From c42f0862050264b54056d7c023c79034b02c9eb0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Mili=C4=87?= <marko@tesobe.com>
Date: Mon, 3 Feb 2025 17:47:39 +0100
Subject: [PATCH] feature/Tweak Berlin Group Consent Flow

---
 .../code/snippet/BerlinGroupConsent.scala      | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/obp-api/src/main/scala/code/snippet/BerlinGroupConsent.scala b/obp-api/src/main/scala/code/snippet/BerlinGroupConsent.scala
index 827a70c7a..9b8956ef9 100644
--- a/obp-api/src/main/scala/code/snippet/BerlinGroupConsent.scala
+++ b/obp-api/src/main/scala/code/snippet/BerlinGroupConsent.scala
@@ -48,12 +48,13 @@ import scala.collection.immutable
 class BerlinGroupConsent extends MdcLoggable with RestHelper with APIMethods510 with APIMethods500 with APIMethods310 {
   protected implicit override def formats: Formats = CustomJsonFormats.formats
 
-  private object otpValue extends RequestVar("123456")
+  private object otpValue extends SessionVar("123")
   private object redirectUriValue extends SessionVar("")
 
   def confirmBerlinGroupConsentRequest: CssSel = {
     callGetConsentByConsentId() match {
       case Full(consent) =>
+        otpValue.set(consent.challenge)
         val json: GetConsentResponseJson = createGetConsentResponseJson(consent)
         val consumer = Consumers.consumers.vend.getConsumerByConsumerId(consent.consumerId)
         val consentJwt: Box[ConsentJWT] = JwtUtil.getSignedPayloadAsJson(consent.jsonWebToken).map(parse(_)
@@ -117,15 +118,20 @@ class BerlinGroupConsent extends MdcLoggable with RestHelper with APIMethods510
   }
   private def confirmConsentRequestProcessSca() = {
     val consentId = ObpS.param("CONSENT_ID") openOr ("")
-    Consents.consentProvider.vend.updateConsentStatus(consentId, ConsentStatus.valid)
-    S.redirectTo(
-      s"$redirectUriValue?CONSENT_ID=${consentId}"
-    )
+    Consents.consentProvider.vend.getConsentByConsentId(consentId) match {
+      case Full(consent) if otpValue.is == consent.challenge =>
+        Consents.consentProvider.vend.updateConsentStatus(consentId, ConsentStatus.valid)
+        S.redirectTo(
+          s"$redirectUriValue?CONSENT_ID=${consentId}"
+        )
+      case _ =>
+        S.error("Wrong OTP value")
+    }
   }
 
 
   def confirmBgConsentRequest: CssSel = {
-    "#otp-value" #> SHtml.textElem(otpValue) &
+    "#otp-value" #> SHtml.text(otpValue, otpValue(_)) &
       "type=submit" #> SHtml.onSubmitUnit(confirmConsentRequestProcessSca)
   }