Restrict certificates route to Grover middleware

Grover turns the html output of the certificates#show action into a PDF response, but we don't want to expose HTML format as a valid response. So limit the route to Grover middleware requests.
DFE-Digital · Apr 11, 2024 · a2a9411 · a2a9411
1 parent c955191
commit a2a9411
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/config/routes/aytq.rb b/config/routes/aytq.rb
@@ -14,7 +14,9 @@
 
   resource :start, only: [:show]
 
-  resources :certificates, only: [:show]
+  resources :certificates, only: [:show],
+    constraints: ->(req) { req.env["Rack-Middleware-Grover"] == "true" }
+
   resource :identity_user, only: [:show]
   resource :npq_certificate, only: [:show]