DEFRA · jbarnsley10 · Mar 5, 2026 · Feb 24, 2026 · Feb 24, 2026 · Feb 24, 2026
diff --git a/jest.setup.cjs b/jest.setup.cjs
@@ -19,3 +19,4 @@ process.env.SNS_SAVE_TOPIC_ARN =
 process.env.SNS_ADAPTER_TOPIC_ARN =
   'arn:aws:sns:eu-west-2:123456789012:test-adapter-topic'
 process.env.SNS_ENDPOINT = 'http://localhost:4566'
+process.env.PRIVATE_KEY_FOR_SECRETS = 'dummy-private-key'
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -46,8 +46,8 @@
   "license": "SEE LICENSE IN LICENSE",
   "dependencies": {
     "@aws-sdk/client-sns": "^3.997.0",
-    "@defra/forms-engine-plugin": "^4.0.60",
-    "@defra/forms-model": "^3.0.627",
+    "@defra/forms-engine-plugin": "^4.0.62",
+    "@defra/forms-model": "^3.0.629",
     "@defra/hapi-tracing": "^1.30.0",
     "@elastic/ecs-pino-format": "^1.5.0",
     "@hapi/boom": "^10.0.1",

diff --git a/src/config/index.ts b/src/config/index.ts
@@ -329,6 +329,14 @@ export const config = convict({
     nullable: false,
     default: 'defraforms@defra.gov.uk',
     env: 'FEEDBACK_VIA_EMAIL'
+  } as SchemaObj<string | undefined>,
+
+  privateKeyForSecrets: {
+    doc: 'The private key used to decrypt secret values',
+    format: String,
+    nullable: true,
+    default: undefined,
+    env: 'PRIVATE_KEY_FOR_SECRETS'
   } as SchemaObj<string | undefined>
 })
 

diff --git a/src/server/services/formsService.js b/src/server/services/formsService.js
@@ -2,6 +2,7 @@ import { FormStatus } from '@defra/forms-engine-plugin/types'
 import { formMetadataSchema } from '@defra/forms-model'
 
 import { config } from '~/src/config/index.js'
+import { decryptSecret } from '~/src/server/services/helpers/crypto.js'
 import { getJson, postJson } from '~/src/server/services/httpService.js'
 
 const managerUrl = config.get('managerUrl')
@@ -111,6 +112,21 @@ export async function validateSaveAndExitCredentials(
   return results
 }
 
+/**
+ * Retrieves a form secret and decrypts the value
+ * @param {string} formId - the id of the form
+ * @param {string} secretName - the name of the secret
+ */
+export async function getFormSecret(formId, secretName) {
+  const response = await fetch(
+    `${managerUrl}/forms/${formId}/secrets/${secretName}`
+  )
+  if (response.statusText !== 'OK') {
+    return ''
+  }
+  return decryptSecret(await response.text())
+}
+
 /**
  * @import { FormDefinition, FormMetadata } from '@defra/forms-model'
  * @import { SaveAndExitDetails, SaveAndExitResumeDetails } from '~/src/server/types.js'

diff --git a/src/server/services/formsService.test.js b/src/server/services/formsService.test.js
@@ -5,6 +5,7 @@ import {
   getFormDefinition,
   getFormMetadata,
   getFormMetadataById,
+  getFormSecret,
   getSaveAndExitDetails,
   validateSaveAndExitCredentials
 } from '~/src/server/services/formsService.js'
@@ -16,6 +17,10 @@ const { MANAGER_URL, SUBMISSION_URL } = process.env
 const magicLinkId = '7ac201b2-bea3-490d-8ccb-2734b2794f7b'
 
 jest.mock('~/src/server/services/httpService')
+jest.mock('node:crypto', () => ({
+  ...jest.requireActual('node:crypto'),
+  privateDecrypt: () => 'decrypted-secret'
+}))
 
 describe('Forms service', () => {
   const { definition, metadata } = fixtures.form
@@ -60,6 +65,19 @@ describe('Forms service', () => {
         updatedAt: expect.any(Date)
       })
     })
+
+    it('throws when validation error', async () => {
+      jest.mocked(getJson).mockResolvedValue({
+        res: /** @type {IncomingMessage} */ ({
+          statusCode: StatusCodes.OK
+        }),
+        payload: { invalid: '123' }
+      })
+
+      await expect(() => getFormMetadata(metadata.slug)).rejects.toThrow(
+        '"title" is required'
+      )
+    })
   })
 
   describe('getFormMetadataById', () => {
@@ -102,6 +120,19 @@ describe('Forms service', () => {
         updatedAt: expect.any(Date)
       })
     })
+
+    it('throws when validation error', async () => {
+      jest.mocked(getJson).mockResolvedValue({
+        res: /** @type {IncomingMessage} */ ({
+          statusCode: StatusCodes.OK
+        }),
+        payload: { invalid: '123' }
+      })
+
+      await expect(() => getFormMetadataById(metadata.id)).rejects.toThrow(
+        '"title" is required'
+      )
+    })
   })
 
   describe('getFormDefinition', () => {
@@ -168,6 +199,59 @@ describe('Forms service', () => {
         { payload: { securityAnswer: 'answer' } }
       )
     })
+
+    it('throws if no results', async () => {
+      // @ts-expect-error - partial mock of payload
+      jest.mocked(postJson).mockResolvedValue({
+        res: /** @type {IncomingMessage} */ ({
+          statusCode: StatusCodes.OK
+        }),
+        payload: undefined
+      })
+
+      await expect(() =>
+        validateSaveAndExitCredentials(magicLinkId, 'answer')
+      ).rejects.toThrow(
+        'Unexpected empty response in validateSaveAndExitCredentials'
+      )
+    })
+  })
+
+  describe('getFormSecret', () => {
+    beforeEach(() => {
+      // @ts-expect-error - mock fetch
+      global.fetch = jest.fn(() =>
+        Promise.resolve({
+          text: () => Promise.resolve('secret-value'),
+          statusText: 'OK'
+        })
+      )
+    })
+
+    it('calls correct url', async () => {
+      const res = await getFormSecret(metadata.id, 'secret-name')
+
+      expect(fetch).toHaveBeenCalledWith(
+        `${MANAGER_URL}/forms/${metadata.id}/secrets/secret-name`
+      )
+      expect(res).toBe('decrypted-secret')
+    })
+
+    it('handles missing secret', async () => {
+      // @ts-expect-error - mock fetch
+      global.fetch = jest.fn(() =>
+        Promise.resolve({
+          text: () => Promise.resolve('secret-value'),
+          statusText: 'Error'
+        })
+      )
+      const res = await getFormSecret(metadata.id, 'secret-name')
+
+      expect(fetch).toHaveBeenCalledWith(
+        `${MANAGER_URL}/forms/${metadata.id}/secrets/secret-name`
+      )
+      expect(res).toBe('')
+    })
   })
 })
 

diff --git a/src/server/services/helpers/crypto.js b/src/server/services/helpers/crypto.js
@@ -0,0 +1,17 @@
+import crypto from 'node:crypto'
+
+import { config } from '~/src/config/index.js'
+
+/**
+ * @param {string} secretValue - cleartext secret value
+ * @returns {string} base64-encoded result
+ */
+export function decryptSecret(secretValue) {
+  const privateKey = config.get('privateKeyForSecrets')
+  if (!privateKey) {
+    throw new Error('Private key is missing')
+  }
+  const buffer = Buffer.from(secretValue, 'base64')
+  const decrypted = crypto.privateDecrypt(privateKey, buffer)
+  return decrypted.toString()
+}
diff --git a/src/server/services/helpers/crypto.test.js b/src/server/services/helpers/crypto.test.js
@@ -0,0 +1,36 @@
+import { config } from '~/src/config/index.js'
+import { decryptSecret } from '~/src/server/services/helpers/crypto.js'
+
+jest.mock('~/src/config/index.ts', () => ({
+  config: {
+    get: jest.fn((key) => {
+      if (key === 'privateKeyForSecrets') return 'abcdef'
+      return 'mock-value'
+    })
+  }
+}))
+jest.mock('node:crypto', () => ({
+  privateDecrypt: () => 'decrypted-secret'
+}))
+
+describe('crypto helpers', () => {
+  describe('decryptSecret', () => {
+    it('should throw is private key is missing', () => {
+      jest.mocked(config.get).mockImplementationOnce((key) => {
+        if (key === 'privateKeyForSecrets') return undefined
+        return 'mock-value'
+      })
+      expect(() => decryptSecret('some-string')).toThrow(
+        'Private key is missing'
+      )
+    })
+
+    it('should return decrypted value', () => {
+      jest.mocked(config.get).mockImplementationOnce((key) => {
+        if (key === 'privateKeyForSecrets') return 'private-key'
+        return 'mock-value'
+      })
+      expect(decryptSecret('some-string')).toBe('decrypted-secret')
+    })
+  })
+})