ConsumerDataStandardsAustralia / standards-maintenance

This repository houses the interactions, consultations and work management to support the maintenance of baselined components of the Consumer Data Right API Standards and Information Security profile.

BankingProduct productId should not include & or / or other characters that can't be in a URI #523

Closed ajduncanson closed 1 year ago

ajduncanson commented 2 years ago

Description

Several Banking Data Holders are using characters in their productId strings that make it impossible to use them in a call to Get Product Details.

Area Affected

Schema

Change Proposed

Change schema for BankingProduct to ensure that productId does not contain characters that can't be used in the URI of a call to the Get Product Details endpoint.

ajduncanson commented 2 years ago

Specifically:

CDR-API-Stream commented 1 year ago

@ajduncanson, IDs in the CDR standards are open with regards to characters that are able to be used. The expectation for IDs that are included in URLs as path parameters (like ProductID, AccountId, ServicePointID, etc) is that they should be URL encoded. For example, a / should be replaced with %2F.

If the banks do not respond successfully to a URL encoded ID provided as a path parameter then they would already be considered non-standards compliant. They have provided a product ID which cannot be used to obtain the associated product detail.

perlboy commented 1 year ago

Looks like 2 of the 3 listed above have fixed this issue. @ajduncanson it is a specific core banking vendor who has very poor input/output control on results. It allows printing of unescaped productId but doesn't de-escape it when requested directly (resulting in 404s). You could contact the individual holder if you were inclined although I presume the regulator could do that too....

@CDR-API-Stream Banking Product Comparator doesn't appear to handle UTF-8 escaping either and is passing requests verbatim to the endpoint.

Perhaps the DSB should fix this: image

nils-work commented 1 year ago

As the comment above notes, this issue is not expected to result in a change to the Standards. Unless there are further comments, this issue will be closed on 30 June 2023.

The comment regarding the operation of the Product Comparator demo will be reviewed.

For any further assistance with compliance and data quality issues, the ACCC recently published Clarification of specific Data Quality obligations which includes a section on Reporting Data Quality Issues.

nils-work commented 11 months ago

Hi @ajduncanson, @perlboy. Thanks for raising this issue. The Product Comparator (demo) now encodes the productId path parameter in a request to Get Product Detail.
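
The encoding discussed in this thread, shown from both sides as an added example; it is not part of the original issue, the Standards, or the Product Comparator source. The base URL, the `/cds-au/v1/banking/products/{productId}` route pattern as written here, the function names and the sample productId values are assumptions constructed for illustration.

```javascript
// Added example, not from the issue thread or the Product Comparator source.
// BASE and the sample productId values are constructed placeholders.
const BASE = "https://data.holder.example/cds-au/v1";
const ROUTE = /^\/cds-au\/v1\/banking\/products\/([^/?#]+)$/;

// Client: encode the ID as one path segment. encodeURIComponent escapes
// "/", "&", "?", "#", "%", spaces and non-ASCII characters (as UTF-8 bytes).
function productDetailUrl(productId) {
  return `${BASE}/banking/products/${encodeURIComponent(productId)}`;
}

// Client that passes the ID verbatim, the behaviour reported in the thread.
function verbatimUrl(productId) {
  return `${BASE}/banking/products/${productId}`;
}

// Holder: match the route on the raw path first, then decode the captured
// segment exactly once. Decoding before routing would turn %2F back into a
// path separator; a malformed escape is rejected instead of guessed at.
function productIdFromPath(rawPath) {
  const m = ROUTE.exec(rawPath);
  if (!m) return null;
  try {
    return decodeURIComponent(m[1]);
  } catch {
    return null;
  }
}

// Resolve the ID the holder would see for a given request URL.
function idSeenByHolder(url) {
  return productIdFromPath(new URL(url).pathname);
}

function compare(ids) {
  return ids.map((id) => ({
    id,
    encoded: idSeenByHolder(productDetailUrl(id)),
    verbatim: idSeenByHolder(verbatimUrl(id)),
  }));
}

console.table(compare(["HOME/LOAN&OFFSET", "50% LVR", "A?B", "plain-123"]));
```

In the printed table the `encoded` column always matches the original ID, while the `verbatim` column is `null` (no route match or a malformed escape) or, for `A?B`, a different ID because the `?` starts the query string.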