Follow-up from #1466.
The License API has 10 endpoints using a separate Cognito user pool (ProviderUsersPoolAuthorizer) for provider/licensee users. The ZAP scan currently authenticates with a staff user credential only, so every request to these endpoints is rejected with 401 by the authorizer before it reaches the handler. The scan therefore never exercises them, and the clean result it reports for them is not evidence that they are safe.
Endpoints not being scanned:
POST /v1/purchases/privileges
GET /v1/provider-users/me
GET /v1/compacts/{compact}/attestations/{attestationId}
GET /v1/purchases/privileges/options
GET /v1/provider-users/me/jurisdiction/{jurisdiction}/licenseType/{licenseType}/history
PUT /v1/provider-users/me/home-jurisdiction
POST /v1/provider-users/me/military-affiliation
PATCH /v1/provider-users/me/military-affiliation
PATCH /v1/provider-users/me/email
POST /v1/provider-users/me/email/verify
What's needed:
- Provision a test provider user in the test environment's provider Cognito pool
- Add provider-specific secrets to the GitHub repo (TEST_COGNITO_PROVIDER_POOL_ID, etc.)
- Update the workflow to obtain a second token and either run a second scan or configure a second ZAP context
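As an added example (not the project's code and not part of the original issue), a small Python helper for the workflow work above. It fetches the second token with boto3's `admin_initiate_auth` (this assumes the provider pool's app client has ADMIN_USER_PASSWORD_AUTH enabled and the workflow role holds cognito-idp:AdminInitiateAuth), checks the token's `iss` claim against the provider pool so a staff token cannot be reused by mistake, and after the scan compares the endpoint list above with ZAP's request/response history (entries in the shape of the ZAP `core/view/messages` API view) so the job can fail if any provider endpoint still only got 401/403. The sample messages, hostname and the unsigned-JWT builder are constructed for illustration.

```python
"""Added example: gate a second-token ZAP scan so it cannot silently skip endpoints."""
import base64
import json
import re
from http import HTTPStatus
from urllib.parse import urlparse

# The ten provider-pool endpoints from the issue.
PROVIDER_ENDPOINTS = [
    ("POST", "/v1/purchases/privileges"),
    ("GET", "/v1/provider-users/me"),
    ("GET", "/v1/compacts/{compact}/attestations/{attestationId}"),
    ("GET", "/v1/purchases/privileges/options"),
    ("GET", "/v1/provider-users/me/jurisdiction/{jurisdiction}/licenseType/{licenseType}/history"),
    ("PUT", "/v1/provider-users/me/home-jurisdiction"),
    ("POST", "/v1/provider-users/me/military-affiliation"),
    ("PATCH", "/v1/provider-users/me/military-affiliation"),
    ("PATCH", "/v1/provider-users/me/email"),
    ("POST", "/v1/provider-users/me/email/verify"),
]


def fetch_provider_token(region, pool_id, client_id, username, password):
    """Obtain an ID token from the provider pool (needs network + boto3; not run offline).
    An API Gateway Cognito authorizer validates the ID token unless OAuth scopes are configured."""
    import boto3  # lazy import so the offline checks below work without boto3 installed

    client = boto3.client("cognito-idp", region_name=region)
    resp = client.admin_initiate_auth(
        UserPoolId=pool_id,
        ClientId=client_id,
        AuthFlow="ADMIN_USER_PASSWORD_AUTH",
        AuthParameters={"USERNAME": username, "PASSWORD": password},
    )
    return resp["AuthenticationResult"]["IdToken"]


def token_issuer(jwt):
    """Return the unverified `iss` claim of a JWT (signature is NOT checked; only used
    to confirm which pool minted the token before handing it to ZAP)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("iss")


def assert_token_from_pool(jwt, region, pool_id):
    """Fail fast if the token was issued by a different pool (e.g. the staff pool)."""
    expected = f"https://cognito-idp.{region}.amazonaws.com/{pool_id}"
    iss = token_issuer(jwt)
    if iss != expected:
        raise ValueError(f"token issued by {iss!r}, expected {expected!r}")
    return True


def _template_to_regex(path):
    """'/v1/compacts/{compact}/x' -> regex where each {param} matches one path segment."""
    parts = ["[^/]+" if s.startswith("{") and s.endswith("}") else re.escape(s)
             for s in path.split("/")]
    return re.compile("^" + "/".join(parts) + "$")


def parse_zap_message(msg):
    """Extract (method, path, status) from a ZAP core/view/messages entry."""
    method, url, _ = msg["requestHeader"].split("\r\n", 1)[0].split(" ", 2)
    status = int(msg["responseHeader"].split("\r\n", 1)[0].split(" ", 2)[1])
    return method, urlparse(url).path, status


def unscanned_endpoints(endpoints, messages):
    """Endpoints for which no request ever got past the authorizer (every hit was 401/403),
    i.e. endpoints the scan did not actually exercise."""
    compiled = [(m, p, _template_to_regex(p)) for m, p in endpoints]
    reached = set()
    for msg in messages:
        method, path, status = parse_zap_message(msg)
        for m, p, rx in compiled:
            if m == method and rx.match(path) and status not in (401, 403):
                reached.add((m, p))
    return [(m, p) for m, p in endpoints if (m, p) not in reached]


# --- constructed sample data ---------------------------------------------------------
def _zap_message(method, url, status):
    """Constructed entry in the shape of ZAP's core/view/messages output."""
    reason = HTTPStatus(status).phrase
    return {"requestHeader": f"{method} {url} HTTP/1.1\r\nHost: api.test.example\r\n\r\n",
            "responseHeader": f"HTTP/1.1 {status} {reason}\r\nContent-Type: application/json\r\n\r\n"}


def make_unsigned_jwt(claims):
    """Constructed test JWT: header.payload.signature with a dummy signature."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.sig"


BASE = "https://api.test.example"
STAFF_SCAN = [  # what the current single-token scan produces: authorizer rejects everything
    _zap_message("GET", f"{BASE}/v1/provider-users/me", 401),
    _zap_message("POST", f"{BASE}/v1/purchases/privileges", 401),
    _zap_message("GET", f"{BASE}/v1/compacts/cmp/attestations/att1", 401),
]
PROVIDER_SCAN = [  # second scan with a provider token: handlers are actually reached
    _zap_message("GET", f"{BASE}/v1/provider-users/me", 200),
    _zap_message("POST", f"{BASE}/v1/purchases/privileges", 400),
    _zap_message("GET", f"{BASE}/v1/compacts/cmp/attestations/att1", 200),
]

if __name__ == "__main__":
    print("not scanned (staff token):", len(unscanned_endpoints(PROVIDER_ENDPOINTS, STAFF_SCAN)))
    print("not scanned (provider token):", unscanned_endpoints(PROVIDER_ENDPOINTS, PROVIDER_SCAN))
```

In the workflow the idea is to run `assert_token_from_pool` before starting the second ZAP run and `unscanned_endpoints` after it, exiting non-zero when the list is non-empty, so a misconfigured secret or an expired provider user shows up as a failed job instead of a scan that quietly covered nothing. A 400 from a handler still counts as reached: the point of the gate is only whether the authorizer let the request through.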