From b9c740e7bc14e48ef80f849ab0942284334e98c8 Mon Sep 17 00:00:00 2001
From: Santeri Hurnanen <santeri.hurnanen@fame.fi>
Date: Wed, 19 Nov 2025 18:20:20 +0200
Subject: [PATCH 1/3] UHF-12517: Add api key to hakuvahti

---
 compose.override.yaml                                |  1 +
 .../config/schema/helfi_hakuvahti.schema.yml         |  2 ++
 .../modules/custom/helfi_hakuvahti/src/Hakuvahti.php | 12 ++++++------
 public/sites/default/all.settings.php                |  1 +
 4 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/compose.override.yaml b/compose.override.yaml
index 7e9b924d..d6c74a40 100644
--- a/compose.override.yaml
+++ b/compose.override.yaml
@@ -2,6 +2,7 @@ services:
   app:
     environment:
       HAKUVAHTI_URL: 'http://hakuvahti:3000'
+      HAKUVAHTI_API_KEY: '123'
 networks:
   hakuvahti-network:
     external: true
diff --git a/public/modules/custom/helfi_hakuvahti/config/schema/helfi_hakuvahti.schema.yml b/public/modules/custom/helfi_hakuvahti/config/schema/helfi_hakuvahti.schema.yml
index 793353ae..67b7f516 100644
--- a/public/modules/custom/helfi_hakuvahti/config/schema/helfi_hakuvahti.schema.yml
+++ b/public/modules/custom/helfi_hakuvahti/config/schema/helfi_hakuvahti.schema.yml
@@ -16,5 +16,7 @@ helfi_hakuvahti.settings:
   type: config_object
   label: 'Helfi hakuvahti settings'
   mapping:
+    api_key:
+      type: string
     base_url:
       type: string
diff --git a/public/modules/custom/helfi_hakuvahti/src/Hakuvahti.php b/public/modules/custom/helfi_hakuvahti/src/Hakuvahti.php
index bf4d2db1..0f5afc6c 100644
--- a/public/modules/custom/helfi_hakuvahti/src/Hakuvahti.php
+++ b/public/modules/custom/helfi_hakuvahti/src/Hakuvahti.php
@@ -51,19 +51,19 @@ public function unsubscribe(string $hash, string $subscription): void {
    * @throws \Drupal\helfi_hakuvahti\HakuvahtiException
    */
   private function makeRequest(string $method, string $url, array $options = []): ResponseInterface {
-    if (!$baseUrl = $this->configFactory->get('helfi_hakuvahti.settings')->get('base_url')) {
+    $settings = $this->configFactory->get('helfi_hakuvahti.settings');
+    if (!$baseUrl = $settings->get('base_url')) {
       throw new HakuvahtiException('Hakuvahti base url is not configured.');
     }
 
-    // @todo hakuvahti has no use for Drupal tokens https://github.com/City-of-Helsinki/helfi-hakuvahti/blob/main/src/plugins/token.ts#L19.
-    // Maybe this value could be kind of api-key, so
-    // that only allowed services can talk to hakuvahti?
-    $token = '123';
+    $apiKey = $settings->get('api_key');
 
     try {
       return $this->client->request($method, "$baseUrl$url", NestedArray::mergeDeep([
         RequestOptions::HEADERS => [
-          'token' => $token,
+          'Authorization' => "api-key $apiKey",
+          // @todo remove this when we have fully migrated to new Hakuvahti.
+          'token' => '123',
         ],
         RequestOptions::TIMEOUT => 5,
       ], $options));
diff --git a/public/sites/default/all.settings.php b/public/sites/default/all.settings.php
index f4b29488..9751ce0e 100644
--- a/public/sites/default/all.settings.php
+++ b/public/sites/default/all.settings.php
@@ -21,6 +21,7 @@
   ];
 }
 
+$config['helfi_hakuvahti.settings']['api_key'] = getenv('HAKUVAHTI_API_KEY');
 $config['helfi_hakuvahti.settings']['base_url'] = getenv('HAKUVAHTI_URL');
 
 // Elastic proxy URL.

From 78ac57cc40c54e033b6b8df21cb34c67ea99c3cc Mon Sep 17 00:00:00 2001
From: Santeri Hurnanen <santeri.hurnanen@fame.fi>
Date: Mon, 24 Nov 2025 09:02:08 +0200
Subject: [PATCH 2/3] UHF-12517: hakuvahti-network is no longer used

For development, hakuvahti is exposed in stonehenge network.
---
 compose.override.yaml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/compose.override.yaml b/compose.override.yaml
index d6c74a40..24c8ad8f 100644
--- a/compose.override.yaml
+++ b/compose.override.yaml
@@ -3,6 +3,3 @@ services:
     environment:
       HAKUVAHTI_URL: 'http://hakuvahti:3000'
       HAKUVAHTI_API_KEY: '123'
-networks:
-  hakuvahti-network:
-    external: true

From 3c0f8e060d179b713200ac64abd24e1311ccd6b1 Mon Sep 17 00:00:00 2001
From: Santeri Hurnanen <santeri.hurnanen@fame.fi>
Date: Mon, 24 Nov 2025 11:02:04 +0200
Subject: [PATCH 3/3] UHF-12517: Do not expose error messages to end users

---
 .../src/Controller/HelfiHakuvahtiSubscribeController.php        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/public/modules/custom/helfi_hakuvahti/src/Controller/HelfiHakuvahtiSubscribeController.php b/public/modules/custom/helfi_hakuvahti/src/Controller/HelfiHakuvahtiSubscribeController.php
index 5cd82e4a..d14478e0 100644
--- a/public/modules/custom/helfi_hakuvahti/src/Controller/HelfiHakuvahtiSubscribeController.php
+++ b/public/modules/custom/helfi_hakuvahti/src/Controller/HelfiHakuvahtiSubscribeController.php
@@ -61,7 +61,7 @@ public function post(Request $request): JsonResponse {
     catch (\InvalidArgumentException | \JsonException $e) {
       // The frontend should not send invalid requests.
       $this->logger?->error('Hakuvahti initial subscription failed: ' . $e->getMessage());
-      return new JsonResponse(['success' => FALSE, 'error' => $e->getMessage()], Response::HTTP_BAD_REQUEST);
+      return new JsonResponse(['success' => FALSE, 'error' => 'Error while handling the request.'], Response::HTTP_BAD_REQUEST);
     }
 
     // Allows other modules to alter the request.