Allow console access for FTE globar role (#2419)

2026-01-06 05:27:13 +00:00 · 2024-05-01 12:19:29 -04:00
parent e791608098
commit 570618705e
19 changed files with 294 additions and 290 deletions
--- a/console-webapp/.gitignore
+++ b/console-webapp/.gitignore
@@ -36,6 +36,7 @@ yarn-error.log
 /libpeerconnection.log
 testem.log
 /typings
 .nx/
 # System files
 .DS_Store
--- a/console-webapp/src/app/shared/services/backend.service.ts
+++ b/console-webapp/src/app/shared/services/backend.service.ts
@@ -33,6 +33,11 @@ export class BackendService {
    error: HttpErrorResponse,
    mockData?: Type
  ): Observable<Type> {
    // This is a temporary redirect to the old console untill the new console
    // is fully released and enabled
    if (error.url && window.location.href.indexOf(error.url) < 0) {
      window.location.href = error.url;
    }
    if (error.error instanceof Error) {
      // A client-side or network error occurred. Handle it accordingly.
      console.error('An error occurred:', error.error.message);
--- a/core/src/main/java/google/registry/request/Response.java
+++ b/core/src/main/java/google/registry/request/Response.java
@@ -28,6 +28,8 @@ import org.joda.time.DateTime;
 */
 public interface Response {
  void sendRedirect(String url) throws IOException;
  /** Sets the HTTP status code. */
  void setStatus(int status);
--- a/core/src/main/java/google/registry/request/ResponseImpl.java
+++ b/core/src/main/java/google/registry/request/ResponseImpl.java
@@ -32,6 +32,11 @@ public final class ResponseImpl implements Response {
    this.rsp = rsp;
  }
  @Override
  public void sendRedirect(String url) throws IOException {
    rsp.sendRedirect(url);
  }
  @Override
  public void setStatus(int status) {
    rsp.setStatus(status);
--- a/core/src/main/java/google/registry/ui/server/console/ConsoleApiAction.java
+++ b/core/src/main/java/google/registry/ui/server/console/ConsoleApiAction.java
@@ -17,10 +17,15 @@ package google.registry.ui.server.console;
 import static google.registry.request.Action.Method.GET;
 import com.google.api.client.http.HttpStatusCodes;
 import google.registry.model.console.GlobalRole;
 import google.registry.model.console.User;
 import google.registry.request.auth.AuthResult;
 import google.registry.security.XsrfTokenManager;
 import google.registry.ui.server.registrar.ConsoleApiParams;
 import google.registry.ui.server.registrar.ConsoleUiAction;
 import google.registry.util.RegistryEnvironment;
 import jakarta.servlet.http.Cookie;
 import java.io.IOException;
 import java.util.Arrays;
 import java.util.Optional;
@@ -35,11 +40,26 @@ public abstract class ConsoleApiAction implements Runnable {
  @Override
  public final void run() {
    // Shouldn't be even possible because of Auth annotations on the various implementing classes
-    if (consoleApiParams.authResult().userAuthInfo().get().consoleUser().isEmpty()) {
+    AuthResult authResult = consoleApiParams.authResult();
    if (authResult.userAuthInfo().isEmpty()
        || authResult.userAuthInfo().get().consoleUser().isEmpty()) {
      consoleApiParams.response().setStatus(HttpStatusCodes.STATUS_CODE_UNAUTHORIZED);
      return;
    }
    User user = consoleApiParams.authResult().userAuthInfo().get().consoleUser().get();
    // This allows us to enable console to a selected cohort of users with release
    // We can ignore it in tests
    if (RegistryEnvironment.get() != RegistryEnvironment.UNITTEST
        && !GlobalRole.FTE.equals(user.getUserRoles().getGlobalRole())) {
      try {
        consoleApiParams.response().sendRedirect(ConsoleUiAction.PATH);
        return;
      } catch (IOException e) {
        throw new RuntimeException(e);
      }
    }
    if (consoleApiParams.request().getMethod().equals(GET.toString())) {
      getHandler(user);
    } else {
@@ -75,4 +95,5 @@ public abstract class ConsoleApiAction implements Runnable {
    }
    return true;
  }
 }
--- a/core/src/main/java/google/registry/ui/server/console/ConsoleDomainGetAction.java
+++ b/core/src/main/java/google/registry/ui/server/console/ConsoleDomainGetAction.java
@@ -24,11 +24,8 @@ import google.registry.model.console.User;
 import google.registry.model.domain.Domain;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
-import google.registry.request.auth.AuthResult;
+import google.registry.ui.server.registrar.ConsoleApiParams;
 import google.registry.request.auth.UserAuthInfo;
 import google.registry.ui.server.registrar.JsonGetAction;
 import java.util.Optional;
 import javax.inject.Inject;
@@ -37,55 +34,41 @@ import javax.inject.Inject;
    service = Action.Service.DEFAULT,
    path = ConsoleDomainGetAction.PATH,
    auth = Auth.AUTH_PUBLIC_LOGGED_IN)
-public class ConsoleDomainGetAction implements JsonGetAction {
+public class ConsoleDomainGetAction extends ConsoleApiAction {
  public static final String PATH = "/console-api/domain";
  private final AuthResult authResult;
  private final Response response;
  private final Gson gson;
  private final String paramDomain;
  @Inject
  public ConsoleDomainGetAction(
-      AuthResult authResult,
+      ConsoleApiParams consoleApiParams,
      Response response,
      Gson gson,
      @Parameter("consoleDomain") String paramDomain) {
-    this.authResult = authResult;
+    super(consoleApiParams);
    this.response = response;
    this.gson = gson;
    this.paramDomain = paramDomain;
    this.gson = gson;
  }
  @Override
-  public void run() {
+  protected void getHandler(User user) {
    if (!authResult.isAuthenticated() || authResult.userAuthInfo().isEmpty()) {
      response.setStatus(HttpStatusCodes.STATUS_CODE_UNAUTHORIZED);
      return;
    }
    UserAuthInfo authInfo = authResult.userAuthInfo().get();
    if (authInfo.consoleUser().isEmpty()) {
      response.setStatus(HttpStatusCodes.STATUS_CODE_UNAUTHORIZED);
      return;
    }
    User user = authInfo.consoleUser().get();
    Optional<Domain> possibleDomain =
        tm().transact(
                () ->
                    EppResourceUtils.loadByForeignKeyCached(
                        Domain.class, paramDomain, tm().getTransactionTime()));
    if (possibleDomain.isEmpty()) {
-      response.setStatus(HttpStatusCodes.STATUS_CODE_NOT_FOUND);
+      consoleApiParams.response().setStatus(HttpStatusCodes.STATUS_CODE_NOT_FOUND);
      return;
    }
    Domain domain = possibleDomain.get();
    if (!user.getUserRoles()
        .hasPermission(domain.getCurrentSponsorRegistrarId(), ConsolePermission.DOWNLOAD_DOMAINS)) {
-      response.setStatus(HttpStatusCodes.STATUS_CODE_NOT_FOUND);
+      consoleApiParams.response().setStatus(HttpStatusCodes.STATUS_CODE_NOT_FOUND);
      return;
    }
-    response.setStatus(HttpStatusCodes.STATUS_CODE_OK);
+    consoleApiParams.response().setStatus(HttpStatusCodes.STATUS_CODE_OK);
-    response.setPayload(gson.toJson(domain));
+    consoleApiParams.response().setPayload(gson.toJson(domain));
  }
 }
--- a/core/src/main/java/google/registry/ui/server/console/ConsoleDomainListAction.java
+++ b/core/src/main/java/google/registry/ui/server/console/ConsoleDomainListAction.java
@@ -27,10 +27,8 @@ import google.registry.model.console.User;
 import google.registry.model.domain.Domain;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
-import google.registry.request.auth.AuthResult;
+import google.registry.ui.server.registrar.ConsoleApiParams;
 import google.registry.ui.server.registrar.JsonGetAction;
 import java.util.List;
 import java.util.Optional;
 import javax.inject.Inject;
@@ -43,7 +41,7 @@ import org.joda.time.DateTime;
    path = ConsoleDomainListAction.PATH,
    method = Action.Method.GET,
    auth = Auth.AUTH_PUBLIC_LOGGED_IN)
-public class ConsoleDomainListAction implements JsonGetAction {
+public class ConsoleDomainListAction extends ConsoleApiAction {
  public static final String PATH = "/console-api/domain-list";
@@ -54,8 +52,6 @@ public class ConsoleDomainListAction implements JsonGetAction {
  private static final String SEARCH_TERM_QUERY = " AND LOWER(domainName) LIKE :searchTerm";
  private static final String ORDER_BY_STATEMENT = " ORDER BY creationTime DESC";
  private final AuthResult authResult;
  private final Response response;
  private final Gson gson;
  private final String registrarId;
  private final Optional<DateTime> checkpointTime;
@@ -66,8 +62,7 @@ public class ConsoleDomainListAction implements JsonGetAction {
  @Inject
  public ConsoleDomainListAction(
-      AuthResult authResult,
+      ConsoleApiParams consoleApiParams,
      Response response,
      Gson gson,
      @Parameter("registrarId") String registrarId,
      @Parameter("checkpointTime") Optional<DateTime> checkpointTime,
@@ -75,8 +70,7 @@ public class ConsoleDomainListAction implements JsonGetAction {
      @Parameter("resultsPerPage") Optional<Integer> resultsPerPage,
      @Parameter("totalResults") Optional<Long> totalResults,
      @Parameter("searchTerm") Optional<String> searchTerm) {
-    this.authResult = authResult;
+    super(consoleApiParams);
    this.response = response;
    this.gson = gson;
    this.registrarId = registrarId;
    this.checkpointTime = checkpointTime;
@@ -87,19 +81,20 @@ public class ConsoleDomainListAction implements JsonGetAction {
  }
  @Override
-  public void run() {
+  protected void getHandler(User user) {
    User user = authResult.userAuthInfo().get().consoleUser().get();
    if (!user.getUserRoles().hasPermission(registrarId, DOWNLOAD_DOMAINS)) {
-      response.setStatus(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
+      consoleApiParams.response().setStatus(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
      return;
    }
    if (resultsPerPage < 1 || resultsPerPage > 500) {
-      writeBadRequest("Results per page must be between 1 and 500 inclusive");
+      setFailedResponse(
          "Results per page must be between 1 and 500 inclusive",
          HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
      return;
    }
    if (pageNumber < 0) {
-      writeBadRequest("Page number must be non-negative");
+      setFailedResponse(
          "Page number must be non-negative", HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
      return;
    }
@@ -130,8 +125,10 @@ public class ConsoleDomainListAction implements JsonGetAction {
            .setFirstResult(numResultsToSkip)
            .setMaxResults(resultsPerPage)
            .getResultList();
-    response.setPayload(gson.toJson(new DomainListResult(domains, checkpoint, actualTotalResults)));
+    consoleApiParams
-    response.setStatus(HttpStatusCodes.STATUS_CODE_OK);
+        .response()
        .setPayload(gson.toJson(new DomainListResult(domains, checkpoint, actualTotalResults)));
    consoleApiParams.response().setStatus(HttpStatusCodes.STATUS_CODE_OK);
  }
  /** Creates the query to get the total number of matching domains, interpolating as necessary. */
@@ -154,11 +151,6 @@ public class ConsoleDomainListAction implements JsonGetAction {
    return tm().query(DOMAIN_QUERY_TEMPLATE + ORDER_BY_STATEMENT, Domain.class);
  }
  private void writeBadRequest(String message) {
    response.setPayload(message);
    response.setStatus(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
  }
  /** Container result class that allows for pagination. */
  @VisibleForTesting
  static final class DomainListResult {
--- a/core/src/main/java/google/registry/ui/server/console/RegistrarsAction.java
+++ b/core/src/main/java/google/registry/ui/server/console/RegistrarsAction.java
@@ -31,12 +31,9 @@ import google.registry.model.registrar.RegistrarBase.State;
 import google.registry.model.registrar.RegistrarPoc;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
-import google.registry.request.auth.AuthResult;
+import google.registry.ui.server.registrar.ConsoleApiParams;
 import google.registry.ui.server.registrar.JsonGetAction;
 import google.registry.util.StringGenerator;
 import jakarta.servlet.http.HttpServletRequest;
 import java.util.Optional;
 import javax.inject.Inject;
 import javax.inject.Named;
@@ -46,50 +43,33 @@ import javax.inject.Named;
    path = RegistrarsAction.PATH,
    method = {GET, POST},
    auth = Auth.AUTH_PUBLIC_LOGGED_IN)
-public class RegistrarsAction implements JsonGetAction {
+public class RegistrarsAction extends ConsoleApiAction {
  private static final int PASSWORD_LENGTH = 16;
  private static final int PASSCODE_LENGTH = 5;
  static final String PATH = "/console-api/registrars";
  private final AuthResult authResult;
  private final Response response;
  private final Gson gson;
  private final HttpServletRequest req;
  private Optional<Registrar> registrar;
  private StringGenerator passwordGenerator;
  private StringGenerator passcodeGenerator;
  @Inject
  public RegistrarsAction(
-      HttpServletRequest req,
+      ConsoleApiParams consoleApiParams,
      AuthResult authResult,
      Response response,
      Gson gson,
      @Parameter("registrar") Optional<Registrar> registrar,
      @Named("base58StringGenerator") StringGenerator passwordGenerator,
      @Named("digitOnlyStringGenerator") StringGenerator passcodeGenerator) {
-    this.authResult = authResult;
+    super(consoleApiParams);
    this.response = response;
    this.gson = gson;
    this.registrar = registrar;
    this.req = req;
    this.passcodeGenerator = passcodeGenerator;
    this.passwordGenerator = passwordGenerator;
  }
  @Override
-  public void run() {
+  protected void getHandler(User user) {
    User user = authResult.userAuthInfo().get().consoleUser().get();
    if (req.getMethod().equals(GET.toString())) {
      getHandler(user);
    } else {
      postHandler(user);
    }
  }
  private void getHandler(User user) {
    if (!user.getUserRoles().hasGlobalPermission(ConsolePermission.VIEW_REGISTRARS)) {
-      response.setStatus(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
+      consoleApiParams.response().setStatus(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
      return;
    }
    ImmutableList<Registrar> registrars =
@@ -97,19 +77,20 @@ public class RegistrarsAction implements JsonGetAction {
            .filter(r -> r.getType() == Registrar.Type.REAL)
            .collect(ImmutableList.toImmutableList());
-    response.setPayload(gson.toJson(registrars));
+    consoleApiParams.response().setPayload(gson.toJson(registrars));
-    response.setStatus(HttpStatusCodes.STATUS_CODE_OK);
+    consoleApiParams.response().setStatus(HttpStatusCodes.STATUS_CODE_OK);
  }
-  private void postHandler(User user) {
+  @Override
  protected void postHandler(User user) {
    if (!user.getUserRoles().isAdmin()) {
-      response.setStatus(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
+      consoleApiParams.response().setStatus(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
      return;
    }
    if (registrar.isEmpty()) {
-      response.setStatus(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
+      consoleApiParams.response().setStatus(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
-      response.setPayload(gson.toJson("'registrar' parameter is not present"));
+      consoleApiParams.response().setPayload(gson.toJson("'registrar' parameter is not present"));
      return;
    }
@@ -171,11 +152,9 @@ public class RegistrarsAction implements JsonGetAction {
              });
    } catch (IllegalArgumentException e) {
-      response.setStatus(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
+      setFailedResponse(e.getMessage(), HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
      response.setPayload(gson.toJson(e.getMessage()));
    } catch (Throwable e) {
-      response.setStatus(HttpStatusCodes.STATUS_CODE_SERVER_ERROR);
+      setFailedResponse(e.getMessage(), HttpStatusCodes.STATUS_CODE_SERVER_ERROR);
      response.setPayload(gson.toJson(e.getMessage()));
    }
  }
 }
--- a/core/src/main/java/google/registry/ui/server/console/settings/ContactAction.java
+++ b/core/src/main/java/google/registry/ui/server/console/settings/ContactAction.java
@@ -31,13 +31,11 @@ import google.registry.model.registrar.RegistrarPoc;
 import google.registry.persistence.transaction.QueryComposer.Comparator;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.request.auth.AuthResult;
 import google.registry.ui.forms.FormException;
-import google.registry.ui.server.registrar.JsonGetAction;
+import google.registry.ui.server.console.ConsoleApiAction;
 import google.registry.ui.server.registrar.ConsoleApiParams;
 import google.registry.ui.server.registrar.RegistrarSettingsAction;
 import jakarta.servlet.http.HttpServletRequest;
 import java.util.Collections;
 import java.util.Optional;
 import javax.inject.Inject;
@@ -47,45 +45,29 @@ import javax.inject.Inject;
    path = ContactAction.PATH,
    method = {GET, POST},
    auth = Auth.AUTH_PUBLIC_LOGGED_IN)
-public class ContactAction implements JsonGetAction {
+public class ContactAction extends ConsoleApiAction {
  static final String PATH = "/console-api/settings/contacts";
  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
  private final HttpServletRequest req;
  private final AuthResult authResult;
  private final Response response;
  private final Gson gson;
  private final Optional<ImmutableSet<RegistrarPoc>> contacts;
  private final String registrarId;
  @Inject
  public ContactAction(
-      HttpServletRequest req,
+      ConsoleApiParams consoleApiParams,
      AuthResult authResult,
      Response response,
      Gson gson,
      @Parameter("registrarId") String registrarId,
      @Parameter("contacts") Optional<ImmutableSet<RegistrarPoc>> contacts) {
-    this.authResult = authResult;
+    super(consoleApiParams);
    this.response = response;
    this.gson = gson;
    this.registrarId = registrarId;
    this.contacts = contacts;
    this.req = req;
  }
  @Override
-  public void run() {
+  protected void getHandler(User user) {
    User user = authResult.userAuthInfo().get().consoleUser().get();
    if (req.getMethod().equals(GET.toString())) {
      getHandler(user);
    } else {
      postHandler(user);
    }
  }
  private void getHandler(User user) {
    if (!user.getUserRoles().hasPermission(registrarId, ConsolePermission.VIEW_REGISTRAR_DETAILS)) {
-      response.setStatus(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
+      consoleApiParams.response().setStatus(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
      return;
    }
@@ -99,19 +81,20 @@ public class ContactAction implements JsonGetAction {
                        .filter(r -> !r.getTypes().isEmpty())
                        .collect(toImmutableList()));
-    response.setStatus(HttpStatusCodes.STATUS_CODE_OK);
+    consoleApiParams.response().setStatus(HttpStatusCodes.STATUS_CODE_OK);
-    response.setPayload(gson.toJson(am));
+    consoleApiParams.response().setPayload(gson.toJson(am));
  }
-  private void postHandler(User user) {
+  @Override
  protected void postHandler(User user) {
    if (!user.getUserRoles().hasPermission(registrarId, ConsolePermission.EDIT_REGISTRAR_DETAILS)) {
-      response.setStatus(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
+      consoleApiParams.response().setStatus(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
      return;
    }
    if (contacts.isEmpty()) {
-      response.setStatus(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
+      consoleApiParams.response().setStatus(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
-      response.setPayload(gson.toJson("Contacts parameter is not present"));
+      consoleApiParams.response().setPayload(gson.toJson("Contacts parameter is not present"));
      return;
    }
@@ -137,12 +120,12 @@ public class ContactAction implements JsonGetAction {
    } catch (FormException e) {
      logger.atWarning().withCause(e).log(
          "Error processing contacts post request for registrar: %s", registrarId);
-      response.setStatus(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
+      consoleApiParams.response().setStatus(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
-      response.setPayload(e.getMessage());
+      consoleApiParams.response().setPayload(e.getMessage());
      return;
    }
    RegistrarPoc.updateContacts(registrar, updatedContacts);
-    response.setStatus(HttpStatusCodes.STATUS_CODE_OK);
+    consoleApiParams.response().setStatus(HttpStatusCodes.STATUS_CODE_OK);
  }
 }
--- a/core/src/main/java/google/registry/ui/server/console/settings/SecurityAction.java
+++ b/core/src/main/java/google/registry/ui/server/console/settings/SecurityAction.java
@@ -18,7 +18,6 @@ import static google.registry.persistence.transaction.TransactionManagerFactory.
 import static google.registry.request.Action.Method.POST;
 import com.google.api.client.http.HttpStatusCodes;
 import com.google.gson.Gson;
 import google.registry.flows.certs.CertificateChecker;
 import google.registry.flows.certs.CertificateChecker.InsecureCertificateException;
 import google.registry.model.console.ConsolePermission;
@@ -26,12 +25,11 @@ import google.registry.model.console.User;
 import google.registry.model.registrar.Registrar;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.request.auth.AuthResult;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor.RegistrarAccessDeniedException;
-import google.registry.ui.server.registrar.JsonGetAction;
+import google.registry.ui.server.console.ConsoleApiAction;
 import google.registry.ui.server.registrar.ConsoleApiParams;
 import java.util.Optional;
 import javax.inject.Inject;
@@ -40,12 +38,9 @@ import javax.inject.Inject;
    path = SecurityAction.PATH,
    method = {POST},
    auth = Auth.AUTH_PUBLIC_LOGGED_IN)
-public class SecurityAction implements JsonGetAction {
+public class SecurityAction extends ConsoleApiAction {
  static final String PATH = "/console-api/settings/security";
  private final AuthResult authResult;
  private final Response response;
  private final Gson gson;
  private final String registrarId;
  private final AuthenticatedRegistrarAccessor registrarAccessor;
  private final Optional<Registrar> registrar;
@@ -53,16 +48,12 @@ public class SecurityAction implements JsonGetAction {
  @Inject
  public SecurityAction(
-      AuthResult authResult,
+      ConsoleApiParams consoleApiParams,
      Response response,
      Gson gson,
      CertificateChecker certificateChecker,
      AuthenticatedRegistrarAccessor registrarAccessor,
      @Parameter("registrarId") String registrarId,
      @Parameter("registrar") Optional<Registrar> registrar) {
-    this.authResult = authResult;
+    super(consoleApiParams);
    this.response = response;
    this.gson = gson;
    this.registrarId = registrarId;
    this.registrarAccessor = registrarAccessor;
    this.registrar = registrar;
@@ -70,16 +61,15 @@ public class SecurityAction implements JsonGetAction {
  }
  @Override
-  public void run() {
+  protected void postHandler(User user) {
    User user = authResult.userAuthInfo().get().consoleUser().get();
    if (!user.getUserRoles().hasPermission(registrarId, ConsolePermission.EDIT_REGISTRAR_DETAILS)) {
-      response.setStatus(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
+      consoleApiParams.response().setStatus(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
      return;
    }
    if (registrar.isEmpty()) {
-      response.setStatus(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
+      setFailedResponse(
-      response.setPayload(gson.toJson("'registrar' parameter is not present"));
+          "'registrar' parameter is not present", HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
      return;
    }
@@ -87,8 +77,7 @@ public class SecurityAction implements JsonGetAction {
    try {
      savedRegistrar = registrarAccessor.getRegistrar(registrarId);
    } catch (RegistrarAccessDeniedException e) {
-      response.setStatus(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
+      setFailedResponse(e.getMessage(), HttpStatusCodes.STATUS_CODE_FORBIDDEN);
      response.setPayload(e.getMessage());
      return;
    }
@@ -122,12 +111,12 @@ public class SecurityAction implements JsonGetAction {
        }
      }
    } catch (InsecureCertificateException e) {
-      response.setStatus(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
+      setFailedResponse(
-      response.setPayload("Invalid certificate in parameter");
+          "Invalid certificate in parameter", HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
      return;
    }
    tm().put(updatedRegistrar.build());
-    response.setStatus(HttpStatusCodes.STATUS_CODE_OK);
+    consoleApiParams.response().setStatus(HttpStatusCodes.STATUS_CODE_OK);
  }
 }
--- a/core/src/main/java/google/registry/ui/server/console/settings/WhoisRegistrarFieldsAction.java
+++ b/core/src/main/java/google/registry/ui/server/console/settings/WhoisRegistrarFieldsAction.java
@@ -18,18 +18,16 @@ import static google.registry.persistence.transaction.TransactionManagerFactory.
 import static google.registry.request.Action.Method.POST;
 import com.google.api.client.http.HttpStatusCodes;
 import com.google.gson.Gson;
 import google.registry.model.console.ConsolePermission;
 import google.registry.model.console.User;
 import google.registry.model.registrar.Registrar;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.request.auth.AuthResult;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor.RegistrarAccessDeniedException;
-import google.registry.ui.server.registrar.JsonGetAction;
+import google.registry.ui.server.console.ConsoleApiAction;
 import google.registry.ui.server.registrar.ConsoleApiParams;
 import java.util.Optional;
 import javax.inject.Inject;
@@ -44,42 +42,34 @@ import javax.inject.Inject;
    path = WhoisRegistrarFieldsAction.PATH,
    method = {POST},
    auth = Auth.AUTH_PUBLIC_LOGGED_IN)
-public class WhoisRegistrarFieldsAction implements JsonGetAction {
+public class WhoisRegistrarFieldsAction extends ConsoleApiAction {
  static final String PATH = "/console-api/settings/whois-fields";
  private final AuthResult authResult;
  private final Response response;
  private final Gson gson;
  private AuthenticatedRegistrarAccessor registrarAccessor;
  private Optional<Registrar> registrar;
  @Inject
  public WhoisRegistrarFieldsAction(
-      AuthResult authResult,
+      ConsoleApiParams consoleApiParams,
      Response response,
      Gson gson,
      AuthenticatedRegistrarAccessor registrarAccessor,
      @Parameter("registrar") Optional<Registrar> registrar) {
-    this.authResult = authResult;
+    super(consoleApiParams);
    this.response = response;
    this.gson = gson;
    this.registrarAccessor = registrarAccessor;
    this.registrar = registrar;
  }
  @Override
-  public void run() {
+  protected void postHandler(User user) {
    if (registrar.isEmpty()) {
-      response.setStatus(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
+      setFailedResponse(
-      response.setPayload(gson.toJson("'registrar' parameter is not present"));
+          "'registrar' parameter is not present", HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
      return;
    }
    User user = authResult.userAuthInfo().get().consoleUser().get();
    if (!user.getUserRoles()
        .hasPermission(
            registrar.get().getRegistrarId(), ConsolePermission.EDIT_REGISTRAR_DETAILS)) {
-      response.setStatus(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
+      consoleApiParams.response().setStatus(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
      return;
    }
@@ -92,8 +82,8 @@ public class WhoisRegistrarFieldsAction implements JsonGetAction {
      // reload to make sure the object has all the correct fields
      savedRegistrar = registrarAccessor.getRegistrar(providedRegistrar.getRegistrarId());
    } catch (RegistrarAccessDeniedException e) {
-      response.setStatus(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
+      consoleApiParams.response().setStatus(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
-      response.setPayload(e.getMessage());
+      consoleApiParams.response().setPayload(e.getMessage());
      return;
    }
@@ -102,6 +92,6 @@ public class WhoisRegistrarFieldsAction implements JsonGetAction {
    newRegistrar.setUrl(providedRegistrar.getUrl());
    newRegistrar.setLocalizedAddress(providedRegistrar.getLocalizedAddress());
    tm().put(newRegistrar.build());
-    response.setStatus(HttpStatusCodes.STATUS_CODE_OK);
+    consoleApiParams.response().setStatus(HttpStatusCodes.STATUS_CODE_OK);
  }
 }
--- a/core/src/test/java/google/registry/testing/FakeResponse.java
+++ b/core/src/test/java/google/registry/testing/FakeResponse.java
@@ -67,6 +67,12 @@ public final class FakeResponse implements Response {
    return writer;
  }
  @Override
  public void sendRedirect(String url) throws IOException {
    status = 302;
    this.payload = String.format("Redirected to %s", url);
  }
  @Override
  public void setStatus(int status) {
    checkArgument(status >= 100);
--- a/core/src/test/java/google/registry/ui/server/console/ConsoleDomainGetActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/console/ConsoleDomainGetActionTest.java
@@ -17,6 +17,7 @@ package google.registry.ui.server.console;
 import static com.google.common.truth.Truth.assertThat;
 import static google.registry.testing.DatabaseHelper.createTld;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 import com.google.api.client.http.HttpStatusCodes;
 import com.google.common.collect.ImmutableMap;
@@ -25,11 +26,15 @@ import google.registry.model.console.RegistrarRole;
 import google.registry.model.console.User;
 import google.registry.model.console.UserRoles;
 import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.request.Action;
 import google.registry.request.RequestModule;
 import google.registry.request.auth.AuthResult;
 import google.registry.request.auth.UserAuthInfo;
 import google.registry.testing.DatabaseHelper;
 import google.registry.testing.FakeConsoleApiParams;
 import google.registry.testing.FakeResponse;
 import google.registry.ui.server.registrar.ConsoleApiParams;
 import java.util.Optional;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.RegisterExtension;
@@ -38,7 +43,7 @@ import org.junit.jupiter.api.extension.RegisterExtension;
 public class ConsoleDomainGetActionTest {
  private static final Gson GSON = RequestModule.provideGson();
-  private static final FakeResponse RESPONSE = new FakeResponse();
+  private ConsoleApiParams consoleApiParams;
  @RegisterExtension
  final JpaTestExtensions.JpaIntegrationTestExtension jpa =
@@ -63,8 +68,9 @@ public class ConsoleDomainGetActionTest {
                            .build()))),
            "exists.tld");
    action.run();
-    assertThat(RESPONSE.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
+    assertThat(((FakeResponse) consoleApiParams.response()).getStatus())
-    assertThat(RESPONSE.getPayload())
+        .isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
    assertThat(((FakeResponse) consoleApiParams.response()).getPayload())
        .isEqualTo(
            "{\"domainName\":\"exists.tld\",\"adminContact\":{\"key\":\"3-ROID\",\"kind\":"
                + "\"google.registry.model.contact.Contact\"},\"techContact\":{\"key\":\"3-ROID\","
@@ -82,7 +88,8 @@ public class ConsoleDomainGetActionTest {
  void testFailure_emptyAuth() {
    ConsoleDomainGetAction action = createAction(AuthResult.NOT_AUTHENTICATED, "exists.tld");
    action.run();
-    assertThat(RESPONSE.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_UNAUTHORIZED);
+    assertThat(((FakeResponse) consoleApiParams.response()).getStatus())
        .isEqualTo(HttpStatusCodes.STATUS_CODE_UNAUTHORIZED);
  }
  @Test
@@ -90,7 +97,8 @@ public class ConsoleDomainGetActionTest {
    ConsoleDomainGetAction action =
        createAction(AuthResult.createApp("service@registry.example"), "exists.tld");
    action.run();
-    assertThat(RESPONSE.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_UNAUTHORIZED);
+    assertThat(((FakeResponse) consoleApiParams.response()).getStatus())
        .isEqualTo(HttpStatusCodes.STATUS_CODE_UNAUTHORIZED);
  }
  @Test
@@ -101,7 +109,8 @@ public class ConsoleDomainGetActionTest {
                UserAuthInfo.create(mock(com.google.appengine.api.users.User.class), false)),
            "exists.tld");
    action.run();
-    assertThat(RESPONSE.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_UNAUTHORIZED);
+    assertThat(((FakeResponse) consoleApiParams.response()).getStatus())
        .isEqualTo(HttpStatusCodes.STATUS_CODE_UNAUTHORIZED);
  }
  @Test
@@ -111,7 +120,8 @@ public class ConsoleDomainGetActionTest {
            AuthResult.createUser(UserAuthInfo.create(createUser(new UserRoles.Builder().build()))),
            "exists.tld");
    action.run();
-    assertThat(RESPONSE.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_NOT_FOUND);
+    assertThat(((FakeResponse) consoleApiParams.response()).getStatus())
        .isEqualTo(HttpStatusCodes.STATUS_CODE_NOT_FOUND);
  }
  @Test
@@ -122,7 +132,8 @@ public class ConsoleDomainGetActionTest {
                UserAuthInfo.create(createUser(new UserRoles.Builder().setIsAdmin(true).build()))),
            "nonexistent.tld");
    action.run();
-    assertThat(RESPONSE.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_NOT_FOUND);
+    assertThat(((FakeResponse) consoleApiParams.response()).getStatus())
        .isEqualTo(HttpStatusCodes.STATUS_CODE_NOT_FOUND);
  }
  private User createUser(UserRoles userRoles) {
@@ -133,6 +144,8 @@ public class ConsoleDomainGetActionTest {
  }
  private ConsoleDomainGetAction createAction(AuthResult authResult, String domain) {
-    return new ConsoleDomainGetAction(authResult, RESPONSE, GSON, domain);
+    consoleApiParams = FakeConsoleApiParams.get(Optional.of(authResult));
    when(consoleApiParams.request().getMethod()).thenReturn(Action.Method.GET.toString());
    return new ConsoleDomainGetAction(consoleApiParams, GSON, domain);
  }
 }
--- a/core/src/test/java/google/registry/ui/server/console/ConsoleDomainListActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/console/ConsoleDomainListActionTest.java
@@ -20,6 +20,7 @@ import static google.registry.testing.DatabaseHelper.createAdminUser;
 import static google.registry.testing.DatabaseHelper.createTld;
 import static google.registry.testing.DatabaseHelper.persistActiveDomain;
 import static google.registry.testing.DatabaseHelper.persistDomainAsDeleted;
 import static org.mockito.Mockito.when;
 import com.google.api.client.http.HttpStatusCodes;
 import com.google.common.collect.Iterables;
@@ -27,13 +28,16 @@ import com.google.gson.Gson;
 import google.registry.model.EppResourceUtils;
 import google.registry.model.domain.Domain;
 import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.request.Action;
 import google.registry.request.auth.AuthResult;
 import google.registry.request.auth.UserAuthInfo;
 import google.registry.testing.DatabaseHelper;
 import google.registry.testing.FakeClock;
 import google.registry.testing.FakeConsoleApiParams;
 import google.registry.testing.FakeResponse;
 import google.registry.tools.GsonUtils;
 import google.registry.ui.server.console.ConsoleDomainListAction.DomainListResult;
 import google.registry.ui.server.registrar.ConsoleApiParams;
 import java.util.Optional;
 import javax.annotation.Nullable;
 import org.joda.time.DateTime;
@@ -48,7 +52,7 @@ public class ConsoleDomainListActionTest {
  private final FakeClock clock = new FakeClock(DateTime.parse("2023-10-20T00:00:00.000Z"));
-  private FakeResponse response;
+  private ConsoleApiParams consoleApiParams;
  @RegisterExtension
  final JpaTestExtensions.JpaIntegrationTestExtension jpa =
@@ -68,7 +72,9 @@ public class ConsoleDomainListActionTest {
  void testSuccess_allDomains() {
    ConsoleDomainListAction action = createAction("TheRegistrar");
    action.run();
-    DomainListResult result = GSON.fromJson(response.getPayload(), DomainListResult.class);
+    DomainListResult result =
        GSON.fromJson(
            ((FakeResponse) consoleApiParams.response()).getPayload(), DomainListResult.class);
    assertThat(result.domains).hasSize(10);
    assertThat(result.totalResults).isEqualTo(10);
    assertThat(result.checkpointTime).isEqualTo(clock.nowUtc());
@@ -80,7 +86,9 @@ public class ConsoleDomainListActionTest {
  void testSuccess_noDomains() {
    ConsoleDomainListAction action = createAction("NewRegistrar");
    action.run();
-    DomainListResult result = GSON.fromJson(response.getPayload(), DomainListResult.class);
+    DomainListResult result =
        GSON.fromJson(
            ((FakeResponse) consoleApiParams.response()).getPayload(), DomainListResult.class);
    assertThat(result.domains).hasSize(0);
    assertThat(result.totalResults).isEqualTo(0);
    assertThat(result.checkpointTime).isEqualTo(clock.nowUtc());
@@ -91,7 +99,9 @@ public class ConsoleDomainListActionTest {
    // Two pages of results should go in reverse chronological order
    ConsoleDomainListAction action = createAction("TheRegistrar", null, 0, 5, null, null);
    action.run();
-    DomainListResult result = GSON.fromJson(response.getPayload(), DomainListResult.class);
+    DomainListResult result =
        GSON.fromJson(
            ((FakeResponse) consoleApiParams.response()).getPayload(), DomainListResult.class);
    assertThat(result.domains.stream().map(Domain::getDomainName).collect(toImmutableList()))
        .containsExactly("9exists.tld", "8exists.tld", "7exists.tld", "6exists.tld", "5exists.tld");
    assertThat(result.totalResults).isEqualTo(10);
@@ -99,7 +109,9 @@ public class ConsoleDomainListActionTest {
    // Now do the second page
    action = createAction("TheRegistrar", result.checkpointTime, 1, 5, 10L, null);
    action.run();
-    result = GSON.fromJson(response.getPayload(), DomainListResult.class);
+    result =
        GSON.fromJson(
            ((FakeResponse) consoleApiParams.response()).getPayload(), DomainListResult.class);
    assertThat(result.domains.stream().map(Domain::getDomainName).collect(toImmutableList()))
        .containsExactly("4exists.tld", "3exists.tld", "2exists.tld", "1exists.tld", "0exists.tld");
  }
@@ -108,7 +120,9 @@ public class ConsoleDomainListActionTest {
  void testSuccess_partialPage() {
    ConsoleDomainListAction action = createAction("TheRegistrar", null, 1, 8, null, null);
    action.run();
-    DomainListResult result = GSON.fromJson(response.getPayload(), DomainListResult.class);
+    DomainListResult result =
        GSON.fromJson(
            ((FakeResponse) consoleApiParams.response()).getPayload(), DomainListResult.class);
    assertThat(result.domains.stream().map(Domain::getDomainName).collect(toImmutableList()))
        .containsExactly("1exists.tld", "0exists.tld");
  }
@@ -118,7 +132,9 @@ public class ConsoleDomainListActionTest {
    ConsoleDomainListAction action = createAction("TheRegistrar", null, 0, 10, null, null);
    action.run();
-    DomainListResult result = GSON.fromJson(response.getPayload(), DomainListResult.class);
+    DomainListResult result =
        GSON.fromJson(
            ((FakeResponse) consoleApiParams.response()).getPayload(), DomainListResult.class);
    assertThat(result.domains).hasSize(10);
    assertThat(result.totalResults).isEqualTo(10);
@@ -128,7 +144,9 @@ public class ConsoleDomainListActionTest {
    // Even though we persisted a new domain, the old checkpoint should return no more results
    action = createAction("TheRegistrar", result.checkpointTime, 1, 10, null, null);
    action.run();
-    result = GSON.fromJson(response.getPayload(), DomainListResult.class);
+    result =
        GSON.fromJson(
            ((FakeResponse) consoleApiParams.response()).getPayload(), DomainListResult.class);
    assertThat(result.domains).isEmpty();
    assertThat(result.totalResults).isEqualTo(10);
  }
@@ -137,7 +155,9 @@ public class ConsoleDomainListActionTest {
  void testSuccess_checkpointTime_deletion() {
    ConsoleDomainListAction action = createAction("TheRegistrar", null, 0, 5, null, null);
    action.run();
-    DomainListResult result = GSON.fromJson(response.getPayload(), DomainListResult.class);
+    DomainListResult result =
        GSON.fromJson(
            ((FakeResponse) consoleApiParams.response()).getPayload(), DomainListResult.class);
    clock.advanceOneMilli();
    Domain toDelete =
@@ -147,7 +167,9 @@ public class ConsoleDomainListActionTest {
    // Second page should include the domain that is now deleted due to the checkpoint time
    action = createAction("TheRegistrar", result.checkpointTime, 1, 5, null, null);
    action.run();
-    result = GSON.fromJson(response.getPayload(), DomainListResult.class);
+    result =
        GSON.fromJson(
            ((FakeResponse) consoleApiParams.response()).getPayload(), DomainListResult.class);
    assertThat(result.domains.stream().map(Domain::getDomainName).collect(toImmutableList()))
        .containsExactly("4exists.tld", "3exists.tld", "2exists.tld", "1exists.tld", "0exists.tld");
  }
@@ -156,7 +178,9 @@ public class ConsoleDomainListActionTest {
  void testSuccess_searchTerm_oneMatch() {
    ConsoleDomainListAction action = createAction("TheRegistrar", null, 0, 5, null, "0");
    action.run();
-    DomainListResult result = GSON.fromJson(response.getPayload(), DomainListResult.class);
+    DomainListResult result =
        GSON.fromJson(
            ((FakeResponse) consoleApiParams.response()).getPayload(), DomainListResult.class);
    assertThat(Iterables.getOnlyElement(result.domains).getDomainName()).isEqualTo("0exists.tld");
  }
@@ -164,7 +188,9 @@ public class ConsoleDomainListActionTest {
  void testSuccess_searchTerm_returnsNone() {
    ConsoleDomainListAction action = createAction("TheRegistrar", null, 0, 5, null, "deleted");
    action.run();
-    DomainListResult result = GSON.fromJson(response.getPayload(), DomainListResult.class);
+    DomainListResult result =
        GSON.fromJson(
            ((FakeResponse) consoleApiParams.response()).getPayload(), DomainListResult.class);
    assertThat(result.domains).isEmpty();
  }
@@ -172,7 +198,9 @@ public class ConsoleDomainListActionTest {
  void testSuccess_searchTerm_caseInsensitive() {
    ConsoleDomainListAction action = createAction("TheRegistrar", null, 0, 5, null, "eXiStS");
    action.run();
-    DomainListResult result = GSON.fromJson(response.getPayload(), DomainListResult.class);
+    DomainListResult result =
        GSON.fromJson(
            ((FakeResponse) consoleApiParams.response()).getPayload(), DomainListResult.class);
    assertThat(result.domains).hasSize(5);
    assertThat(result.totalResults).isEqualTo(10);
  }
@@ -181,7 +209,9 @@ public class ConsoleDomainListActionTest {
  void testSuccess_searchTerm_tld() {
    ConsoleDomainListAction action = createAction("TheRegistrar", null, 0, 5, null, "tld");
    action.run();
-    DomainListResult result = GSON.fromJson(response.getPayload(), DomainListResult.class);
+    DomainListResult result =
        GSON.fromJson(
            ((FakeResponse) consoleApiParams.response()).getPayload(), DomainListResult.class);
    assertThat(result.domains).hasSize(5);
    assertThat(result.totalResults).isEqualTo(10);
  }
@@ -190,7 +220,9 @@ public class ConsoleDomainListActionTest {
  void testPartialSuccess_pastEnd() {
    ConsoleDomainListAction action = createAction("TheRegistrar", null, 5, 5, null, null);
    action.run();
-    DomainListResult result = GSON.fromJson(response.getPayload(), DomainListResult.class);
+    DomainListResult result =
        GSON.fromJson(
            ((FakeResponse) consoleApiParams.response()).getPayload(), DomainListResult.class);
    assertThat(result.domains).isEmpty();
  }
@@ -198,14 +230,16 @@ public class ConsoleDomainListActionTest {
  void testFailure_invalidResultsPerPage() {
    ConsoleDomainListAction action = createAction("TheRegistrar", null, 0, 0, null, null);
    action.run();
-    assertThat(response.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
+    assertThat(((FakeResponse) consoleApiParams.response()).getStatus())
-    assertThat(response.getPayload())
+        .isEqualTo(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
    assertThat(((FakeResponse) consoleApiParams.response()).getPayload())
        .isEqualTo("Results per page must be between 1 and 500 inclusive");
    action = createAction("TheRegistrar", null, 0, 501, null, null);
    action.run();
-    assertThat(response.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
+    assertThat(((FakeResponse) consoleApiParams.response()).getStatus())
-    assertThat(response.getPayload())
+        .isEqualTo(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
    assertThat(((FakeResponse) consoleApiParams.response()).getPayload())
        .isEqualTo("Results per page must be between 1 and 500 inclusive");
  }
@@ -213,8 +247,10 @@ public class ConsoleDomainListActionTest {
  void testFailure_invalidPageNumber() {
    ConsoleDomainListAction action = createAction("TheRegistrar", null, -1, 10, null, null);
    action.run();
-    assertThat(response.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
+    assertThat(((FakeResponse) consoleApiParams.response()).getStatus())
-    assertThat(response.getPayload()).isEqualTo("Page number must be non-negative");
+        .isEqualTo(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
    assertThat(((FakeResponse) consoleApiParams.response()).getPayload())
        .isEqualTo("Page number must be non-negative");
  }
  private ConsoleDomainListAction createAction(String registrarId) {
@@ -228,12 +264,12 @@ public class ConsoleDomainListActionTest {
      @Nullable Integer resultsPerPage,
      @Nullable Long totalResults,
      @Nullable String searchTerm) {
    response = new FakeResponse();
    AuthResult authResult =
        AuthResult.createUser(UserAuthInfo.create(createAdminUser("email@email.example")));
    consoleApiParams = FakeConsoleApiParams.get(Optional.of(authResult));
    when(consoleApiParams.request().getMethod()).thenReturn(Action.Method.GET.toString());
    return new ConsoleDomainListAction(
-        authResult,
+        consoleApiParams,
        response,
        GSON,
        registrarId,
        Optional.ofNullable(checkpointTime),
--- a/core/src/test/java/google/registry/ui/server/console/ConsoleEppPasswordActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/console/ConsoleEppPasswordActionTest.java
@@ -45,7 +45,6 @@ import google.registry.testing.FakeResponse;
 import google.registry.tools.GsonUtils;
 import google.registry.ui.server.registrar.ConsoleApiParams;
 import google.registry.util.EmailMessage;
 import jakarta.servlet.http.Cookie;
 import java.util.Optional;
 import javax.mail.internet.AddressException;
 import javax.mail.internet.InternetAddress;
@@ -197,12 +196,7 @@ class ConsoleEppPasswordActionTest {
    AuthenticatedRegistrarAccessor authenticatedRegistrarAccessor =
        AuthenticatedRegistrarAccessor.createForTesting(
            ImmutableSetMultimap.of("registrarId", OWNER));
    Cookie cookie =
        new Cookie(
            consoleApiParams.xsrfTokenManager().X_CSRF_TOKEN,
            consoleApiParams.xsrfTokenManager().generateToken(""));
    when(consoleApiParams.request().getMethod()).thenReturn(Action.Method.POST.toString());
    when(consoleApiParams.request().getCookies()).thenReturn(new Cookie[] {cookie});
    return new ConsoleEppPasswordAction(
        consoleApiParams, authenticatedRegistrarAccessor, gmailClient);
--- a/core/src/test/java/google/registry/ui/server/console/RegistrarsActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/console/RegistrarsActionTest.java
@@ -21,7 +21,6 @@ import static google.registry.testing.DatabaseHelper.persistNewRegistrar;
 import static google.registry.testing.DatabaseHelper.persistResource;
 import static google.registry.testing.SqlHelper.saveRegistrar;
 import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 import com.google.api.client.http.HttpStatusCodes;
@@ -40,10 +39,11 @@ import google.registry.request.RequestModule;
 import google.registry.request.auth.AuthResult;
 import google.registry.request.auth.UserAuthInfo;
 import google.registry.testing.DeterministicStringGenerator;
 import google.registry.testing.FakeConsoleApiParams;
 import google.registry.testing.FakeResponse;
 import google.registry.ui.server.registrar.ConsoleApiParams;
 import google.registry.ui.server.registrar.RegistrarConsoleModule;
 import google.registry.util.StringGenerator;
 import jakarta.servlet.http.HttpServletRequest;
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.StringReader;
@@ -56,9 +56,8 @@ import org.junit.jupiter.api.extension.RegisterExtension;
 /** Tests for {@link google.registry.ui.server.console.RegistrarsAction}. */
 class RegistrarsActionTest {
  private final HttpServletRequest request = mock(HttpServletRequest.class);
  private static final Gson GSON = RequestModule.provideGson();
-  private FakeResponse response;
+  private ConsoleApiParams consoleApiParams;
  private StringGenerator passwordGenerator =
      new DeterministicStringGenerator("abcdefghijklmnopqrstuvwxyz");
@@ -112,8 +111,9 @@ class RegistrarsActionTest {
                    createUser(
                        new UserRoles.Builder().setGlobalRole(GlobalRole.SUPPORT_LEAD).build()))));
    action.run();
-    assertThat(response.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
+    assertThat(((FakeResponse) consoleApiParams.response()).getStatus())
-    String payload = response.getPayload();
+        .isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
    String payload = ((FakeResponse) consoleApiParams.response()).getPayload();
    assertThat(
            ImmutableList.of("\"registrarId\":\"NewRegistrar\"", "\"registrarId\":\"TheRegistrar\"")
                .stream()
@@ -131,8 +131,9 @@ class RegistrarsActionTest {
                UserAuthInfo.create(
                    createUser(new UserRoles.Builder().setGlobalRole(GlobalRole.FTE).build()))));
    action.run();
-    assertThat(response.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
+    assertThat(((FakeResponse) consoleApiParams.response()).getStatus())
-    String payload = response.getPayload();
+        .isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
    String payload = ((FakeResponse) consoleApiParams.response()).getPayload();
    assertThat(
            ImmutableList.of(
                    "\"registrarId\":\"NewRegistrar\"",
@@ -151,7 +152,8 @@ class RegistrarsActionTest {
            AuthResult.createUser(
                UserAuthInfo.create(createUser(new UserRoles.Builder().setIsAdmin(true).build()))));
    action.run();
-    assertThat(response.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
+    assertThat(((FakeResponse) consoleApiParams.response()).getStatus())
        .isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
    Registrar r = loadRegistrar("regIdTest");
    assertThat(r).isNotNull();
    assertThat(
@@ -180,12 +182,12 @@ class RegistrarsActionTest {
                          UserAuthInfo.create(
                              createUser(new UserRoles.Builder().setIsAdmin(true).build()))));
              action.run();
-              assertThat(response.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
+              assertThat(((FakeResponse) consoleApiParams.response()).getStatus())
-              assertThat(response.getPayload())
+                  .isEqualTo(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
              assertThat(((FakeResponse) consoleApiParams.response()).getPayload())
                  .isEqualTo(
-                      GSON.toJson(
+                      String.format(
-                          String.format(
+                          "Missing value for %s", userFriendlyKeysToRegistrarKeys.get(key)));
                              "Missing value for %s", userFriendlyKeysToRegistrarKeys.get(key))));
            });
  }
@@ -198,9 +200,10 @@ class RegistrarsActionTest {
            AuthResult.createUser(
                UserAuthInfo.create(createUser(new UserRoles.Builder().setIsAdmin(true).build()))));
    action.run();
-    assertThat(response.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
+    assertThat(((FakeResponse) consoleApiParams.response()).getStatus())
-    assertThat(response.getPayload())
+        .isEqualTo(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
-        .isEqualTo(GSON.toJson("Registrar with registrarId regIdTest already exists"));
+    assertThat(((FakeResponse) consoleApiParams.response()).getPayload())
        .isEqualTo("Registrar with registrarId regIdTest already exists");
  }
  @Test
@@ -219,7 +222,8 @@ class RegistrarsActionTest {
                                    RegistrarRole.ACCOUNT_MANAGER_WITH_REGISTRY_LOCK))
                            .build()))));
    action.run();
-    assertThat(response.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
+    assertThat(((FakeResponse) consoleApiParams.response()).getStatus())
        .isEqualTo(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
  }
  private User createUser(UserRoles userRoles) {
@@ -230,27 +234,19 @@ class RegistrarsActionTest {
  }
  private RegistrarsAction createAction(Action.Method method, AuthResult authResult) {
-    response = new FakeResponse();
+    consoleApiParams = FakeConsoleApiParams.get(Optional.of(authResult));
-    when(request.getMethod()).thenReturn(method.toString());
+    when(consoleApiParams.request().getMethod()).thenReturn(method.toString());
    if (method.equals(Action.Method.GET)) {
      return new RegistrarsAction(
-          request,
+          consoleApiParams, GSON, Optional.ofNullable(null), passwordGenerator, passcodeGenerator);
          authResult,
          response,
          GSON,
          Optional.ofNullable(null),
          passwordGenerator,
          passcodeGenerator);
    } else {
      try {
        doReturn(new BufferedReader(new StringReader(registrarParamMap.toString())))
-            .when(request)
+            .when(consoleApiParams.request())
            .getReader();
      } catch (IOException e) {
        return new RegistrarsAction(
-            request,
+            consoleApiParams,
            authResult,
            response,
            GSON,
            Optional.ofNullable(null),
            passwordGenerator,
@@ -258,15 +254,9 @@ class RegistrarsActionTest {
      }
      Optional<Registrar> maybeRegistrar =
          RegistrarConsoleModule.provideRegistrar(
-              GSON, RequestModule.provideJsonBody(request, GSON));
+              GSON, RequestModule.provideJsonBody(consoleApiParams.request(), GSON));
      return new RegistrarsAction(
-          request,
+          consoleApiParams, GSON, maybeRegistrar, passwordGenerator, passcodeGenerator);
          authResult,
          response,
          GSON,
          maybeRegistrar,
          passwordGenerator,
          passcodeGenerator);
    }
  }
 }
--- a/core/src/test/java/google/registry/ui/server/console/settings/ContactActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/console/settings/ContactActionTest.java
@@ -21,7 +21,7 @@ import static google.registry.testing.DatabaseHelper.createAdminUser;
 import static google.registry.testing.DatabaseHelper.insertInDb;
 import static google.registry.testing.DatabaseHelper.loadAllOf;
 import static google.registry.testing.SqlHelper.saveRegistrar;
-import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.when;
 import com.google.api.client.http.HttpStatusCodes;
@@ -38,9 +38,10 @@ import google.registry.request.Action;
 import google.registry.request.RequestModule;
 import google.registry.request.auth.AuthResult;
 import google.registry.request.auth.UserAuthInfo;
 import google.registry.testing.FakeConsoleApiParams;
 import google.registry.testing.FakeResponse;
 import google.registry.ui.server.registrar.ConsoleApiParams;
 import google.registry.ui.server.registrar.RegistrarConsoleModule;
 import jakarta.servlet.http.HttpServletRequest;
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.StringReader;
@@ -69,10 +70,9 @@ class ContactActionTest {
          + "\"visibleInWhoisAsTech\":false,\"visibleInDomainWhoisAsAbuse\":false}";
  private Registrar testRegistrar;
-  private final HttpServletRequest request = mock(HttpServletRequest.class);
+  private ConsoleApiParams consoleApiParams;
  private RegistrarPoc testRegistrarPoc;
  private static final Gson GSON = RequestModule.provideGson();
  private FakeResponse response;
  @RegisterExtension
  final JpaTestExtensions.JpaIntegrationTestExtension jpa =
@@ -80,7 +80,6 @@ class ContactActionTest {
  @BeforeEach
  void beforeEach() {
    response = new FakeResponse();
    testRegistrar = saveRegistrar("registrarId");
    testRegistrarPoc =
        new RegistrarPoc.Builder()
@@ -106,8 +105,10 @@ class ContactActionTest {
            testRegistrar.getRegistrarId(),
            null);
    action.run();
-    assertThat(response.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
+    assertThat(((FakeResponse) consoleApiParams.response()).getStatus())
-    assertThat(response.getPayload()).isEqualTo("[" + jsonRegistrar1 + "]");
+        .isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
    assertThat(((FakeResponse) consoleApiParams.response()).getPayload())
        .isEqualTo("[" + jsonRegistrar1 + "]");
  }
  @Test
@@ -121,8 +122,9 @@ class ContactActionTest {
            testRegistrar.getRegistrarId(),
            null);
    action.run();
-    assertThat(response.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
+    assertThat(((FakeResponse) consoleApiParams.response()).getStatus())
-    assertThat(response.getPayload()).isEqualTo("[]");
+        .isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
    assertThat(((FakeResponse) consoleApiParams.response()).getPayload()).isEqualTo("[]");
  }
  @Test
@@ -134,7 +136,8 @@ class ContactActionTest {
            testRegistrar.getRegistrarId(),
            "[" + jsonRegistrar1 + "," + jsonRegistrar2 + "]");
    action.run();
-    assertThat(response.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
+    assertThat(((FakeResponse) consoleApiParams.response()).getStatus())
        .isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
    assertThat(
            loadAllOf(RegistrarPoc.class).stream()
                .filter(r -> r.registrarId.equals(testRegistrar.getRegistrarId()))
@@ -154,7 +157,8 @@ class ContactActionTest {
            testRegistrar.getRegistrarId(),
            "[" + jsonRegistrar1 + "," + jsonRegistrar2 + "]");
    action.run();
-    assertThat(response.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
+    assertThat(((FakeResponse) consoleApiParams.response()).getStatus())
        .isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
    HashMap<String, String> testResult = new HashMap<>();
    loadAllOf(RegistrarPoc.class).stream()
        .filter(r -> r.registrarId.equals(testRegistrar.getRegistrarId()))
@@ -177,7 +181,8 @@ class ContactActionTest {
            testRegistrar.getRegistrarId(),
            "[" + jsonRegistrar2 + "]");
    action.run();
-    assertThat(response.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
+    assertThat(((FakeResponse) consoleApiParams.response()).getStatus())
        .isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
    assertThat(
            loadAllOf(RegistrarPoc.class).stream()
                .filter(r -> r.registrarId.equals(testRegistrar.getRegistrarId()))
@@ -207,21 +212,25 @@ class ContactActionTest {
            testRegistrar.getRegistrarId(),
            "[" + jsonRegistrar2 + "]");
    action.run();
-    assertThat(response.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
+    assertThat(((FakeResponse) consoleApiParams.response()).getStatus())
        .isEqualTo(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
  }
  private ContactAction createAction(
      Action.Method method, AuthResult authResult, String registrarId, String contacts)
      throws IOException {
-    when(request.getMethod()).thenReturn(method.toString());
+    consoleApiParams = FakeConsoleApiParams.get(Optional.of(authResult));
    when(consoleApiParams.request().getMethod()).thenReturn(method.toString());
    if (method.equals(Action.Method.GET)) {
-      return new ContactAction(request, authResult, response, GSON, registrarId, Optional.empty());
+      return new ContactAction(consoleApiParams, GSON, registrarId, Optional.empty());
    } else {
-      when(request.getReader()).thenReturn(new BufferedReader(new StringReader(contacts)));
+      doReturn(new BufferedReader(new StringReader(contacts)))
          .when(consoleApiParams.request())
          .getReader();
      Optional<ImmutableSet<RegistrarPoc>> maybeContacts =
          RegistrarConsoleModule.provideContacts(
-              GSON, RequestModule.provideJsonBody(request, GSON));
+              GSON, RequestModule.provideJsonBody(consoleApiParams.request(), GSON));
-      return new ContactAction(request, authResult, response, GSON, registrarId, maybeContacts);
+      return new ContactAction(consoleApiParams, GSON, registrarId, maybeContacts);
    }
  }
 }
--- a/core/src/test/java/google/registry/ui/server/console/settings/SecurityActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/console/settings/SecurityActionTest.java
@@ -20,7 +20,7 @@ import static google.registry.testing.DatabaseHelper.loadRegistrar;
 import static google.registry.testing.SqlHelper.saveRegistrar;
 import static google.registry.util.DateTimeUtils.START_OF_TIME;
 import static org.mockito.Mockito.doReturn;
-import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
 import com.google.api.client.http.HttpStatusCodes;
 import com.google.common.collect.ImmutableSet;
@@ -30,15 +30,17 @@ import com.google.gson.Gson;
 import google.registry.flows.certs.CertificateChecker;
 import google.registry.model.registrar.Registrar;
 import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.request.Action;
 import google.registry.request.RequestModule;
 import google.registry.request.auth.AuthResult;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor;
 import google.registry.request.auth.UserAuthInfo;
 import google.registry.testing.DatabaseHelper;
 import google.registry.testing.FakeClock;
 import google.registry.testing.FakeConsoleApiParams;
 import google.registry.testing.FakeResponse;
 import google.registry.ui.server.registrar.ConsoleApiParams;
 import google.registry.ui.server.registrar.RegistrarConsoleModule;
 import jakarta.servlet.http.HttpServletRequest;
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.StringReader;
@@ -57,10 +59,9 @@ class SecurityActionTest {
              + " \"ipAddressAllowList\": [\"192.168.1.1/32\"]}",
          SAMPLE_CERT2);
  private static final Gson GSON = RequestModule.provideGson();
-  private final HttpServletRequest request = mock(HttpServletRequest.class);
+  private ConsoleApiParams consoleApiParams;
  private final FakeClock clock = new FakeClock();
  private Registrar testRegistrar;
  private FakeResponse response = new FakeResponse();
  private AuthenticatedRegistrarAccessor registrarAccessor =
      AuthenticatedRegistrarAccessor.createForTesting(
@@ -93,7 +94,8 @@ class SecurityActionTest {
                UserAuthInfo.create(DatabaseHelper.createAdminUser("email@email.com"))),
            testRegistrar.getRegistrarId());
    action.run();
-    assertThat(response.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
+    assertThat(((FakeResponse) consoleApiParams.response()).getStatus())
        .isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
    Registrar r = loadRegistrar(testRegistrar.getRegistrarId());
    assertThat(r.getClientCertificateHash().get())
        .isEqualTo("GNd6ZP8/n91t9UTnpxR8aH7aAW4+CpvufYx9ViGbcMY");
@@ -103,16 +105,15 @@ class SecurityActionTest {
  private SecurityAction createAction(AuthResult authResult, String registrarId)
      throws IOException {
-    doReturn(new BufferedReader(new StringReader(jsonRegistrar1))).when(request).getReader();
+    consoleApiParams = FakeConsoleApiParams.get(Optional.of(authResult));
    when(consoleApiParams.request().getMethod()).thenReturn(Action.Method.POST.toString());
    doReturn(new BufferedReader(new StringReader(jsonRegistrar1)))
        .when(consoleApiParams.request())
        .getReader();
    Optional<Registrar> maybeRegistrar =
-        RegistrarConsoleModule.provideRegistrar(GSON, RequestModule.provideJsonBody(request, GSON));
+        RegistrarConsoleModule.provideRegistrar(
-      return new SecurityAction(
+            GSON, RequestModule.provideJsonBody(consoleApiParams.request(), GSON));
-          authResult,
+    return new SecurityAction(
-          response,
+        consoleApiParams, certificateChecker, registrarAccessor, registrarId, maybeRegistrar);
          GSON,
          certificateChecker,
          registrarAccessor,
          registrarId,
          maybeRegistrar);
  }
 }
--- a/core/src/test/java/google/registry/ui/server/console/settings/WhoisRegistrarFieldsActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/console/settings/WhoisRegistrarFieldsActionTest.java
@@ -16,7 +16,7 @@ package google.registry.ui.server.console.settings;
 import static com.google.common.truth.Truth.assertThat;
 import static google.registry.model.ImmutableObjectSubject.assertAboutImmutableObjects;
-import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.when;
 import com.google.api.client.http.HttpStatusCodes;
@@ -30,6 +30,7 @@ import google.registry.model.console.User;
 import google.registry.model.console.UserRoles;
 import google.registry.model.registrar.Registrar;
 import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.request.Action;
 import google.registry.request.RequestModule;
 import google.registry.request.auth.AuthResult;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor;
@@ -37,13 +38,15 @@ import google.registry.request.auth.AuthenticatedRegistrarAccessor.Role;
 import google.registry.request.auth.UserAuthInfo;
 import google.registry.testing.DatabaseHelper;
 import google.registry.testing.FakeClock;
 import google.registry.testing.FakeConsoleApiParams;
 import google.registry.testing.FakeResponse;
 import google.registry.ui.server.registrar.ConsoleApiParams;
 import google.registry.ui.server.registrar.RegistrarConsoleModule;
 import jakarta.servlet.http.HttpServletRequest;
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.StringReader;
 import java.util.HashMap;
 import java.util.Optional;
 import org.joda.time.DateTime;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.RegisterExtension;
@@ -51,10 +54,9 @@ import org.junit.jupiter.api.extension.RegisterExtension;
 /** Tests for {@link WhoisRegistrarFieldsAction}. */
 public class WhoisRegistrarFieldsActionTest {
  private ConsoleApiParams consoleApiParams;
  private static final Gson GSON = RequestModule.provideGson();
  private final FakeClock clock = new FakeClock(DateTime.parse("2023-08-01T00:00:00.000Z"));
  private final FakeResponse fakeResponse = new FakeResponse();
  private final HttpServletRequest request = mock(HttpServletRequest.class);
  private final AuthenticatedRegistrarAccessor registrarAccessor =
      AuthenticatedRegistrarAccessor.createForTesting(
          ImmutableSetMultimap.of("TheRegistrar", Role.OWNER, "NewRegistrar", Role.OWNER));
@@ -110,7 +112,8 @@ public class WhoisRegistrarFieldsActionTest {
                + " \"NL\", \"zip\": \"10011\", \"countryCode\": \"CA\"}"));
    WhoisRegistrarFieldsAction action = createAction();
    action.run();
-    assertThat(fakeResponse.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
+    assertThat(((FakeResponse) consoleApiParams.response()).getStatus())
        .isEqualTo(HttpStatusCodes.STATUS_CODE_OK);
    Registrar newRegistrar = Registrar.loadByRegistrarId("TheRegistrar").get(); // skip cache
    assertThat(newRegistrar.getWhoisServer()).isEqualTo("whois.nic.google");
    assertThat(newRegistrar.getUrl()).isEqualTo("https://newurl.example");
@@ -138,7 +141,8 @@ public class WhoisRegistrarFieldsActionTest {
    uiRegistrarMap.put("registrarId", "NewRegistrar");
    WhoisRegistrarFieldsAction action = createAction(onlyTheRegistrar);
    action.run();
-    assertThat(fakeResponse.getStatus()).isEqualTo(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
+    assertThat(((FakeResponse) consoleApiParams.response()).getStatus())
        .isEqualTo(HttpStatusCodes.STATUS_CODE_FORBIDDEN);
    // should be no change
    assertThat(DatabaseHelper.loadByEntity(newRegistrar)).isEqualTo(newRegistrar);
  }
@@ -153,14 +157,15 @@ public class WhoisRegistrarFieldsActionTest {
  }
  private WhoisRegistrarFieldsAction createAction(AuthResult authResult) throws IOException {
-    when(request.getReader())
+    consoleApiParams = FakeConsoleApiParams.get(Optional.of(authResult));
-        .thenReturn(new BufferedReader(new StringReader(uiRegistrarMap.toString())));
+    when(consoleApiParams.request().getMethod()).thenReturn(Action.Method.POST.toString());
    doReturn(new BufferedReader(new StringReader(uiRegistrarMap.toString())))
        .when(consoleApiParams.request())
        .getReader();
    return new WhoisRegistrarFieldsAction(
-        authResult,
+        consoleApiParams,
        fakeResponse,
        GSON,
        registrarAccessor,
        RegistrarConsoleModule.provideRegistrar(
-            GSON, RequestModule.provideJsonBody(request, GSON)));
+            GSON, RequestModule.provideJsonBody(consoleApiParams.request(), GSON)));
  }
 }