ml-testing-toolkit 18.13.0

package/src/lib/mocking/transformers/fspiopToISO20022.js

@@ -0,0 +1,230 @@
+/*****
+ License
+ --------------
+ Copyright © 2020-2025 Mojaloop Foundation
+ The Mojaloop files are made available by the Mojaloop Foundation under the Apache License, Version 2.0 (the "License") and you may not use these files except in compliance with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, the Mojaloop files are distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
+
+ Contributors
+ --------------
+ This is the official list of the Mojaloop project contributors for this file.
+ Names of the original copyright holders (individuals or organizations)
+ should be listed with a '*' in the first column. People who have
+ contributed from an organization can be listed under the organization
+ that actually holds the copyright for their contributions (see the
+ Mojaloop Foundation for an example). Those individuals should have
+ their names indented and be marked with a '-'. Email address can be added
+ optionally within square brackets <email>.
+
+ * Mojaloop Foundation
+ - Name Surname <name.surname@mojaloop.io>
+
+ * Infitx
+ * Vijaya Kumar Guthi <vijaya.guthi@infitx.com> (Original Author)
+ --------------
+ ******/
+
+const { TransformFacades } = require('@mojaloop/ml-schema-transformer-lib')
+const { getHeader, headersToLowerCase } = require('../../utils')
+
+const _replaceAcceptOrContentTypeHeader = (inputStr, isReverse) => {
+  if (isReverse) {
+    return inputStr.replace('application/vnd.interoperability.iso20022.', 'application/vnd.interoperability.')
+  } else {
+    return inputStr.replace('application/vnd.interoperability.', 'application/vnd.interoperability.iso20022.')
+  }
+}
+const _replaceHeaders = (headers, isReverse) => {
+  // Replace headers considering the case sensitivity
+  const newHeaders = {
+    ...headers
+  }
+  Object.keys(headers).forEach((key) => {
+    if (key.toLowerCase() === 'content-type' || key.toLowerCase() === 'accept') {
+      newHeaders[key] = _replaceAcceptOrContentTypeHeader(headers[key], isReverse)
+    } else {
+      newHeaders[key] = headers[key]
+    }
+  })
+  return newHeaders
+}
+
+const _transformGetResource = (_resource, options, isReverse) => {
+  const headers = _replaceHeaders(options.headers, isReverse)
+
+  return {
+    ...options,
+    headers
+  }
+}
+
+const _transformPostResource = async (resource, options, isReverse) => {
+  const headers = _replaceHeaders(options.headers, isReverse)
+  let result
+  if (isReverse) {
+    TransformFacades.FSPIOPISO20022.configure({ isTestingMode: true })
+    result = await TransformFacades.FSPIOPISO20022[resource].post({ body: options.body, headers: options.headers })
+  } else {
+    TransformFacades.FSPIOP.configure({ isTestingMode: true })
+    result = await TransformFacades.FSPIOP[resource].post({ body: options.body, headers: options.headers })
+  }
+
+  return {
+    ...options,
+    headers,
+    body: result?.body
+  }
+}
+
+const _transformPutResource = async (resource, options, isError, isReverse) => {
+  const headers = _replaceHeaders(options.headers, isReverse)
+  let result
+  if (isReverse) {
+    TransformFacades.FSPIOPISO20022.configure({ isTestingMode: true })
+    result = await TransformFacades.FSPIOPISO20022[resource][isError ? 'putError' : 'put']({
+      body: options.body,
+      headers: headersToLowerCase(headers),
+      params: options.params
+    })
+  } else {
+    TransformFacades.FSPIOP.configure({ isTestingMode: true })
+    result = await TransformFacades.FSPIOP[resource][isError ? 'putError' : 'put']({
+      body: options.body,
+      headers: headersToLowerCase(headers),
+      params: options.params
+    })
+  }
+
+  return {
+    ...options,
+    headers,
+    body: result?.body
+  }
+}
+
+const _transformPatchResource = async (resource, options, isReverse) => {
+  const headers = _replaceHeaders(options.headers, isReverse)
+  let result
+  if (isReverse) {
+    TransformFacades.FSPIOPISO20022.configure({ isTestingMode: true })
+    result = await TransformFacades.FSPIOPISO20022[resource].patch({
+      body: options.body,
+      headers: headersToLowerCase(headers),
+      params: options.params
+    })
+  } else {
+    TransformFacades.FSPIOP.configure({ isTestingMode: true })
+    result = await TransformFacades.FSPIOP[resource].patch({
+      body: options.body,
+      headers: headersToLowerCase(headers),
+      params: options.params
+    })
+  }
+
+  return {
+    ...options,
+    headers,
+    body: result?.body
+  }
+}
+
+const _transform = async (options, isReverse = false) => {
+  if (isReverse) {
+    if (!getHeader(options.headers, 'content-type')?.startsWith('application/vnd.interoperability.iso20022.')) {
+      return options
+    }
+  } else {
+    if (!getHeader(options.headers, 'content-type')?.startsWith('application/vnd.interoperability.')) {
+      return options
+    }
+  }
+  try {
+    switch (options.method) {
+      case 'get':
+        if (options.path.startsWith('/parties')) {
+          return _transformGetResource('parties', options, isReverse)
+        } else if (options.path.startsWith('/quotes')) {
+          return _transformGetResource('quotes', options, isReverse)
+        } else if (options.path.startsWith('/transfers')) {
+          return _transformGetResource('transfers', options, isReverse)
+        } else if (options.path.startsWith('/fxQuotes')) {
+          return _transformGetResource('fxQuotes', options, isReverse)
+        } else if (options.path.startsWith('/fxTransfers')) {
+          return _transformGetResource('fxTransfers', options, isReverse)
+        } else if (options.path.startsWith('/participants')) {
+          return _transformGetResource('participants', options, isReverse)
+        }
+        break
+      case 'post':
+        if (options.path.startsWith('/quotes')) {
+          return await _transformPostResource('quotes', options, isReverse)
+        } else if (options.path.startsWith('/transfers')) {
+          return await _transformPostResource('transfers', options, isReverse)
+        } else if (options.path.startsWith('/fxQuotes')) {
+          return await _transformPostResource('fxQuotes', options, isReverse)
+        } else if (options.path.startsWith('/fxTransfers')) {
+          return await _transformPostResource('fxTransfers', options, isReverse)
+        } else if (options.path.startsWith('/participants')) {
+          // POST /participants - Only the headers need to be transformed
+          const headers = _replaceHeaders(options.headers, isReverse)
+          return {
+            ...options,
+            headers
+          }
+        }
+        break
+      case 'put': {
+        let isError = false
+        if (options.path.endsWith('/error')) {
+          isError = true
+        }
+        if (options.path.startsWith('/parties')) {
+          return await _transformPutResource('parties', options, isError, isReverse)
+        } else if (options.path.startsWith('/quotes')) {
+          return await _transformPutResource('quotes', options, isError, isReverse)
+        } else if (options.path.startsWith('/transfers')) {
+          return await _transformPutResource('transfers', options, isError, isReverse)
+        } else if (options.path.startsWith('/fxQuotes')) {
+          return await _transformPutResource('fxQuotes', options, isError, isReverse)
+        } else if (options.path.startsWith('/fxTransfers')) {
+          return await _transformPutResource('fxTransfers', options, isError, isReverse)
+        } else if (options.path.startsWith('/participants')) {
+          // PUT /participants - Only the headers need to be transformed
+          const headers = _replaceHeaders(options.headers, isReverse)
+          return {
+            ...options,
+            headers
+          }
+        }
+        break
+      }
+      case 'patch': {
+        if (options.path.startsWith('/transfers')) {
+          return await _transformPatchResource('transfers', options, isReverse)
+        } else if (options.path.startsWith('/fxTransfers')) {
+          return await _transformPatchResource('fxTransfers', options, isReverse)
+        }
+        break
+      }
+    }
+  } catch (err) {
+    console.log('Error transforming request', err)
+  }
+  return options
+}
+
+const forwardTransform = async (options) => {
+  return _transform(options)
+}
+
+const reverseTransform = async (options) => {
+  return _transform(options, true)
+}
+
+module.exports = {
+  forwardTransform,
+  reverseTransform
+}

package/src/lib/mocking/transformers/index.js

@@ -0,0 +1,41 @@
+/*****
+ License
+ --------------
+ Copyright © 2020-2025 Mojaloop Foundation
+ The Mojaloop files are made available by the Mojaloop Foundation under the Apache License, Version 2.0 (the "License") and you may not use these files except in compliance with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, the Mojaloop files are distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
+
+ Contributors
+ --------------
+ This is the official list of the Mojaloop project contributors for this file.
+ Names of the original copyright holders (individuals or organizations)
+ should be listed with a '*' in the first column. People who have
+ contributed from an organization can be listed under the organization
+ that actually holds the copyright for their contributions (see the
+ Mojaloop Foundation for an example). Those individuals should have
+ their names indented and be marked with a '-'. Email address can be added
+ optionally within square brackets <email>.
+
+ * Mojaloop Foundation
+ - Name Surname <name.surname@mojaloop.io>
+
+ * Infitx
+ * Vijaya Kumar Guthi <vijaya.guthi@infitx.com> (Original Author)
+ --------------
+ ******/
+
+const getTransformer = (transformerName) => {
+  if (transformerName === 'none' || transformerName === 'NONE' || transformerName === 'no' || transformerName === 'NO') {
+    return null
+  } else {
+    const transformerModule = require(`./${transformerName}`)
+    return transformerModule
+  }
+}
+
+module.exports = {
+  getTransformer
+}

package/src/lib/notificationEmitter.js

@@ -0,0 +1,64 @@
+/*****
+ License
+ --------------
+ Copyright © 2020-2025 Mojaloop Foundation
+ The Mojaloop files are made available by the Mojaloop Foundation under the Apache License, Version 2.0 (the "License") and you may not use these files except in compliance with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, the Mojaloop files are distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
+
+ Contributors
+ --------------
+ This is the official list of the Mojaloop project contributors for this file.
+ Names of the original copyright holders (individuals or organizations)
+ should be listed with a '*' in the first column. People who have
+ contributed from an organization can be listed under the organization
+ that actually holds the copyright for their contributions (see the
+ Mojaloop Foundation for an example). Those individuals should have
+ their names indented and be marked with a '-'. Email address can be added
+ optionally within square brackets <email>.
+
+ * Mojaloop Foundation
+ - Name Surname <name.surname@mojaloop.io>
+
+ * ModusBox
+ * Vijaya Kumar Guthi <vijaya.guthi@modusbox.com> (Original Author)
+ --------------
+ ******/
+
+const SocketServer = require('./socket-server')
+
+const broadcast = (log, sessionID = null, type) => {
+  const io = SocketServer.getIO()
+  if (io) {
+    io.emit(type, log)
+    if (sessionID) {
+      io.emit(`${type}/` + sessionID, log)
+    }
+  }
+}
+
+const broadcastLog = (log, sessionID = null) => {
+  broadcast(log, sessionID, 'newLog')
+}
+
+const sendMessage = (message, sessionID = null) => {
+  broadcast(message, sessionID, 'pushMessage')
+}
+
+const broadcastOutboundLog = (log, sessionID = null) => {
+  broadcast(log, sessionID, 'newOutboundLog')
+}
+
+const broadcastOutboundProgress = (status, sessionID = null) => {
+  status.reportTime = new Date()
+  broadcast(status, sessionID, 'outboundProgress')
+}
+
+module.exports = {
+  broadcastLog,
+  broadcastOutboundLog,
+  broadcastOutboundProgress,
+  sendMessage
+}

package/src/lib/oauth/KeycloakHelper.js

@@ -0,0 +1,220 @@
+/*****
+ License
+ --------------
+ Copyright © 2020-2025 Mojaloop Foundation
+ The Mojaloop files are made available by the Mojaloop Foundation under the Apache License, Version 2.0 (the "License") and you may not use these files except in compliance with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, the Mojaloop files are distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
+
+ Contributors
+ --------------
+ This is the official list of the Mojaloop project contributors for this file.
+ Names of the original copyright holders (individuals or organizations)
+ should be listed with a '*' in the first column. People who have
+ contributed from an organization can be listed under the organization
+ that actually holds the copyright for their contributions (see the
+ Mojaloop Foundation for an example). Those individuals should have
+ their names indented and be marked with a '-'. Email address can be added
+ optionally within square brackets <email>.
+
+ * Mojaloop Foundation
+ - Name Surname <name.surname@mojaloop.io>
+
+ * ModusBox
+ * Vijay Kumar Guthi <vijaya.guthi@modusbox.com> (Original Author)
+ --------------
+ ******/
+
+const Config = require('../config')
+const querystring = require('querystring')
+const axios = require('axios').default
+const objectStore = require('../objectStore/objectStoreInterface')
+const customLogger = require('../requestLogger')
+
+const getKeyCloakUsers = async (keycloakToken) => {
+  const systemConfig = Config.getSystemConfig()
+  const getUsersResp = await axios.get(systemConfig.KEYCLOAK.API_URL + `/auth/admin/realms/${systemConfig.KEYCLOAK.REALM}/users`, { headers: { Authorization: `Bearer ${keycloakToken.accessToken}` } })
+  if (getUsersResp.status === 200) {
+    const users = []
+    getUsersResp.data.forEach(user => {
+      if (user.username !== systemConfig.KEYCLOAK.USERNAME) {
+        let userId = user.attributes.dfspId
+        if (Array.isArray(user.attributes.dfspId)) {
+          userId = user.attributes.dfspId[0]
+        }
+        users.push({
+          id: userId,
+          name: `${user.firstName} ${user.lastName}`
+        })
+      }
+    })
+    return users
+  } else {
+    throw new Error(`Some error while getting users from as ${systemConfig.KEYCLOAK.USERNAME}`)
+  }
+}
+
+const getTokenInfo = async (authInfo) => {
+  const formData = {
+    client_id: authInfo.clientId,
+    client_secret: authInfo.clientSecret,
+    grant_type: 'client_credentials'
+  }
+  try {
+    const tokenResponse = await axios.post(authInfo.tokenEndpoint, querystring.stringify(formData), { headers: { 'Content-Type': 'application/x-www-form-urlencoded' } })
+    if (tokenResponse.status === 200) {
+      return tokenResponse.data
+    } else {
+      throw new Error('Some error while generating token')
+    }
+  } catch (error) {
+    throw new Error('Token generation failed', error.error)
+  }
+}
+
+const keycloakAuth = async () => {
+  let keycloakToken = await objectStore.get('KEYCLOAK_TOKEN')
+  // if token not set or expires in 1 min, then generate a new one
+  if (Object.keys(keycloakToken).length === 0 || Date.now() >= (keycloakToken.expiresAt - (60 * 1000))) {
+    const systemConfig = Config.getSystemConfig()
+    const loginFormData = {
+      grant_type: 'password',
+      client_id: systemConfig.KEYCLOAK.ADMIN_CLIENT_ID,
+      // client_secret: systemConfig.OAUTH.APP_OAUTH_CLIENT_SECRET,
+      username: systemConfig.KEYCLOAK.ADMIN_USERNAME,
+      password: systemConfig.KEYCLOAK.ADMIN_PASSWORD
+    }
+    const loginResp = await axios.post(systemConfig.KEYCLOAK.API_URL + `/auth/realms/${systemConfig.KEYCLOAK.ADMIN_REALM}/protocol/openid-connect/token`, querystring.stringify(loginFormData), { headers: { 'Content-Type': 'application/x-www-form-urlencoded' } })
+    if (loginResp.status === 200) {
+      await objectStore.set('KEYCLOAK_TOKEN', {
+        accessToken: loginResp.data.access_token,
+        expiresAt: Date.now() + (loginResp.data.expires_in * 1000)
+      })
+      keycloakToken = await objectStore.get('KEYCLOAK_TOKEN')
+    } else {
+      throw new Error(`Some error while login to the Keycloak as ${systemConfig.KEYCLOAK.ADMIN_USERNAME}`)
+    }
+  }
+  return keycloakToken
+}
+
+const getClientAuthInfo = async (user) => {
+  try {
+    const systemConfig = Config.getSystemConfig()
+    const keycloakToken = await keycloakAuth()
+    const clientId = user.dfspId
+    let clientInfo = await _findClient(clientId, keycloakToken)
+    if (!clientInfo) {
+      // No clients with the client ID, so create one
+      // TODO: Create a new client with the clientId
+      await _createClient(clientId, keycloakToken)
+      clientInfo = await _findClient(clientId, keycloakToken)
+    }
+    // Get the client secret
+    const clientKeycloakID = clientInfo.id
+    const clientSecretResp = await axios.get(systemConfig.KEYCLOAK.API_URL + `/auth/admin/realms/${systemConfig.KEYCLOAK.REALM}/clients/${clientKeycloakID}/client-secret`, { params: { clientId }, headers: { Authorization: `Bearer ${keycloakToken.accessToken}` } })
+    if (clientSecretResp.status === 200 && clientSecretResp.data.type && clientSecretResp.data.type === 'secret') {
+      return {
+        clientId,
+        clientSecret: clientSecretResp.data.value,
+        tokenEndpoint: systemConfig.OAUTH.OAUTH2_ISSUER
+      }
+    } else {
+      throw new Error('Client secret not found: Contact Hub operator')
+    }
+  } catch (error) {
+    customLogger.logMessage('error', error.stack, error, { notification: false })
+    if (error && error.statusCode === 400) {
+      throw new Error('Authentication failed', error.error)
+    }
+    throw error
+  }
+}
+
+const _findClient = async (clientId, keycloakToken) => {
+  try {
+    const systemConfig = Config.getSystemConfig()
+    const clientResp = await axios.get(systemConfig.KEYCLOAK.API_URL + `/auth/admin/realms/${systemConfig.KEYCLOAK.REALM}/clients`, { params: { clientId }, headers: { Authorization: `Bearer ${keycloakToken.accessToken}` } })
+    if (clientResp.status === 200) {
+      const clientsFound = clientResp.data
+      if (clientsFound.length > 0) {
+        // Pick the first client
+        return clientsFound[0]
+      } else {
+        return null
+      }
+    }
+    throw new Error('Can not get client list from keycloak')
+  } catch (error) {
+    customLogger.logMessage('error', error.stack, error, { notification: false })
+    if (error && error.statusCode === 400) {
+      throw new Error('Authentication failed', error.error)
+    }
+    throw error
+  }
+}
+
+const _createClient = async (clientId, keycloakToken) => {
+  const clientRepresentationObj = {
+    clientId,
+    enabled: true,
+    protocol: 'openid-connect',
+    rootUrl: '',
+    clientAuthenticatorType: 'client-secret',
+    surrogateAuthRequired: false,
+    alwaysDisplayInConsole: false,
+    redirectUris: ['http://ml-testing-toolkit-keycloak.local'],
+    bearerOnly: false,
+    consentRequired: false,
+    standardFlowEnabled: true,
+    implicitFlowEnabled: false,
+    directAccessGrantsEnabled: true,
+    serviceAccountsEnabled: true,
+    authorizationServicesEnabled: true,
+    publicClient: false,
+    frontchannelLogout: false,
+    attributes: {
+      'oauth2.device.authorization.grant.enabled': 'false',
+      'backchannel.logout.revoke.offline.tokens': 'false',
+      'use.refresh.tokens': 'true',
+      'oidc.ciba.grant.enabled': 'false',
+      'id.token.signed.response.alg': 'RS256',
+      'backchannel.logout.session.required': 'true',
+      'client_credentials.use_refresh_token': 'false',
+      'require.pushed.authorization.requests': 'false',
+      'id.token.as.detached.signature': 'false',
+      'access.token.signed.response.alg': 'RS256',
+      'exclude.session.state.from.auth.response': 'false',
+      'tls.client.certificate.bound.access.tokens': 'false',
+      'display.on.consent.screen': 'false'
+    },
+    fullScopeAllowed: true,
+    access: { view: true, configure: true, manage: true }
+  }
+
+  try {
+    const systemConfig = Config.getSystemConfig()
+    const clientCreateResp = await axios.post(systemConfig.KEYCLOAK.API_URL + `/auth/admin/realms/${systemConfig.KEYCLOAK.REALM}/clients`, clientRepresentationObj, { headers: { Authorization: `Bearer ${keycloakToken.accessToken}` } })
+    if (clientCreateResp.status === 201) {
+      // const clientsFound = clientResp.data
+      console.log(clientCreateResp.data)
+    } else {
+      throw new Error(`Can not create client in keycloak: ${clientCreateResp.status} ${clientCreateResp.statusText}`)
+    }
+  } catch (error) {
+    customLogger.logMessage('error', error.stack, error, { notification: false })
+    if (error && error.statusCode === 400) {
+      throw new Error('Authentication failed', error.error)
+    }
+    throw error
+  }
+}
+
+module.exports = {
+  getKeyCloakUsers,
+  getClientAuthInfo,
+  getTokenInfo,
+  keycloakAuth
+}

package/src/lib/oauth/LoginService.js

@@ -0,0 +1,133 @@
+/*****
+ License
+ --------------
+ Copyright © 2020-2025 Mojaloop Foundation
+ The Mojaloop files are made available by the Mojaloop Foundation under the Apache License, Version 2.0 (the "License") and you may not use these files except in compliance with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, the Mojaloop files are distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
+
+ Contributors
+ --------------
+ This is the official list of the Mojaloop project contributors for this file.
+ Names of the original copyright holders (individuals or organizations)
+ should be listed with a '*' in the first column. People who have
+ contributed from an organization can be listed under the organization
+ that actually holds the copyright for their contributions (see the
+ Mojaloop Foundation for an example). Those individuals should have
+ their names indented and be marked with a '-'. Email address can be added
+ optionally within square brackets <email>.
+
+ * Mojaloop Foundation
+ - Name Surname <name.surname@mojaloop.io>
+
+ * ModusBox
+ * Georgi Logodazhki <georgi.logodazhki@modusbox.com> (Original Author)
+ --------------
+ ******/
+
+'use strict'
+const Config = require('../config')
+const Cookies = require('cookies')
+const jwt = require('jsonwebtoken')
+const wso2Client = require('./Wso2Client')
+const customLogger = require('../requestLogger')
+
+/**
+ * Logs the user in.
+ * If successful, sets the JWT token in a cookie and returns the token payload
+ */
+exports.loginUser = async function (username, password, req, res) {
+  const tokenObj = await this.getTokenInfo(username, password)
+  if (tokenObj === null) {
+    return {
+      ok: false,
+      token: {
+        payload: {
+          at_hash: null,
+          aud: null,
+          sub: null,
+          nbf: 0,
+          azp: null,
+          amr: [],
+          iss: null,
+          groups: [],
+          exp: 0,
+          iat: 0,
+          dfspId: null
+        }
+      }
+    }
+  }
+
+  const response = buildJWTResponse(tokenObj.decodedIdToken, tokenObj.access_token, tokenObj.expires_in, req, res)
+  return response
+}
+
+/**
+ * Gets the access token and decoded token
+ * If successful, sets the JWT token in a cookie and returns the token payload
+ */
+exports.getTokenInfo = async function (username, password) {
+  if (!Config.getSystemConfig().OAUTH.AUTH_ENABLED) {
+    return null
+  }
+  try {
+    const loginResponseObj = await wso2Client.getToken(username, password)
+    const decodedIdToken = jwt.decode(loginResponseObj.id_token)
+    return {
+      ...loginResponseObj,
+      decodedIdToken
+    }
+  } catch (error) {
+    customLogger.logMessage('error', 'login user failed', error, { notification: false })
+    if (error && error.statusCode === 400 && error.message.includes('Authentication failed')) {
+      throw new Error(`Authentication failed for user ${username}`, error.error)
+    }
+    throw error
+  }
+}
+
+const buildJWTResponse = (decodedIdToken, accessToken, expiresIn, req, res) => {
+  // If the user is a DFSP admin, set the dfspId so the UI can send it
+  let dfspId = null
+  if (decodedIdToken.dfspId != null) {
+    dfspId = decodedIdToken.dfspId
+  } else {
+    // Get the DFSP id from the Application/DFSP: group
+    const groups = decodedIdToken.groups
+    for (const group of groups) {
+      const groupMatchResult = group.match(/^Application\/DFSP:(.*)$/)
+      if (groupMatchResult == null || !Array.isArray(groupMatchResult)) {
+        continue
+      }
+      dfspId = groupMatchResult[1]
+      customLogger.logMessage('info', `${dfspId} found in ${group} group`, { notification: false })
+      break // FIXME only returns the first ( there should be only one ). May report an error if there's more than one Application/DFSP group ?
+    }
+  }
+
+  decodedIdToken.dfspId = dfspId
+
+  const cookies = new Cookies(req, res)
+  const cookieOptions = { maxAge: expiresIn * 1000, httpOnly: true, sameSite: 'strict' } // secure is automatic based on HTTP or HTTPS used
+  cookies.set('TTK-API_ACCESS_TOKEN', accessToken, cookieOptions)
+  return {
+    ok: true,
+    token: {
+      payload: {
+        maxAge: expiresIn,
+        ...decodedIdToken
+      }
+    }
+  }
+}
+
+/**
+ * Logs the user out.
+ */
+exports.logoutUser = async function (req, res) {
+  const cookies = new Cookies(req, res)
+  cookies.set('TTK-API_ACCESS_TOKEN')
+}