GOV.UK Pay Frontend application (Node.js)
- This requires the Pay CLI, which is not publicly available at present.
- You have set up your local development environment
- Clone this repo locally.
Copy .env.example
and rename to .env
. This contains the environment variables required to run the app, and contains
the URLs for other microservices that frontend makes requests to, which default to the URLs that apps run using pay
local are available on.
Start the Pay local environment
pay local launch --cluster card
Start frontend
npm install && npm run compile
npm run start:dev
Make a create payment request to the locally running Public API app, and visit the next_url
with the host changed
to http://127.0.0.1:3000.
- In VSCode, go to the
Debug
view (on MacOS, use shortcutCMD + shift + D
). - From the Run toolbar, select tne launch config
Frontend
. - Add breakpoints to any file you want to debug - click in the left hand column and a red dot will appear.
- Press The
green play
button (F5
MacOS):- This will run the app in debug mode.
- Uses
nodemon
so it will automatically restart on code changes.
You shouldn’t need to restart the app to see changes you make.
We use nodemon which watches for changes to files and restarts the node process.
If you’re making changes to client-side JS or Sass files (anything within /assets/
) then
running npm run watch-live-reload
will watch for changes and recompile. Nodemon does not do anything here as that’s
not necessary. If you install the livereload browser plugin then it will refresh
your page once the assets have been compiled to the /public
folder.
npm run compile && npm test
- Some integration tests do not work in debug mode. This is because the tests are dependent on other tests running before hand.
- Nevertheless, it is still useful to debug tests that do work in debug mode.
- In VSCode, go to the
Debug
view (on MacOS, use shortcutCMD + shift + D
). - From the Run toolbar, select the launch config you want to run:
Mocha All
- runs all tests.Mocha Current File
- only run currently open test file.
- Add breakpoints to any file you want to debug - click in the left hand column and a red dot will appear.
- Press The
green play
button orF5
.
Run in two separate terminals:
-
npm run cypress:server
This runs both the Cypress server and Mountebank which is the virtualisation server used for stubbing out external API calls.
-
Either:
npm run cypress:test
to run headlessnpm run cypress:test-headed
to run headed
variable | required | default value | Description |
---|---|---|---|
BIND_HOST |
127.0.0.1 | The IP address for the application to bind to. | |
PORT |
X | 9200 | The port number for the express server to be bound at runtime |
SESSION_ENCRYPTION_KEY |
X | key to be used by the cookie encryption algorithm. Should be a large unguessable string (More Info). | |
CONNECTOR_TOKEN_URL |
X | The connector endpoint to use when validating the one time token. | |
ANALYTICS_TRACKING_ID |
X | Tracking ID to be used by 'Google-Analytics'. | |
SECURE_COOKIE_OFF |
false/undefined | To switch off generating secure cookies. Set this to true only if you are running self service in a non HTTPS environment. |
|
NODE_WORKER_COUNT |
1 | The number of worker threads started by node cluster when run in production mode | |
WORLDPAY_3DS_FLEX_DDC_TEST_URL |
X | https://secure-test.worldpay.com/shopper/3ds/ddc.html |
URL for Device Data Collection (DDC) initiation in TEST |
WORLDPAY_3DS_FLEX_DDC_LIVE_URL |
X | URL for Device Data Collection (DDC) initiation in LIVE | |
WORLDPAY_3DS_FLEX_CHALLENGE_TEST_URL |
X | https://secure-test.worldpay.com/shopper/3ds/challenge.html |
Pointing to Worldpay's TEST 3ds flex challenge URL. |
WORLDPAY_3DS_FLEX_CHALLENGE_LIVE_URL |
X | https://centinelapi.cardinalcommerce.com/V2/Cruise/StepUp |
Pointing to Worldpay's LIVE 3ds flex challenge URL. |
CSP_SEND_HEADER |
false/undefined | Apply card payment contest security policy headers. | |
CSP_ENFORCE |
false/undefined | Browser will block content security policy violations if set to true, default is to only report on violations. | |
CSP_REPORT_URI |
URI to receive CSP violation reports. | ||
GOOGLE_PAY_MERCHANT_ID |
Merchant ID used to identify GOV.UK Pay to Google when making a payment request. This ID is got from the Google Pay Developer Profile. | ||
GOOGLE_PAY_MERCHANT_ID_2 |
The same as GOOGLE_PAY_MERCHANT_ID, but used to rotate to a new merchant id in a safe way. | ||
WORLDPAY_APPLE_PAY_ENABLED |
true | Feature toggle that enables Apple Pay for Worldpay accounts | |
WORLDPAY_GOOGLE_PAY_ENABLED |
true | Feature toggle that enables Google Pay for Worldpay accounts | |
STRIPE_APPLE_PAY_ENABLED |
true | Feature toggle that enables Apple Pay for Stripe accounts | |
STRIPE_GOOGLE_PAY_ENABLED |
true | Feature toggle that enables Google Pay for Stripe accounts | |
PAY_TEST_GATEWAY_ACCOUNTS |
[""] | Gateway accounts that should ignore the wallet feature toggles | |
STRIPE_TEST_PUBLISHABLE_API_KEY |
Non-secret Stripe API key we used by Google to process Stripe based Google Pay charges | ||
STRIPE_LIVE_PUBLISHABLE_API_KEY |
Non-secret Stripe API key we used by Google to process Stripe based Google Pay charges | ||
FRONTEND_URL |
Used to set the CSP Reporting-Endpoint header |
GOV.UK Pay aims to stay secure for everyone. If you are a security researcher and have discovered a security vulnerability in this code, we appreciate your help in disclosing it to us in a responsible manner. Please refer to our vulnerability disclosure policy and our security.txt file for details.