Overview
Retrieves bank account information for a specified local authority. The response contains encrypted bank details that are decrypted server-side using the FSS encryption key.
Bank details are masked for unauthorized users. Only users with the viewFullBankDetails permission (CEO role) can view complete bank account information.
Authentication
This endpoint requires authentication via JWT token. The user’s role determines what level of detail is returned:
- Authorized (CEO): Full bank details including complete sort code and account number
- Unauthorized: Masked bank details showing only last 2 digits of sort code and last 3 digits of account number
Authorization
Required Permission: viewFullBankDetails
Allowed Roles: CEO (Chief Executive Officer)
Users without the required role can still access the endpoint but will receive masked bank details. See response examples below for details.
Request
The identifier for the local authority. This is URL-encoded in the request path.
Example Request
curl -X GET 'http://localhost:3001/bank-details/LA12345' \
-H 'Authorization: Bearer YOUR_JWT_TOKEN' \
-H 'Content-Type: application/json'
Response
Success Response (200 OK)
Authorized User (Full Details)
The name on the bank account
The full 6-digit sort code (e.g., “12-34-56”)
The full 8-digit account number
The local authority identifier
Whether the bank details have been confirmed
Job reference or JPP identifier
The organization identifier
Example Response (Authorized)
{
"accountName": "City Council Finance",
"sortCode": "12-34-56",
"accountNumber": "12345678",
"localAuthority": "LA12345",
"confirmed": true,
"jpp": "JPP-2024-001",
"organizationId": "ORG123"
}
Unauthorized User (Masked Details)
Example Response (Unauthorized)
{
"accountName": "City Council Finance",
"sortCode": "ending with 56",
"accountNumber": "ending with 678",
"localAuthority": "LA12345",
"confirmed": true,
"jpp": "JPP-2024-001",
"organizationId": "ORG123"
}
Error Responses
500 Internal Server Error
Returned when:
- The FSS API request fails
- Bank details decryption fails
- General server error occurs
Error type (“Internal Server Error”)
Error message (“Failed to fetch bank details” or “Failed to decrypt bank details”)
{
"statusCode": 500,
"error": "Internal Server Error",
"message": "Failed to fetch bank details"
}
Implementation Details
Encryption
Bank details are encrypted by the FSS (Financial Support System) API and stored encrypted. The backend decrypts them using AES-256 encryption with a key specified in the FSS_API_ENCRYPTION_KEY environment variable.
- Receives encrypted response data from FSS API
- Uses
fssEncryptionKey from configuration to decrypt
- Parses the decrypted JSON data
- Applies masking rules based on user authorization
Data Masking
For unauthorized users, the processBankDetails helper function masks sensitive information:
- Sort Code: Shows “ending with XX” (last 2 digits)
- Account Number: Shows “ending with XXX” (last 3 digits)
- Account Name: Visible to all users
- Other Fields: Visible to all users
Audit Logging
All requests to this endpoint are logged for audit purposes:
- Authorized Access: Logs
FullBankDetailsViewed action
- Unauthorized Access: Logs
MaskedBankDetailsViewed action
- Success/Failure: Records outcome and HTTP status code
External API Integration
The endpoint forwards requests to the FSS API:
- Base URL: Configured via
FSS_API_URL environment variable
- Endpoint:
/sn_gsm/bank_details/{localAuthority}
- Authentication: Uses
x-sn-apikey header with the API key from FSS_API_KEY
Source Code References
- Route definition: src/routes/bankDetails.js:7-17
- Handler implementation: src/handler/bankDetails/get.js:32-98
- Access control: src/plugins/access-control.js:4
- Configuration: src/config.js:147-163, 172-177