feature: Secure form submissions

[Dashue]

Description

Introduce a n extensible pattern for secure form submissions

Context

The ability to have APIM hosted form submission handling backends have been requested for a long time.
This work aims to resolve this

Changes

• Webhook service takes additional headers
• StatusService provides additional headers to webhook service
• Introduces an extensible form security pattern (Single FormSecurityService and per form SecureFormSubmissionService)
• Moving the current KLS security approach into the new FormSecurityService

Type of change

What is the type of change you are making?

• Chore or documentation (non-breaking change that does not add functionality)
• ADR (Architectural Decision Record, non-breaking change that documents or proposes a decision)
• Refactor (non-breaking change that improves code quality)
• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

PR title

Have you updated the PR title to match the type of change you are making?

• Yes
• No, I need help or guidance

Testing

Automated tests

Have you added automated tests?

• Yes, unit or integration tests
• Yes, end-to-end (cypress) tests
• No, tests are not required for this change
• No, I need help or guidance
• No (manually verified KLS, each team will verify their own APIM security)

Manual tests

Have you manually tested your changes?

• Yes
• No, manual tests are not required or sufficiently covered by automated tests

Have you attached an example form JSON or snippet for the reviewer in this PR?

• Yes
• No, any existing form can be used
• No, it is not required or not applicable

Steps to test

1. Configure your form security
2. Verify form security is applied and accepted by the backend for successful form submission

Documentation

Have you updated the documentation?

• Yes, I have updated ./docs for this change since additional explanation or steps to use/configure the feature is required
• Yes, I have added or updated an ADR for this change since it is large, complex, or has significant architectural implications
• Yes, I have added inline comments for hard-to-understand areas
• No, I am not sure if documentation is required
• No, documentation is not required for this change

Discussion

• Yes, I have discussed this change with the maintainers on slack, email or via GitHub issues
• Yes, this change is an ADR to help kick-off discussion
• No, this change is small and does not require discussion
• No, I am not sure if one is required