/**
* @jest-environment node
*/
import { NextRequest } from 'next/server';
import { getAccessTokenServer } from '@utils/amplify-utils';
import { middleware } from '../middleware';
// Auto-mock the whole Amplify utils module so no test invokes the real
// server-side token helper.
jest.mock('@utils/amplify-utils');

// Typed handle on the auto-mocked token getter (equivalent to jest.mocked()).
const getTokenMock = getAccessTokenServer as jest.MockedFunction<
  typeof getAccessTokenServer
>;
/**
 * Split a response's Content-Security-Policy header into its individual,
 * whitespace-trimmed directives so tests can compare them as a list.
 *
 * @param response - The response whose CSP header is inspected.
 * @returns The trimmed directives in header order, or `undefined` when the
 *   header is absent. A header ending in `;` yields a trailing empty string.
 */
function getCsp(response: Response) {
  const header = response.headers.get('Content-Security-Policy');
  if (header === null) {
    return undefined;
  }

  const directives: string[] = [];
  for (const part of header.split(';')) {
    directives.push(part.trim());
  }
  return directives;
}
// Snapshot the environment once, before any test runs, so that per-test env
// mutations (e.g. NODE_ENV) do not leak out of this file.
const OLD_ENV = Object.assign({}, process.env);

afterAll(function restoreEnvironment() {
  process.env = OLD_ENV;
});
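describe('middleware function', () => {
  // Production script-src: nonce only. Development additionally permits
  // 'unsafe-eval'; the last test pins that this is the ONLY difference.
  const prodScriptSrc = /^script-src 'self' 'nonce-[\dA-Za-z]+'$/;
  const devScriptSrc = /^script-src 'self' 'nonce-[\dA-Za-z]+' 'unsafe-eval'$/;

  /**
   * Expected CSP directive list (in the shape getCsp returns). Every CSP
   * assertion in this file differs only in the script-src directive, so the
   * fixture lives in one place and is parameterised on that matcher.
   *
   * The trailing '' entry is what getCsp yields when the header ends in ';'.
   */
  function expectedCsp(scriptSrc: RegExp) {
    return [
      "base-uri 'self'",
      "default-src 'none'",
      "frame-ancestors 'none'",
      "font-src 'self' https://assets.nhs.uk",
      "form-action 'self'",
      "frame-src 'self'",
      "connect-src 'self' https://cognito-idp.eu-west-2.amazonaws.com",
      "img-src 'self'",
      "manifest-src 'self'",
      "object-src 'none'",
      expect.stringMatching(scriptSrc),
      expect.stringMatching(/^style-src 'self' 'nonce-[\dA-Za-z]+'$/),
      'upgrade-insecure-requests',
      '',
    ];
  }

  // The development-mode test mutates NODE_ENV. Restore it after every test
  // (not only in afterAll) so later tests do not depend on execution order.
  const originalNodeEnv = process.env.NODE_ENV;

  afterEach(() => {
    // @ts-expect-error assignment to const
    process.env.NODE_ENV = originalNodeEnv;
  });

  it('If route is not registered in middleware, respond with 404', async () => {
    const url = new URL('https://url.com/manage-templates/does-not-exist');
    const request = new NextRequest(url);

    const response = await middleware(request);

    // Unknown routes are rejected by the middleware rather than passed on.
    expect(response.status).toBe(404);
  });

  it('if request path is protected, and no access token is obtained, redirect to auth page', async () => {
    const url = new URL('https://url.com/manage-templates');
    const request = new NextRequest(url);
    request.cookies.set('csrf_token', 'some-csrf-value');

    // getTokenMock has no resolved value here, so the middleware sees no token.
    const response = await middleware(request);

    expect(getTokenMock).toHaveBeenCalledWith({ forceRefresh: true });

    expect(response.status).toBe(307);
    // The redirect carries the originally requested path so the user can be
    // returned to it after signing in.
    expect(response.headers.get('location')).toBe(
      'https://url.com/auth?redirect=%2Ftemplates%2Fmanage-templates'
    );
    expect(response.headers.get('Content-Type')).toBe('text/html');
    // Any pre-existing CSRF token is cleared when the user is sent to auth.
    expect(response.cookies.get('csrf_token')?.value).toEqual('');
  });

  it('if request path is protected, and access token is obtained, respond with CSP', async () => {
    getTokenMock.mockResolvedValueOnce('token');

    const url = new URL('https://url.com/manage-templates');
    const request = new NextRequest(url);

    const response = await middleware(request);

    expect(getCsp(response)).toEqual(expectedCsp(prodScriptSrc));
  });

  it('if request path is not protected, respond with CSP', async () => {
    const url = new URL('https://url.com/create-and-submit-templates');
    const request = new NextRequest(url);

    const response = await middleware(request);

    // Public routes get exactly the same policy as protected ones.
    expect(getCsp(response)).toEqual(expectedCsp(prodScriptSrc));
  });

  it('when running in development mode, CSP script-src allows unsafe-eval', async () => {
    // @ts-expect-error assignment to const
    process.env.NODE_ENV = 'development';

    const url = new URL('https://url.com/create-and-submit-templates');
    const request = new NextRequest(url);

    const response = await middleware(request);

    // Only script-src relaxes in development; every other directive is
    // unchanged, which expectedCsp enforces by construction.
    expect(getCsp(response)).toEqual(expectedCsp(devScriptSrc));
  });
});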