

  • New Features

    • Added a Consent No Capture flow with five end-to-end scenarios: OAuth consent, authentication, authorization code, token exchange, and userinfo retrieval.
  • Tests

    • Added test cases, templates and result scaffolds to validate the Consent No Capture flows and wired them into the end-to-end suite.
  • Chores

    • Added CSRF token retrieval into test execution, introduced a CSRF endpoint config, removed an obsolete CSRF property, refined test data cleanup queries, and bumped project version.

Signed-off-by: Prathmesh Jadhav <prathmesh.j@cyberpwn.com>
coderabbitai bot commented Jan 28, 2026

Walkthrough

CSRF token fetching was added before test execution in MosipTestRunner; a csrfTokenEndpoint property was added; XSRFTOKEN removed from application.properties; DB cleanup SQL was hardened; and a ConsentNoCapture end-to-end test workflow (templates, YAMLs, and TestNG entries) was added.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| CSRF Token Integration | `api-test/src/main/java/.../MosipTestRunner.java`, `api-test/src/main/resources/config/application.properties`, `api-test/src/main/resources/config/esignet.properties` | Inserted calls to `AdminTestUtil.fetchAndStoreCsrfToken()` before `startTestRunner()` in three branches; removed `XSRFTOKEN` from application.properties; added `csrfTokenEndpoint=/v1/esignet/csrf/token`. |
| Database Cleanup Queries | `api-test/src/main/resources/config/pmsDataDeleteQueries.txt` | Replaced template `${currentModule}-111997` with hard-coded `esignet-111997`, normalized SQL (semicolons/whitespace), and converted partner_policy deletion to a join-based delete. |
| ConsentNoCapture — OAuth | `api-test/src/main/resources/esignet/.../OAuthConsentNoCapture/*` | Added OAuth consent input template, YAML test definition, and empty result template for verified-claims flow. |
| ConsentNoCapture — Authenticate (OTP) | `api-test/src/main/resources/esignet/.../AuthenticateConsentNoCapture/*` | Added OTP authenticate YAML, request template, and result template (NOCAPTURE flow referencing send-OTP templates). |
| ConsentNoCapture — Authorization Code | `api-test/src/main/resources/esignet/.../AuthCodeConsentNoCapture/*` | Added authorization-code request YAML and request/result Handlebars templates (acceptedClaims payload). |
| ConsentNoCapture — Token Exchange | `api-test/src/main/resources/esignet/.../GenTokenConsentNoCapture/*` | Added token exchange YAML and request/result templates (form-encoded token request, token_type result). |
| ConsentNoCapture — UserInfo | `api-test/src/main/resources/esignet/.../UserinfoConsentNoCapture/*` | Added userinfo YAML and template expecting idpAccessToken input and empty result template. |
| Test Suite Registration | `api-test/testNgXmlFiles/esignetSuite.xml` | Appended five end-to-end test cases for the ConsentNoCapture flow with corresponding runners and idKeyName mappings. |
| Version / POM | `api-test/pom.xml` | Bumped project/version artifacts from 1.7.1-SNAPSHOT to 1.8.0-SNAPSHOT and updated dependent apitest-commons version. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Runner as MosipTestRunner
    participant Util as AdminTestUtil
    participant CSRF as CSRF Endpoint
    participant NG as TestNG Runner

    Runner->>Util: fetchAndStoreCsrfToken()
    Util->>CSRF: GET /v1/esignet/csrf/token
    CSRF-->>Util: CSRF token
    Util-->>Runner: store token (header/cookie)
    Runner->>NG: startTestRunner() (tests run using stored CSRF token)
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

  • mohanachandran-s
  • ase-101

Poem

🐰 A rabbit hops through consent flows,
Fetching tokens where the cool wind blows,
Templates stitched in YAML light,
Auth codes, tokens — tests take flight,
Hops of joy in morning's bytes.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title specifically and accurately describes the primary change: updating the CSRF token endpoint in eSignet API, which is reflected in the esignet.properties file addition and the Java code changes that integrate CSRF token fetching. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@api-test/src/main/resources/config/application.properties`:
- Around line 82-83: Remove the hardcoded token strings in the commented properties (keys "XSRFTOKEN" and "XSRF-TOKEN") and replace them with non-sensitive placeholders (e.g. XSRFTOKEN=<placeholder> or a property reference like ${XSRF_TOKEN}) so no real token appears in the repo; move actual token values to environment variables or local override files and document the expected env/property name for local setup.
🧹 Nitpick comments (1)
api-test/src/main/resources/esignet/OTPAuthFactorFlow/ConsentNoCapture/AuthenticateConsentNoCapture/AuthenticateConsentNoCapture.yml (1)

11-33: Inconsistent indentation in embedded JSON reduces readability.

The JSON strings embedded in input and output have inconsistent indentation:

  • Lines 12-17 use 8-space indentation
  • Lines 18-26 (sendOtp block) use 4-space indentation
  • Lines 29-32 (output) use mixed 2-space and 4-space indentation

While this doesn't affect YAML parsing (since they're quoted strings), it hampers maintainability.

🔧 Suggested fix for consistent formatting
      input: '{
-        "encodedHash": "$ID:OAuthDetailsRequest_NoCapture_AuthToken_Xsrf_Smoke_sid_encodedResp$",
-        "requestTime": "$TIMESTAMP$",
-        "transactionId": "$ID:OAuthDetailsRequest_NoCapture_AuthToken_Xsrf_Smoke_sid_transactionId$",
-        "individualId": "$ID:AddIdentity_For_OTPFlow_VerifiedClaims_smoke_Pos_UIN$",
-        "authFactorType" : "OTP",
-        "challenge" : "$ID:AddIdentity_For_OTPFlow_VerifiedClaims_smoke_Pos_EMAIL$",
-        "sendOtp":{
-    "encodedHash": "$ID:OAuthDetailsRequest_NoCapture_AuthToken_Xsrf_Smoke_sid_encodedResp$",
-    "requestTime": "$TIMESTAMP$",
-    "transactionId": "$ID:OAuthDetailsRequest_NoCapture_AuthToken_Xsrf_Smoke_sid_transactionId$",
-    "individualId": "$ID:AddIdentity_For_OTPFlow_VerifiedClaims_smoke_Pos_UIN$",
-    "otpChannels": [{"channel": "email"},{"channel": "phone"}],
-    "sendOtpReqTemplate": "esignet/SendOtp/SendOtp",
-    "sendOtpEndPoint": "/v1/esignet/authorization/send-otp"
-    }
-    }'
+        "encodedHash": "$ID:OAuthDetailsRequest_NoCapture_AuthToken_Xsrf_Smoke_sid_encodedResp$",
+        "requestTime": "$TIMESTAMP$",
+        "transactionId": "$ID:OAuthDetailsRequest_NoCapture_AuthToken_Xsrf_Smoke_sid_transactionId$",
+        "individualId": "$ID:AddIdentity_For_OTPFlow_VerifiedClaims_smoke_Pos_UIN$",
+        "authFactorType": "OTP",
+        "challenge": "$ID:AddIdentity_For_OTPFlow_VerifiedClaims_smoke_Pos_EMAIL$",
+        "sendOtp": {
+          "encodedHash": "$ID:OAuthDetailsRequest_NoCapture_AuthToken_Xsrf_Smoke_sid_encodedResp$",
+          "requestTime": "$TIMESTAMP$",
+          "transactionId": "$ID:OAuthDetailsRequest_NoCapture_AuthToken_Xsrf_Smoke_sid_transactionId$",
+          "individualId": "$ID:AddIdentity_For_OTPFlow_VerifiedClaims_smoke_Pos_UIN$",
+          "otpChannels": [{"channel": "email"}, {"channel": "phone"}],
+          "sendOtpReqTemplate": "esignet/SendOtp/SendOtp",
+          "sendOtpEndPoint": "/v1/esignet/authorization/send-otp"
+        }
+      }'
      output: '{
-          "consentAction": "NOCAPTURE",
-  "sendOtpResp":{
-        "sendOtpResTemplate":"esignet/SendOtp/SendOtpResult"
-    }
-}'
+        "consentAction": "NOCAPTURE",
+        "sendOtpResp": {
+          "sendOtpResTemplate": "esignet/SendOtp/SendOtpResult"
+        }
+      }'
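Review bot: the suggestion is whitespace-only inside single-quoted YAML scalars, so the parsed JSON for `input` and `output` is unchanged; the `$ID:...$` placeholders, `sendOtpReqTemplate` and `sendOtpEndPoint` in the `+` lines match the `-` lines exactly, which is what matters since they are resolved against earlier test IDs. Two edits go slightly beyond indentation and are worth naming in the comment: `"authFactorType" : "OTP"` and `"challenge" : ...` lose the space before the colon, and `otpChannels` gains a space after the comma between the two channel objects.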

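As an added example (not code from this PR or the eSignet project), a small scanner for the issue raised in the actionable comment above: it flags `XSRFTOKEN` / `XSRF-TOKEN` entries that carry a literal value even when the line is commented out, while accepting `${...}` property references, `<placeholder>` values and empty values. The sensitive-key list and the sample properties text are constructed for the example.

```python
import re

# Keys whose values are secrets; a literal value beside them is flagged
# even when the whole line is commented out (assumption: list is page-derived).
SENSITIVE_KEYS = {"XSRFTOKEN", "XSRF-TOKEN"}

# Acceptable non-secret values: empty, a ${PROPERTY} reference, or <placeholder>.
PLACEHOLDER = re.compile(r"^(?:\$\{[A-Za-z_][A-Za-z0-9_.]*\}|<[^<>]+>)?$")

# key=value or key:value, optionally preceded by a '#' or '!' comment marker
# (both are comment markers in Java .properties files).
ENTRY = re.compile(
    r"^\s*(?P<comment>[#!])?\s*(?P<key>[A-Za-z0-9_.\-]+)\s*[=:]\s*(?P<value>.*?)\s*$"
)


def find_hardcoded_tokens(text):
    """Return (line_no, key, commented_out) for each sensitive key with a literal value."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        m = ENTRY.match(raw)
        if m is None or m.group("key").upper() not in SENSITIVE_KEYS:
            continue
        if PLACEHOLDER.match(m.group("value")):
            continue  # ${XSRF_TOKEN}, <placeholder> or empty: nothing leaks
        findings.append((line_no, m.group("key"), m.group("comment") is not None))
    return findings


def properties_are_clean(text):
    """True when no sensitive key carries a literal value, commented or not."""
    return not find_hardcoded_tokens(text)


# Constructed sample; not the project's real application.properties.
SAMPLE = """\
# constructed sample, not the real file
csrfTokenEndpoint=/v1/esignet/csrf/token
#XSRFTOKEN=0123456789abcdef-constructed-not-a-real-token
# XSRF-TOKEN=${XSRF_TOKEN}
XSRF-TOKEN=<placeholder>
"""

if __name__ == "__main__":
    for line_no, key, commented in find_hardcoded_tokens(SAMPLE):
        where = "commented-out" if commented else "active"
        print(f"line {line_no}: {where} {key} carries a literal token value")
```

Run it as a pre-commit or CI step over the config directory so a token pasted into a commented property is caught before it reaches the repository history.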
```yaml
uniqueIdentifier: TC_ESignet_UserInfoConsentNoCapture_01
description: Get OIDC user info with Verified Claims
role: resident
restMethod: get
```
Contributor
CheckErrorsOnlyInResponse should be used
