@mojaloop/central-services-shared 18.36.0-snapshot.4 → 18.36.1

package/.circleci/config.yml

@@ -20,7 +20,7 @@ version: 2.1
 setup: true
 
 orbs:
-  build: mojaloop/build@1.1.9
+  build: mojaloop/build@1.1.15
 
 workflows:
   setup:

package/.grype.yaml

@@ -1,40 +1,18 @@
-# Grype vulnerability scanning configuration for central-services-shared
-# This is a library project without Docker images, so we use source scanning
 scan-type: source
-
-# Enable vulnerability scanning
 disabled: false
-
-# Vulnerability ignore rules
-# Add specific CVEs here if they are false positives or acceptable risks
 ignore:
-  # Example format for ignoring specific vulnerabilities:
-  # - vulnerability: "CVE-2023-xxxxx"
-  #   reason: "False positive in dev dependency that doesn't affect production"
-  # - vulnerability: "GHSA-xxxx-xxxx-xxxx"
-  #   package:
-  #     name: "package-name"
-  #     version: "1.0.0"
-  #   reason: "Not exploitable in our usage context"
-
-# Output formats for scan results
+  - vulnerability: GHSA-rpr9-rxv7-x643
+    include-aliases: true
+    reason: "[05-16-2026][Critical][sanitize-html 2.12.1] No available fix. Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html"
 output:
-  - "table"  # Human-readable table format
-  - "json"   # Machine-readable JSON for further processing
-
-# Grype configuration options
-quiet: false                    # Show progress and status messages
-check-for-app-update: false     # Don't check for Grype updates during CI
-only-fixed: false               # Show all vulnerabilities, not just those with fixes
-add-cpes-if-none: false         # Don't add CPEs if none are found
-by-cve: false                   # Group by vulnerability rather than CVE
-
-# Database settings
+  - table
+  - json
+quiet: false
+check-for-app-update: false
+only-fixed: false
+add-cpes-if-none: false
+by-cve: false
 db:
-  auto-update: true             # Auto-update the vulnerability database
-  validate-age: true            # Validate the age of the vulnerability database
-  max-allowed-built-age: 120h   # Maximum age of the vulnerability database (5 days)
-
-# Severity thresholds (handled by the orb, but documented here for clarity)
-# The build will fail on Critical, High, or Medium severity vulnerabilities
-# Low and Negligible severities are reported but won't fail the build
+  auto-update: true
+  validate-age: true
+  max-allowed-built-age: 120h

package/.ncurc.yaml

@@ -2,5 +2,5 @@
 reject: [
   # TODO: Added "@hapi/catbox-memory" to ncurc for dep:check to ignore updates due to breaking changes which should be handled by another story
   "@hapi/catbox-memory",
-  "ioredis" # version 5.7.0 caused failures of unit-tests in QS
+  "ioredis", # version 5.7.0 caused failures of unit-tests in QS
 ]

package/.nvmrc

@@ -1 +1 @@
-22.15.1
+22.22.2

package/CHANGELOG.md

@@ -2,6 +2,49 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+### [18.36.1](https://github.com/mojaloop/central-services-shared/compare/v18.36.0...v18.36.1) (2026-05-18)
+
+
+### Bug Fixes
+
+* issue 4297 aligning tpp accounts request naming ([#521](https://github.com/mojaloop/central-services-shared/issues/521)) ([da0335d](https://github.com/mojaloop/central-services-shared/commit/da0335d46fabe5547ba622c9d9a3f446936827e0))
+
+## [18.36.0](https://github.com/mojaloop/central-services-shared/compare/v18.35.7...v18.36.0) (2026-05-13)
+
+
+### Features
+
+* add new endpoints for tppConsentRequest ([#519](https://github.com/mojaloop/central-services-shared/issues/519)) ([635a383](https://github.com/mojaloop/central-services-shared/commit/635a3830b22ee1e01914b9a17be6df802772dc3c))
+* add tppConsents request endpoints ([#520](https://github.com/mojaloop/central-services-shared/issues/520)) ([5fb9873](https://github.com/mojaloop/central-services-shared/commit/5fb98739f330736ca74d3a9934dbf971d4c46c0b))
+
+### [18.35.7](https://github.com/mojaloop/central-services-shared/compare/v18.35.6...v18.35.7) (2026-04-07)
+
+
+### Bug Fixes
+
+* require Accept header for initiating methods per FSPIOP spec ([#516](https://github.com/mojaloop/central-services-shared/issues/516)) ([4d29c23](https://github.com/mojaloop/central-services-shared/commit/4d29c23464ceaf31961991fa82d6ac986d47e4d4)), closes [mojaloop/project#4183](https://github.com/mojaloop/project/issues/4183)
+
+### [18.35.6](https://github.com/mojaloop/central-services-shared/compare/v18.35.5...v18.35.6) (2026-02-26)
+
+
+### Chore
+
+* rm circular dependency on sdk-standard-components ([#510](https://github.com/mojaloop/central-services-shared/issues/510)) ([7346920](https://github.com/mojaloop/central-services-shared/commit/7346920e3c3e0996aeebfd7cce4e24ac54d59313))
+
+### [18.35.5](https://github.com/mojaloop/central-services-shared/compare/v18.35.4...v18.35.5) (2026-02-20)
+
+
+### Chore
+
+* update orb and dep ver ([#509](https://github.com/mojaloop/central-services-shared/issues/509)) ([7293cff](https://github.com/mojaloop/central-services-shared/commit/7293cffea15145d115b25625eb4352ceb651bb35))
+
+### [18.35.4](https://github.com/mojaloop/central-services-shared/compare/v18.35.3...v18.35.4) (2026-02-19)
+
+
+### Chore
+
+* update dependencies, node.js 22.22.0, and security patches ([#508](https://github.com/mojaloop/central-services-shared/issues/508)) ([51281d8](https://github.com/mojaloop/central-services-shared/commit/51281d8eaaa8b9da53214f2b6543d1aef165a682))
+
 ### [18.35.3](https://github.com/mojaloop/central-services-shared/compare/v18.35.2...v18.35.3) (2026-02-06)
 
 

package/audit-ci.jsonc

@@ -4,6 +4,10 @@
   // Only use one of ["low": true, "moderate": true, "high": true, "critical": true]
   "moderate": true,
   "allowlist": [ // NOTE: Please add as much information as possible to any items added to the allowList
-    // e.g. Currently no fixes available for the following
+    /** 
+      [05-16-2026] - No fix available for this vulnerability
+      Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
+    **/
+    "GHSA-rpr9-rxv7-x643"
   ]
-}
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mojaloop/central-services-shared",
-  "version": "18.36.0-snapshot.4",
+  "version": "18.36.1",
   "description": "Shared code for mojaloop central services",
   "license": "Apache-2.0",
   "author": "ModusBox",
@@ -48,7 +48,6 @@
     "test:endpoints": "npx tape 'test/unit/util/endpoints.test.js'",
     "test:mysql": "npx tape 'test/unit/mysql/**/*.test.js'",
     "test:participants": "npx tape 'test/unit/util/participants.test.js'",
-    "test:request": "npx tape 'test/unit/util/request.test.js'",
     "test:trans": "npx tape 'test/unit/util/headers/transformer.test.js'",
     "test:unit": "npx tape 'test/unit/**/*.test.js' | tap-spec",
     "test:xunit": "npx tape 'test/unit/**/**.test.js' | tap-xunit > ./test/results/xunit.xml",
@@ -68,26 +67,25 @@
   "dependencies": {
     "@hapi/catbox": "12.1.1",
     "@hapi/catbox-memory": "5.0.1",
-    "@hapi/hapi": "21.4.4",
+    "@hapi/hapi": "21.4.9",
     "@hapi/joi-date": "2.0.1",
-    "@mojaloop/inter-scheme-proxy-cache-lib": "2.9.0",
-    "@opentelemetry/api": "1.9.0",
-    "@opentelemetry/semantic-conventions": "1.39.0",
+    "@mojaloop/inter-scheme-proxy-cache-lib": "2.10.0",
+    "@opentelemetry/api": "1.9.1",
     "async-exit-hook": "2.0.1",
     "async-retry": "1.3.3",
-    "axios": "1.13.4",
+    "axios": "1.16.1",
     "clone": "2.1.2",
-    "convict": "^6.2.4",
-    "dotenv": "17.2.4",
+    "convict": "6.2.5",
+    "dotenv": "17.4.2",
     "env-var": "7.5.0",
     "event-stream": "4.0.1",
     "fast-safe-stringify": "2.1.1",
-    "immutable": "5.1.4",
+    "immutable": "5.1.5",
     "ioredis": "5.6.1",
-    "joi": "18.0.2",
-    "lodash": "4.17.23",
+    "joi": "18.2.1",
+    "lodash": "4.18.1",
     "mustache": "4.2.0",
-    "openapi-backend": "5.15.0",
+    "openapi-backend": "5.17.0",
     "raw-body": "3.0.2",
     "rc": "1.2.8",
     "redlock": "5.0.0-beta.2",
@@ -95,30 +93,29 @@
     "ulidx": "2.4.1",
     "uuid4": "2.0.3",
     "widdershins": "4.0.1",
-    "yaml": "2.8.2"
+    "yaml": "2.9.0"
   },
   "devDependencies": {
-    "@mojaloop/central-services-error-handling": "13.1.5",
-    "@mojaloop/central-services-logger": "11.11.0-snapshot.0",
-    "@mojaloop/central-services-metrics": "12.8.3",
-    "@mojaloop/event-sdk": "14.8.2",
-    "@mojaloop/sdk-standard-components": "19.18.7",
-    "@opentelemetry/auto-instrumentations-node": "^0.69.0",
+    "@mojaloop/central-services-error-handling": "13.1.6",
+    "@mojaloop/central-services-logger": "11.10.4",
+    "@mojaloop/central-services-metrics": "12.8.5",
+    "@mojaloop/event-sdk": "14.8.4",
+    "@opentelemetry/auto-instrumentations-node": "^0.76.0",
     "@types/hapi__joi": "17.1.15",
-    "ajv": "^8.17.1",
+    "ajv": "8.20.0",
     "ajv-formats": "^3.0.1",
     "ajv-keywords": "^5.1.0",
     "audit-ci": "7.1.0",
     "base64url": "3.0.1",
     "chance": "1.1.13",
-    "npm-check-updates": "19.3.2",
-    "nyc": "17.1.0",
+    "npm-check-updates": "22.2.0",
+    "nyc": "18.0.0",
     "portfinder": "1.0.38",
-    "pre-commit": "1.2.2",
+    "pre-commit": "2.0.0",
     "proxyquire": "2.1.3",
     "replace": "1.2.2",
     "rewire": "9.0.1",
-    "sinon": "21.0.1",
+    "sinon": "22.0.0",
     "standard": "17.1.2",
     "standard-version": "9.5.0",
     "tap-spec": "5.0.0",
@@ -127,15 +124,13 @@
     "tapes": "4.1.0"
   },
   "overrides": {
-    "@mojaloop/central-services-logger": "$@mojaloop/central-services-logger",
-    "axios": "1.13.4",
-    "qs": "6.14.1",
-    "brace-expansion": "2.0.2",
-    "form-data": "4.0.4",
-    "nanoid": "5.1.5",
-    "postcss": {
-      "nanoid": "5.1.5"
-    },
+    "axios": "1.16.1",
+    "qs": "6.14.2",
+    "brace-expansion": "1.1.13",
+    "form-data": "4.0.5",
+    "convict": "6.2.5",
+    "nanoid": "3.3.11",
+    "postcss": "8.5.10",
     "shins": {
       "ejs": "3.1.10",
       "sanitize-html": "2.12.1",
@@ -148,15 +143,22 @@
       "swagger2openapi": "7.0.8"
     },
     "markdown-it": "12.3.2",
-    "fast-xml-parser": "5.3.4",
+    "fast-xml-parser": "5.7.0",
     "trim": "0.0.3",
     "cross-spawn": "7.0.6",
     "yargs-parser": "21.1.1",
     "jws": "3.2.3",
     "validator": "13.15.22",
-    "lodash": "4.17.23",
-    "lodash-es": "4.17.23",
-    "undici": "7.18.2"
+    "lodash": "4.18.1",
+    "lodash-es": "4.18.1",
+    "undici": "6.25.0",
+    "@hapi/content": "6.0.1",
+    "replace": {
+      "minimatch": "3.1.4"
+    },
+    "path-to-regexp": "0.1.13",
+    "picomatch": "2.3.2",
+    "yaml": "2.9.0"
   },
   "peerDependencies": {
     "@mojaloop/central-services-error-handling": "13.x.x",

package/src/config.js

@@ -9,13 +9,6 @@ const config = convict({
     env: 'SHARED_CACHE_LOG_LEVEL'
   },
 
-  httpLogLevel: {
-    doc: 'Log level for HTTP wrapper.',
-    format: logLevelValues,
-    default: logLevelsMap.warn,
-    env: 'LOG_LEVEL_HTTP'
-  },
-
   defaultTtlSec: {
     doc: 'Default cache TTL.',
     format: Number,

package/src/enums/endpoints.js

@@ -102,12 +102,22 @@ const FspEndpointTypes = {
   TP_CB_URL_SERVICES_GET: 'TP_CB_URL_SERVICES_GET',
   TP_CB_URL_SERVICES_PUT: 'TP_CB_URL_SERVICES_PUT',
   TP_CB_URL_SERVICES_PUT_ERROR: 'TP_CB_URL_SERVICES_PUT_ERROR',
-  TPP_CB_URL_ACCOUNT_REQUEST_POST: 'TPP_CB_URL_ACCOUNT_REQUEST_POST',
-  TPP_CB_URL_ACCOUNT_REQUEST_PUT: 'TPP_CB_URL_ACCOUNT_REQUEST_PUT',
-  TPP_CB_URL_ACCOUNT_REQUEST_PUT_ERROR: 'TPP_CB_URL_ACCOUNT_REQUEST_PUT_ERROR',
-  TPP_CB_URL_ACCOUNT_REQUEST_GET: 'TPP_CB_URL_ACCOUNT_REQUEST_GET',
+  TPP_CB_URL_ACCOUNTS_REQUEST_POST: 'TPP_CB_URL_ACCOUNTS_REQUEST_POST',
+  TPP_CB_URL_ACCOUNTS_REQUEST_PUT: 'TPP_CB_URL_ACCOUNTS_REQUEST_PUT',
+  TPP_CB_URL_ACCOUNTS_REQUEST_PUT_ERROR: 'TPP_CB_URL_ACCOUNTS_REQUEST_PUT_ERROR',
+  TPP_CB_URL_ACCOUNTS_REQUEST_GET: 'TPP_CB_URL_ACCOUNTS_REQUEST_GET',
   TPP_CB_URL_ACCOUNTS_GET: 'TPP_CB_URL_ACCOUNTS_GET',
-  TPP_CB_URL_ACCOUNTS_PUT: 'TPP_CB_URL_ACCOUNTS_PUT'
+  TPP_CB_URL_ACCOUNTS_PUT: 'TPP_CB_URL_ACCOUNTS_PUT',
+  TPP_CB_URL_CONSENT_REQUEST_POST: 'TPP_CB_URL_CONSENT_REQUEST_POST',
+  TPP_CB_URL_CONSENT_REQUEST_GET: 'TPP_CB_URL_CONSENT_REQUEST_GET',
+  TPP_CB_URL_CONSENT_REQUEST_PUT: 'TPP_CB_URL_CONSENT_REQUEST_PUT',
+  TPP_CB_URL_CONSENT_REQUEST_PATCH: 'TPP_CB_URL_CONSENT_REQUEST_PATCH',
+  TPP_CB_URL_CONSENT_REQUEST_PUT_ERROR: 'TPP_CB_URL_CONSENT_REQUEST_PUT_ERROR',
+  TPP_CB_URL_CONSENTS_POST: 'TPP_CB_URL_CONSENTS_POST',
+  TPP_CB_URL_CONSENTS_GET: 'TPP_CB_URL_CONSENTS_GET',
+  TPP_CB_URL_CONSENTS_PUT: 'TPP_CB_URL_CONSENTS_PUT',
+  TPP_CB_URL_CONSENTS_PUT_ERROR: 'TPP_CB_URL_CONSENTS_PUT_ERROR',
+  TPP_CB_URL_CONSENTS_DELETE: 'TPP_CB_URL_CONSENTS_DELETE'
 }
 
 const FspEndpointTemplates = {
@@ -170,13 +180,23 @@ const FspEndpointTemplates = {
   TP_SERVICES_GET: '/services/{{ServiceType}}',
   TP_SERVICES_PUT: '/services/{{ServiceType}}',
   TP_SERVICES_PUT_ERROR: '/services/{{ServiceType}}/error',
-  TPP_ACCOUNT_REQUEST_POST: '/tppAccountRequest',
-  TPP_ACCOUNT_REQUEST_PUT: '/tppAccountRequest/{{ID}}',
-  TPP_ACCOUNT_REQUEST_PUT_ERROR: '/tppAccountRequest/{{ID}}/error',
-  TPP_ACCOUNT_REQUEST_GET: '/tppAccountRequest/{{ID}}',
+  TPP_ACCOUNTS_REQUEST_POST: '/tppAccountsRequest',
+  TPP_ACCOUNTS_REQUEST_PUT: '/tppAccountsRequest/{{ID}}',
+  TPP_ACCOUNTS_REQUEST_PUT_ERROR: '/tppAccountsRequest/{{ID}}/error',
+  TPP_ACCOUNTS_REQUEST_GET: '/tppAccountsRequest/{{ID}}',
   TPP_ACCOUNTS_GET: '/tppAccounts/{{ID}}/{{SignedChallenge}}',
   TPP_ACCOUNTS_PUT: '/tppAccounts/{{ID}}',
-  TPP_ACCOUNTS_PUT_ERROR: '/tppAccounts/{{ID}}/error'
+  TPP_ACCOUNTS_PUT_ERROR: '/tppAccounts/{{ID}}/error',
+  TPP_CONSENT_REQUEST_POST: '/tppConsentRequests',
+  TPP_CONSENT_REQUEST_GET: '/tppConsentRequests/{{ID}}',
+  TPP_CONSENT_REQUEST_PUT: '/tppConsentRequests/{{ID}}',
+  TPP_CONSENT_REQUEST_PATCH: '/tppConsentRequests/{{ID}}',
+  TPP_CONSENT_REQUEST_PUT_ERROR: '/tppConsentRequests/{{ID}}/error',
+  TPP_CONSENTS_POST: '/tppConsents',
+  TPP_CONSENTS_GET: '/tppConsents/{{ID}}',
+  TPP_CONSENTS_PUT: '/tppConsents/{{ID}}',
+  TPP_CONSENTS_PUT_ERROR: '/tppConsents/{{ID}}/error',
+  TPP_CONSENTS_DELETE: '/tppConsents/{{ID}}'
 }
 
 module.exports = {

package/src/index.d.ts

@@ -1,7 +1,6 @@
 import { Utils as HapiUtil, Server } from '@hapi/hapi'
 import { ILogger } from '@mojaloop/central-services-logger/src/contextLogger'
 import { Knex } from 'knex';
-import { AxiosRequestConfig, AxiosResponse, ResponseType as AxiosResponseType } from 'axios'
 import IORedis from 'ioredis';
 
 declare namespace CentralServicesShared {
@@ -116,10 +115,10 @@ declare namespace CentralServicesShared {
     TP_CB_URL_SERVICES_GET = 'TP_CB_URL_SERVICES_GET',
     TP_CB_URL_SERVICES_PUT = 'TP_CB_URL_SERVICES_PUT',
     TP_CB_URL_SERVICES_PUT_ERROR = 'TP_CB_URL_SERVICES_PUT_ERROR',
-    TP_CB_URL_ACCOUNT_REQUEST_POST = 'TP_CB_URL_ACCOUNT_REQUEST_POST',
-    TP_CB_URL_ACCOUNT_REQUEST_PUT = 'TP_CB_URL_ACCOUNT_REQUEST_PUT',
-    TP_CB_URL_ACCOUNT_REQUEST_PUT_ERROR = 'TP_CB_URL_ACCOUNT_REQUEST_PUT_ERROR',
-    TP_CB_URL_ACCOUNT_REQUEST_GET = 'TP_CB_URL_ACCOUNT_REQUEST_GET',
+    TP_CB_URL_ACCOUNTS_REQUEST_POST = 'TP_CB_URL_ACCOUNTS_REQUEST_POST',
+    TP_CB_URL_ACCOUNTS_REQUEST_PUT = 'TP_CB_URL_ACCOUNTS_REQUEST_PUT',
+    TP_CB_URL_ACCOUNTS_REQUEST_PUT_ERROR = 'TP_CB_URL_ACCOUNTS_REQUEST_PUT_ERROR',
+    TP_CB_URL_ACCOUNTS_REQUEST_GET = 'TP_CB_URL_ACCOUNTS_REQUEST_GET',
   }
   interface EndPointsEnum {
     EndpointType: {
@@ -192,10 +191,10 @@ declare namespace CentralServicesShared {
       TP_CB_URL_SERVICES_GET: FspEndpointTypesEnum.TP_CB_URL_SERVICES_GET;
       TP_CB_URL_SERVICES_PUT: FspEndpointTypesEnum.TP_CB_URL_SERVICES_PUT;
       TP_CB_URL_SERVICES_PUT_ERROR: FspEndpointTypesEnum.TP_CB_URL_SERVICES_PUT_ERROR;
-      TP_CB_URL_ACCOUNT_REQUEST_POST: FspEndpointTypesEnum.TP_CB_URL_ACCOUNT_REQUEST_POST;
-      TP_CB_URL_ACCOUNT_REQUEST_PUT: FspEndpointTypesEnum.TP_CB_URL_ACCOUNT_REQUEST_PUT;
-      TP_CB_URL_ACCOUNT_REQUEST_PUT_ERROR: FspEndpointTypesEnum.TP_CB_URL_ACCOUNT_REQUEST_PUT_ERROR;
-      TP_CB_URL_ACCOUNT_REQUEST_GET: FspEndpointTypesEnum.TP_CB_URL_ACCOUNT_REQUEST_GET;
+      TP_CB_URL_ACCOUNTS_REQUEST_POST: FspEndpointTypesEnum.TP_CB_URL_ACCOUNTS_REQUEST_POST;
+      TP_CB_URL_ACCOUNTS_REQUEST_PUT: FspEndpointTypesEnum.TP_CB_URL_ACCOUNTS_REQUEST_PUT;
+      TP_CB_URL_ACCOUNTS_REQUEST_PUT_ERROR: FspEndpointTypesEnum.TP_CB_URL_ACCOUNTS_REQUEST_PUT_ERROR;
+      TP_CB_URL_ACCOUNTS_REQUEST_GET: FspEndpointTypesEnum.TP_CB_URL_ACCOUNTS_REQUEST_GET;
     };
     FspEndpointTemplates: {
       TRANSACTION_REQUEST_POST: string;
@@ -764,27 +763,9 @@ declare namespace CentralServicesShared {
     accept: string
   }
 
-  type RequestParams = {
-    url: string,
-    headers: HapiUtil.Dictionary<string>,
-    source: string,
-    destination?: string,
-    hubNameRegex: RegExp,
-    method?: RestMethodsEnum,
-    payload?: any,
-    params?: AxiosRequestConfig['params'],
-    responseType?: AxiosResponseType,
-    span?: any,
-    jwsSigner?: any,
-    protocolVersions?: ProtocolVersionsType,
-    apiType?: ApiTypeValues,
-    axiosRequestOptionsOverride?: Partial<AxiosRequestConfig>,
-    logger?: ILogger,
-    peerService?: string
-  }
-  export interface Request {
-    sendRequest(params: RequestParams): Promise<AxiosResponse>
-    sendBaseRequest(params?: AxiosRequestConfig & { logger?: ILogger, peerService?: string }): Promise<AxiosResponse>
+  type RequestParams = { url: string, headers: HapiUtil.Dictionary<string>, source: string, destination: string, hubNameRegex: RegExp, method?: RestMethodsEnum, payload?: any, responseType?: string, span?: any, jwsSigner?: any, protocolVersions?: ProtocolVersionsType }
+  interface Request {
+    sendRequest(params: RequestParams): Promise<any>
   }
 
   interface Kafka {

package/src/util/hapi/plugins/headerValidation.js

@@ -81,9 +81,10 @@ const plugin = {
 
       if (needProxySourceValidation) validateProxySourceHeaders(request.headers)
 
-      // Always validate the accept header for a get request, or optionally if it has been
-      // supplied
-      if (request.method.toLowerCase() === 'get' || request.headers.accept) {
+      // Require accept header for request-initiating methods (GET, POST, DELETE)
+      // per FSPIOP API spec. PUT/PATCH callbacks do not require Accept.
+      const methodRequiresAccept = ['get', 'post', 'delete'].includes(request.method.toLowerCase())
+      if (methodRequiresAccept || request.headers.accept) {
         if (request.headers.accept === undefined) {
           throw createFSPIOPError(Enums.FSPIOPErrorCodes.MISSING_ELEMENT, errorMessages.REQUIRE_ACCEPT_HEADER)
         }

package/src/util/hapi/plugins/loggingPlugin.js

@@ -30,7 +30,6 @@
 const { env } = require('node:process')
 const { asyncStorage } = require('@mojaloop/central-services-logger/src/contextLogger')
 const { logger } = require('../../../logger')
-const { incomingRequestAttributesDto } = require('../../otelDto')
 
 const INTERNAL_ROUTES = env.LOG_INTERNAL_ROUTES ? env.LOG_INTERNAL_ROUTES.split(',') : ['/health', '/metrics', '/live']
 const TRACE_ID_HEADER = env.LOG_TRACE_ID_HEADER ?? 'traceid'
@@ -62,11 +61,13 @@ const loggingPlugin = {
     server.ext({
       type: 'onRequest',
       method: (request, h) => {
-        const requestId = request.info.id = `${request.info.id}__${request.headers[traceIdHeader]}`
+        const { path, method, headers, payload, query } = request
+        const { remoteAddress } = request.info
+        const requestId = request.info.id = `${request.info.id}__${headers[traceIdHeader]}`
         asyncStorage.enterWith({ requestId })
 
-        if (shouldLog(request.path)) {
-          logRequest(request, log)
+        if (shouldLog(path)) {
+          log.info(`[==> req] ${method.toUpperCase()} ${path}`, { headers, payload, query, remoteAddress })
         }
         return h.continue
       }
@@ -76,7 +77,16 @@ const loggingPlugin = {
       type: 'onPreResponse',
       method: (request, h) => {
         if (shouldLog(request.path)) {
-          logResponse(request, log)
+          const { path, method, payload, response } = request
+          const { received } = request.info
+
+          const statusCode = response instanceof Error
+            ? response.output?.statusCode
+            : response.statusCode
+          const { output } = response
+          const respTimeSec = ((Date.now() - received) / 1000).toFixed(1)
+
+          log.info(`[<== ${statusCode}] ${method.toUpperCase()} ${path} [${respTimeSec} sec]`, { payload, output })
         }
         return h.continue
       }
@@ -84,69 +94,4 @@ const loggingPlugin = {
   }
 }
 
-/**
- * @param {import('@hapi/hapi').Request} request
- * @param {ILogger} log
- * @returns OTelAttributes
- */
-const logRequest = (request, log) => {
-  log.info(`[==> req] ${request.method.toUpperCase()} ${request.path} `, {
-    headers: extractHeadersForLogs(request.headers),
-    // payload is not parsed yet
-    ...extractAttributes({ request })
-  })
-}
-
-/**
- * @param {import('@hapi/hapi').Request} request
- * @param {ILogger} log
- * @returns OTelAttributes
- */
-const logResponse = (request, log) => {
-  const { method, path, response } = request
-
-  const statusCode = response instanceof Error
-    ? response.output?.statusCode
-    : response?.statusCode
-
-  const errorType = response instanceof Error
-    ? response.output?.payload?.error
-    : undefined
-
-  const durationSec = (Date.now() - request.info.received) / 1000
-
-  log.info(`[<== ${statusCode}] ${method.toUpperCase()} ${path}  [${durationSec} s]`, {
-    headers: extractHeadersForLogs(response?.output?.headers),
-    payload: response?.output?.payload, // think if we need to log payload only with debug severity
-    ...extractAttributes({ request, durationSec, statusCode, errorType })
-  })
-}
-
-const extractAttributes = ({ request, durationSec, statusCode, errorType }) => {
-  return incomingRequestAttributesDto({
-    method: request.method,
-    path: request.path,
-    url: getFullUrl(request),
-    route: request.route.path,
-    serverAddress: request.info.hostname,
-    clientAddress: request.info.remoteAddress,
-    userAgent: request.headers['user-agent'],
-    requestId: request.info.id,
-    durationSec,
-    statusCode,
-    errorType
-  })
-}
-
-/** @param {import('@hapi/hapi').Request} req */
-const getFullUrl = (req) => {
-  const search = req.url?.search || ''
-  return `${req.server.info.protocol}://${req.info.host}${req.path}${search}`
-}
-
-const extractHeadersForLogs = (headers = {}) => {
-  // todo: add impl.
-  return headers
-}
-
 module.exports = loggingPlugin

package/src/util/request.js

@@ -30,31 +30,29 @@
 'use strict'
 
 const http = require('node:http')
-const axios = require('axios')
+const request = require('axios')
 const stringify = require('fast-safe-stringify')
 const EventSdk = require('@mojaloop/event-sdk')
 const ErrorHandler = require('@mojaloop/central-services-error-handling')
 const Metrics = require('@mojaloop/central-services-metrics')
-
-const { logger: globalLogger } = require('../logger')
+const Headers = require('./headers/transformer')
+const enums = require('../enums')
+const { logger } = require('../logger')
 const { API_TYPES } = require('../constants')
 const config = require('../config')
-const enums = require('../enums')
-const Headers = require('./headers/transformer')
-const { outgoingRequestAttributesDto } = require('./otelDto')
 
 const MISSING_FUNCTION_PARAMETERS = 'Missing parameters for function'
 
 // Delete the default headers that the `axios` module inserts as they can brake our conventions.
 // By default it would insert `"Accept":"application/json, text/plain, */*"`.
-delete axios.defaults.headers.common.Accept
+delete request.defaults.headers.common.Accept
 
 const keepAlive = (process.env.HTTP_AGENT_KEEP_ALIVE ?? 'true') === 'true'
-globalLogger.verbose('http keepAlive:', { keepAlive })
+logger.verbose('http keepAlive:', { keepAlive })
 
 // Enable keepalive for http
-axios.defaults.httpAgent = new http.Agent({ keepAlive })
-axios.defaults.httpAgent.toJSON = () => ({})
+request.defaults.httpAgent = new http.Agent({ keepAlive })
+request.defaults.httpAgent.toJSON = () => ({})
 
 /**
  * @function sendRequest
@@ -79,12 +77,11 @@ axios.defaults.httpAgent.toJSON = () => ({})
  * @param {SendRequestProtocolVersions | undefined} protocolVersions the config for Protocol versions to be used
  * @param {'fspiop' | 'iso20022'} apiType the API type of the request being sent
  * @param {object} axiosRequestOptionsOverride axios request options to override https://axios-http.com/docs/req_config
- * @param {ILogger} [logger] ContextLogger instance with specific context
- * @param {string} [peerService] Logical service name to call (for OTel)
  * @param {regex} hubNameRegex hubName Regex
  *
  *@return {Promise<any>} The response for the request being sent or error object with response included
  */
+
 const sendRequest = async ({
   url,
   headers,
@@ -99,8 +96,6 @@ const sendRequest = async ({
   protocolVersions = undefined,
   apiType = API_TYPES.fspiop,
   axiosRequestOptionsOverride = {},
-  logger = createHttpLogger(),
-  peerService = '',
   hubNameRegex
 }) => {
   const histTimerEnd = Metrics.getHistogram(
@@ -118,9 +113,6 @@ const sendRequest = async ({
     // think, if we can just avoid checking "destination"
     throw ErrorHandler.Factory.createInternalServerFSPIOPError(MISSING_FUNCTION_PARAMETERS)
   }
-
-  const log = logger.child({ component: 'httpRequest' })
-
   try {
     const transformedHeaders = Headers.transformHeaders(headers, {
       httpMethod: method,
@@ -134,10 +126,9 @@ const sendRequest = async ({
       url,
       method,
       headers: transformedHeaders,
-      data: payload,
+      data: payload, // todo: think, if it's better to transform to ISO format here (based on apiType)
       params,
       responseType,
-      peerService,
       timeout: config.get('httpRequestTimeoutMs'),
       ...axiosRequestOptionsOverride
     }
@@ -158,18 +149,14 @@ const sendRequest = async ({
       }
       span.audit({ ...rest, payload }, EventSdk.AuditEventAction.egress)
     }
-
-    const response = await sendBaseRequest({
-      ...requestOptions,
-      logger: log,
-      peerService
-    })
+    logger.debug('sendRequest::requestOptions:', { requestOptions })
+    const response = await request(requestOptions)
 
     !!sendRequestSpan && await sendRequestSpan.finish()
     histTimerEnd({ success: true, source, destination, method })
     return response
   } catch (error) {
-    log.error('error in request.sendRequest:', {
+    logger.error('error in request.sendRequest:', {
       code: error.code,
       message: error.message,
       stack: error.stack,
@@ -260,62 +247,6 @@ const sendRequest = async ({
   }
 }
 
-// todo: think better name
-//       it's for http calls without params validation and transformHeaders
-const sendBaseRequest = async ({
-  logger = createHttpLogger(),
-  peerService = '',
-  ...reqOptions
-} = {}) => {
-  const log = logger.child({ component: 'sendBaseRequest' })
-  const { method, url } = reqOptions
-  const methodUrl = `${method?.toUpperCase()} ${url}`
-  const startTime = Date.now()
-
-  let statusCode
-  let errorType
-
-  try {
-    log.debug(`[-->] options for ${methodUrl}: `, { reqOptions })
-
-    const response = await axios(reqOptions)
-
-    statusCode = response?.status
-    log.verbose(`[<--] details of ${methodUrl}: `, {
-      data: response?.data,
-      headers: response?.headers, // todo: extract only needed headers
-      statusCode,
-      reqOptions
-    })
-
-    return response
-  } catch (error) {
-    statusCode = error.response?.status
-    errorType = error.code
-    throw error // todo: think, if we need to rethrow our custom error here
-  } finally {
-    const severity = typeof statusCode === 'number'
-      ? (statusCode >= 200 && statusCode < 300 ? 'info' : 'warn')
-      : 'error'
-    const durationSec = (Date.now() - startTime) / 1000
-    log[severity](`[<-- ${statusCode || errorType || ''}] ${methodUrl}  [${durationSec} s]:`, outgoingRequestAttributesDto({
-      method,
-      url,
-      statusCode,
-      durationSec,
-      errorType,
-      peerService
-    }))
-  }
-}
-
-const createHttpLogger = () => {
-  const logger = globalLogger.child()
-  logger.setLevel(config.get('httpLogLevel'))
-  return logger
-}
-
 module.exports = {
-  sendRequest,
-  sendBaseRequest
+  sendRequest
 }

package/test/unit/util/hapi/plugins/headerValidation.test.js

@@ -151,7 +151,8 @@ Test('headerValidation plugin test', async (pluginTest) => {
     t.end()
   })
 
-  pluginTest.test('accept validation is not performed on post, put requests without an accept header', async t => {
+  pluginTest.test('accept validation is performed on post requests without an accept header', async t => {
+    const fspiopCode = ErrorHandling.Enums.FSPIOPErrorCodes.MISSING_ELEMENT
     const opts = {
       url: `/${resource}`,
       headers: {
@@ -159,11 +160,25 @@ Test('headerValidation plugin test', async (pluginTest) => {
         date: new Date().toUTCString()
       }
     }
-    await Promise.all(['post', 'put'].map(async method => {
-      const res = await server.inject({ ...opts, method })
-      t.is(res.payload, '')
-      t.is(res.statusCode, 202)
-    }))
+    const res = await server.inject({ ...opts, method: 'post' })
+    t.is(res.statusCode, fspiopCode.httpStatusCode)
+    const payload = JSON.parse(res.payload)
+    t.is(payload.apiErrorCode.code, fspiopCode.code)
+    t.is(payload.message, errorMessages.REQUIRE_ACCEPT_HEADER)
+    t.end()
+  })
+
+  pluginTest.test('accept validation is not required for put requests without an accept header', async t => {
+    const opts = {
+      url: `/${resource}`,
+      headers: {
+        'content-type': generateContentTypeHeader(resource, 1),
+        date: new Date().toUTCString()
+      }
+    }
+    const res = await server.inject({ ...opts, method: 'put' })
+    t.is(res.payload, '')
+    t.is(res.statusCode, 202)
     t.end()
   })
 

package/test/unit/util/hapi/plugins/loggingPlugin.test.js

@@ -134,7 +134,7 @@ Tape('loggingPlugin Tests -->', (pluginTests) => {
     t.true(statusCode === 500, 'handler failed')
     t.true(log.info.callCount === 2, 'log request/response')
     t.true(log.info.lastCall.firstArg.startsWith('[<== 500]'), 'error code is logged')
-    t.ok(log.info.lastCall.lastArg.payload, 'error output is logged')
+    t.ok(log.info.lastCall.lastArg.output.payload, 'error output is logged')
   }))
 
   pluginTests.test('should not log requests on internal routes', tryCatchEndTest(async t => {

package/test/unit/util/request.test.js

@@ -10,35 +10,6 @@ const Enum = require('../../../src/enums')
 const Helper = require('../../util/helper')
 const Metrics = require('@mojaloop/central-services-metrics')
 const Uuid = require('uuid4')
-const JwsSigner = require('@mojaloop/sdk-standard-components').Jws.signer
-
-const signingKey = `-----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA0eJEh3Op5p6x137lRkAsvmEBbd32dbRChrCUItZbtxjf/qfB
-yD5k8Hn4n4vbqzP8XSGS0f6KmNC+iRaP74HVgzAqc4Uid4J8dtSBq3VmucYQYzLc
-101QjuvD+SKmZwlw/q0PtulmqlASI2SbMfwcAraMi6ab7v5W4EGNeIPLEIo3BXsQ
-DTCWqiZb7aXkHkcY7sOjAzK/2bNGYFmAthdYrHzvCkqnJ7LAHX3Oj7rJea5MqtuN
-B9POZYaD10n9JuYWdwPqLrw6/hVgPSFEy+ulrVbXf54ZH0dfMThAYRvFrT81yulk
-H95JhXWGdi6cTp6t8LVOKFhnNfxjWw0Jayj9xwIDAQABAoIBADB2u/Y/CgNbr5sg
-DRccqHhJdAgHkep59kadrYch0knEL6zg1clERxCUSYmlxNKSjXp/zyQ4T46b3PNQ
-x2m5pDDHxXWpT10jP1Q9G7gYwuCw0IXnb8EzdB+cZ0M28g+myXW1RoSo/nDjTlzn
-1UJEgb9Kocd5cFZOWocr+9vRKumlZULMsA8yiNwlAfJHcMBM7acsa3myCqVhLyWt
-4BQylVuLFa+A6QzpMXEwFCq8EOXf07gl1XVzC6LJ1fTa9gVM3N+YE+oEXKrsHCxG
-/ACgKsjepL27QjJ7qvecWPP0F2LxEZYOm5tbXaKJTobzQUJHgUokanZMhjYprDsZ
-zumLw9kCgYEA/DUWcnLeImlfq/EYdhejkl3J+WX3vhS23OqVgY1amu7CZzaai6vt
-H0TRc8Zsbi4jgmFDU8PFzytP6qz6Tgom4R736z6oBi7bjnGyN17/NSbf+DaRVcM6
-vnZr7jNC2FJlECmIN+dkwUA/YCr2SA7hxZXM9mIYSc+6+glDiIO5Cf0CgYEA1Qo/
-uQbVHhW+Cp8H0kdMuhwUbkBquRrxRZlXS1Vrf3f9me9JLUy9UPWb3y3sKVurG5+O
-SIlr4hDcZyXdE198MtDMhBIGqU9ORSjppJDNDVvtt+n2FD4XmWIU70vKBJBivX0+
-Bow6yduis+p12fuvpvpnKCz8UjOgOQJhLZ4GQBMCgYBP6gpozVjxkm4ML2LO2IKt
-+CXtbo/nnOysZ3BkEoQpH4pd5gFmTF3gUJAFnVPyPZBm2abZvejJ0jGKbLELVVAo
-eQWZdssK2oIbSo9r2CAJmX3SSogWorvUafWdDoUZwlHfoylUfW+BhHgQYsyS3JRR
-ZTwCveZwTPA0FgdeFE7niQKBgQCHaD8+ZFhbCejDqXb4MXdUJ3rY5Lqwsq491YwF
-huKPn32iNNQnJcqCxclv3iln1Cr6oLx34Fig1KSyLv/IS32OcuY635Y6UPznumxe
-u+aJIjADIILXNOwdAplZy6s4oWkRFaSx1rmbCa3tew2zImTv1eJxR76MpOGmupt3
-uiQw3wKBgFjBT/aVKdBeHeP1rIHHldQV5QQxZNkc6D3qn/oAFcwpj9vcGfRjQWjO
-ARzXM2vUWEet4OVn3DXyOdaWFR1ppehz7rAWBiPgsMg4fjAusYb9Mft1GMxMzuwT
-Oyqsp6pzAWFrCD3JAoTLxClV+j5m+SXZ/ItD6ziGpl/h7DyayrFZ
------END RSA PRIVATE KEY-----`
 
 Test('ParticipantEndpoint Model Test', modelTest => {
   let sandbox
@@ -483,10 +454,9 @@ Test('ParticipantEndpoint Model Test', modelTest => {
         method: 'post',
         headers: Helper.defaultHeaders(fsp, Enum.Http.HeaderResources.PARTICIPANTS, payeefsp)
       }
-      const jwsSigner = new JwsSigner({
-        logger: null,
-        signingKey
-      })
+      const jwsSigner = {
+        getSignature: () => 'mock-jws-signature'
+      }
       request = sandbox.stub().returns({ status: 200 })
       Model = proxyquire('../../../src/util/request', { axios: request })
       const signSpy = Sinon.spy(jwsSigner, 'getSignature')
@@ -517,10 +487,9 @@ Test('ParticipantEndpoint Model Test', modelTest => {
         method: 'post',
         headers: Helper.defaultHeaders(fsp, Enum.Http.HeaderResources.PARTICIPANTS, payeefsp)
       }
-      const jwsSigner = new JwsSigner({
-        logger: null,
-        signingKey
-      })
+      const jwsSigner = {
+        getSignature: () => 'mock-jws-signature'
+      }
       request = sandbox.stub().returns({ status: 200 })
       Model = proxyquire('../../../src/util/request', { axios: request })
       const signSpy = Sinon.spy(jwsSigner, 'getSignature')

package/src/util/otelDto.js

@@ -1,75 +0,0 @@
-/*****
- License
- --------------
- Copyright © 2020-2025 Mojaloop Foundation
- The Mojaloop files are made available by the Mojaloop Foundation under the Apache License, Version 2.0 (the "License") and you may not use these files except in compliance with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, the Mojaloop files are distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
-
- Contributors
- --------------
- This is the official list of the Mojaloop project contributors for this file.
- Names of the original copyright holders (individuals or organizations)
- should be listed with a '*' in the first column. People who have
- contributed from an organization can be listed under the organization
- that actually holds the copyright for their contributions (see the
- Mojaloop Foundation for an example). Those individuals should have
- their names indented and be marked with a '-'. Email address can be added
- optionally within square brackets <email>.
-
- * Mojaloop Foundation
- * Eugen Klymniuk <eugen.klymniuk@infitx.com>
-
- --------------
- ******/
-/* istanbul ignore file */
-
-const otel = require('@opentelemetry/semantic-conventions')
-
-const ATTR_SERVICE_PEER_NAME = 'service.peer.name' // using string literal because ATTR_SERVICE_PEER_NAME is only available in @opentelemetry/semantic-conventions/incubating as of now
-const CUSTOM_REQUEST_ID = 'request.id'
-
-/** @typedef { attributes: Record<string, any> } OTelAttributes */
-
-/** @returns OTelAttributes */
-const outgoingRequestAttributesDto = ({
-  method, url, durationSec, statusCode, errorType, peerService
-}) => ({
-  attributes: {
-    [otel.ATTR_HTTP_REQUEST_METHOD]: method,
-    [otel.ATTR_URL_FULL]: url,
-    [otel.METRIC_HTTP_CLIENT_REQUEST_DURATION]: durationSec, // 'duration.ms' is a custom attribute
-    ...(statusCode && { [otel.ATTR_HTTP_RESPONSE_STATUS_CODE]: statusCode }),
-    ...(errorType && { [otel.ATTR_ERROR_TYPE]: errorType }),
-    ...(peerService && { [ATTR_SERVICE_PEER_NAME]: peerService })
-    // peerService - logical service name, must be explicitly provided by caller (not derived from URL hostname)
-    //               think if we should extract it for internal http://... calls from url hostname
-  }
-})
-
-/** @returns OTelAttributes */
-const incomingRequestAttributesDto = ({
-  method, url, path, route,
-  serverAddress, clientAddress, userAgent, durationSec, requestId, statusCode, errorType
-}) => ({
-  attributes: {
-    [otel.ATTR_HTTP_REQUEST_METHOD]: method,
-    [otel.ATTR_URL_FULL]: url,
-    [otel.ATTR_URL_PATH]: path,
-    [otel.ATTR_HTTP_ROUTE]: route,
-    [otel.ATTR_SERVER_ADDRESS]: serverAddress,
-    [otel.ATTR_CLIENT_ADDRESS]: clientAddress,
-    [otel.ATTR_USER_AGENT_ORIGINAL]: userAgent,
-    [CUSTOM_REQUEST_ID]: requestId,
-    ...(durationSec && { [otel.METRIC_HTTP_SERVER_REQUEST_DURATION]: durationSec }), // 'duration.ms' is a custom attribute
-    ...(statusCode && { [otel.ATTR_HTTP_RESPONSE_STATUS_CODE]: statusCode }),
-    ...(errorType && { [otel.ATTR_ERROR_TYPE]: errorType })
-  }
-})
-
-module.exports = {
-  outgoingRequestAttributesDto,
-  incomingRequestAttributesDto
-}