Merge pull request #235 from NHSDigital/feature/CCM-7465_use-jwt-sub

CCM-7465 : Update APIs to use sub as the owner field in DDB PT.1

Author: bhansell1

infrastructure/terraform/components/sandbox/aws_cognito_user_pool_client_sandbox.tf

@@ -4,6 +4,17 @@ resource "aws_cognito_user_pool_client" "sandbox" {
 
   explicit_auth_flows = [
     "ALLOW_USER_PASSWORD_AUTH",
-    "ALLOW_REFRESH_TOKEN_AUTH"
+    "ALLOW_REFRESH_TOKEN_AUTH",
+    "ALLOW_USER_SRP_AUTH"
   ]
+
+  access_token_validity  = 1 # 1 hour
+  id_token_validity      = 1 # 1 hour
+  refresh_token_validity = 1 # 1 day
+
+  token_validity_units {
+    access_token  = "hours"
+    id_token      = "hours"
+    refresh_token = "days"
+  }
 }

infrastructure/terraform/components/sandbox/outputs.tf

@@ -9,3 +9,7 @@ output "cognito_user_pool_id" {
 output "cognito_user_pool_client_id" {
   value = aws_cognito_user_pool_client.sandbox.id
 }
+
+output "dynamodb_table_templates" {
+  value = module.backend_api.dynamodb_table_templates
+}

infrastructure/terraform/modules/backend-api/outputs.tf

@@ -1,3 +1,7 @@
 output "api_base_url" {
   value = aws_api_gateway_stage.main.invoke_url
 }
+
+output "dynamodb_table_templates" {
+  value = aws_dynamodb_table.templates.name
+}

lambdas/authorizer/src/__tests__/index.test.ts

@@ -32,7 +32,7 @@ jest.mock('@aws-sdk/client-cognito-identity-provider', () => {
       ) {
         return {
           Username: undefined,
-          UserAttributes: [{ Name: 'email', Value: 'email' }],
+          UserAttributes: [{ Name: 'sub', Value: 'sub' }],
         };
       }
 
@@ -48,17 +48,17 @@ jest.mock('@aws-sdk/client-cognito-identity-provider', () => {
 
       if (
         decodedJwt.iss ===
-        'https://cognito-idp.eu-west-2.amazonaws.com/user-pool-id-cognito-no-email'
+        'https://cognito-idp.eu-west-2.amazonaws.com/user-pool-id-cognito-no-sub'
       ) {
         return {
           Username: 'username',
-          UserAttributes: [{ Name: 'NOT-EMAIL', Value: 'not-email' }],
+          UserAttributes: [{ Name: 'NOT-SUB', Value: 'not-sub' }],
         };
       }
 
       return {
         Username: 'username',
-        UserAttributes: [{ Name: 'email', Value: 'email' }],
+        UserAttributes: [{ Name: 'sub', Value: 'sub' }],
       };
     }
   }
@@ -100,8 +100,7 @@ const allowPolicy = {
     ],
   },
   context: {
-    username: 'username',
-    email: 'email',
+    user: 'sub',
   },
 };
 
@@ -361,14 +360,14 @@ test.each([
   expect(warnMock).toHaveBeenCalledWith('Missing user');
 });
 
-test('returns Deny policy, when no email on Cognito UserAttributes', async () => {
-  process.env.USER_POOL_ID = 'user-pool-id-cognito-no-email';
+test('returns Deny policy, when no sub on Cognito UserAttributes', async () => {
+  process.env.USER_POOL_ID = 'user-pool-id-cognito-no-sub';
 
   const jwt = sign(
     {
       token_use: 'access',
       client_id: 'user-pool-client-id',
-      iss: 'https://cognito-idp.eu-west-2.amazonaws.com/user-pool-id-cognito-no-email',
+      iss: 'https://cognito-idp.eu-west-2.amazonaws.com/user-pool-id-cognito-no-sub',
     },
     'key',
     {
@@ -387,7 +386,7 @@ test('returns Deny policy, when no email on Cognito UserAttributes', async () =>
   );
 
   expect(res).toEqual(denyPolicy);
-  expect(warnMock).toHaveBeenCalledWith('Missing user email address');
+  expect(warnMock).toHaveBeenCalledWith('Missing user subject');
 });
 
 test('returns Allow policy on valid token', async () => {

lambdas/authorizer/src/index.ts

@@ -22,7 +22,7 @@ const $AccessToken = z.object({
 const generatePolicy = (
   Resource: string,
   Effect: 'Allow' | 'Deny',
-  context?: { username: string; email: string }
+  context?: { user: string }
 ) => ({
   principalId: 'api-caller',
   policyDocument: {
@@ -110,18 +110,15 @@ export const handler: APIGatewayRequestAuthorizerHandler = async ({
       return generatePolicy(methodArn, 'Deny');
     }
 
-    const emailAddress = UserAttributes.find(
-      ({ Name }) => Name === 'email'
-    )?.Value;
+    const sub = UserAttributes.find(({ Name }) => Name === 'sub')?.Value;
 
-    if (!emailAddress) {
-      logger.warn('Missing user email address');
+    if (!sub) {
+      logger.warn('Missing user subject');
       return generatePolicy(methodArn, 'Deny');
     }
 
     return generatePolicy(methodArn, 'Allow', {
-      username: Username,
-      email: emailAddress,
+      user: sub,
     });
   } catch (error) {
     logger.error(error);

lambdas/backend-api/src/__tests__/templates/api/create.test.ts

@@ -16,9 +16,9 @@ const createMock = jest.spyOn(TemplateClient.prototype, 'createTemplate');
 describe('Template API - Create', () => {
   beforeEach(jest.resetAllMocks);
 
-  test('should return 400 - Invalid request when, no email in requestContext', async () => {
+  test('should return 400 - Invalid request when, no user in requestContext', async () => {
     const event = mock<APIGatewayProxyEvent>({
-      requestContext: { authorizer: { email: undefined } },
+      requestContext: { authorizer: { user: undefined } },
       body: JSON.stringify({ id: 1 }),
     });
 
@@ -48,7 +48,7 @@ describe('Template API - Create', () => {
     });
 
     const event = mock<APIGatewayProxyEvent>({
-      requestContext: { authorizer: { email: 'email' } },
+      requestContext: { authorizer: { user: 'sub' } },
       body: undefined,
     });
 
@@ -65,7 +65,7 @@ describe('Template API - Create', () => {
       }),
     });
 
-    expect(TemplateClient).toHaveBeenCalledWith('email');
+    expect(TemplateClient).toHaveBeenCalledWith('sub');
 
     expect(createMock).toHaveBeenCalledWith({});
   });
@@ -79,7 +79,7 @@ describe('Template API - Create', () => {
     });
 
     const event = mock<APIGatewayProxyEvent>({
-      requestContext: { authorizer: { email: 'email' } },
+      requestContext: { authorizer: { user: 'sub' } },
       body: JSON.stringify({ id: 1 }),
     });
 
@@ -93,7 +93,7 @@ describe('Template API - Create', () => {
       }),
     });
 
-    expect(TemplateClient).toHaveBeenCalledWith('email');
+    expect(TemplateClient).toHaveBeenCalledWith('sub');
 
     expect(createMock).toHaveBeenCalledWith({ id: 1 });
   });
@@ -117,7 +117,7 @@ describe('Template API - Create', () => {
     });
 
     const event = mock<APIGatewayProxyEvent>({
-      requestContext: { authorizer: { email: 'email' } },
+      requestContext: { authorizer: { user: 'sub' } },
       body: JSON.stringify(create),
     });
 
@@ -128,7 +128,7 @@ describe('Template API - Create', () => {
       body: JSON.stringify({ statusCode: 201, template: response }),
     });
 
-    expect(TemplateClient).toHaveBeenCalledWith('email');
+    expect(TemplateClient).toHaveBeenCalledWith('sub');
 
     expect(createMock).toHaveBeenCalledWith(create);
   });

lambdas/backend-api/src/__tests__/templates/api/get.test.ts

@@ -15,9 +15,9 @@ const getTemplateMock = jest.spyOn(TemplateClient.prototype, 'getTemplate');
 describe('Template API - Get', () => {
   beforeEach(jest.resetAllMocks);
 
-  test('should return 400 - Invalid request when, no email in requestContext', async () => {
+  test('should return 400 - Invalid request when, no user in requestContext', async () => {
     const event = mock<APIGatewayProxyEvent>({
-      requestContext: { authorizer: { email: undefined } },
+      requestContext: { authorizer: { user: undefined } },
       pathParameters: { templateId: '1' },
     });
 
@@ -36,7 +36,7 @@ describe('Template API - Get', () => {
 
   test('should return 400 - Invalid request when, no templateId', async () => {
     const event = mock<APIGatewayProxyEvent>({
-      requestContext: { authorizer: { email: 'email' } },
+      requestContext: { authorizer: { user: 'sub' } },
       pathParameters: { templateId: undefined },
     });
 
@@ -62,7 +62,7 @@ describe('Template API - Get', () => {
     });
 
     const event = mock<APIGatewayProxyEvent>({
-      requestContext: { authorizer: { email: 'email' } },
+      requestContext: { authorizer: { user: 'sub' } },
       pathParameters: { templateId: '1' },
     });
 
@@ -76,7 +76,7 @@ describe('Template API - Get', () => {
       }),
     });
 
-    expect(TemplateClient).toHaveBeenCalledWith('email');
+    expect(TemplateClient).toHaveBeenCalledWith('sub');
     expect(getTemplateMock).toHaveBeenCalledWith('1');
   });
 
@@ -96,7 +96,7 @@ describe('Template API - Get', () => {
     });
 
     const event = mock<APIGatewayProxyEvent>({
-      requestContext: { authorizer: { email: 'email' } },
+      requestContext: { authorizer: { user: 'sub' } },
       pathParameters: { templateId: '1' },
     });
 
@@ -107,7 +107,7 @@ describe('Template API - Get', () => {
       body: JSON.stringify({ statusCode: 200, template }),
     });
 
-    expect(TemplateClient).toHaveBeenCalledWith('email');
+    expect(TemplateClient).toHaveBeenCalledWith('sub');
     expect(getTemplateMock).toHaveBeenCalledWith('1');
   });
 });

lambdas/backend-api/src/__tests__/templates/api/list.test.ts

@@ -15,9 +15,9 @@ const listTemplatesMock = jest.spyOn(TemplateClient.prototype, 'listTemplates');
 describe('Template API - List', () => {
   beforeEach(jest.resetAllMocks);
 
-  test('should return 400 - Invalid request when, no email in requestContext', async () => {
+  test('should return 400 - Invalid request when, no user in requestContext', async () => {
     const event = mock<APIGatewayProxyEvent>({
-      requestContext: { authorizer: { email: undefined } },
+      requestContext: { authorizer: { user: undefined } },
     });
 
     const result = await handler(event, mock<Context>(), jest.fn());
@@ -42,7 +42,7 @@ describe('Template API - List', () => {
     });
 
     const event = mock<APIGatewayProxyEvent>({
-      requestContext: { authorizer: { email: 'email' } },
+      requestContext: { authorizer: { user: 'sub' } },
       pathParameters: { templateId: '1' },
     });
 
@@ -56,7 +56,7 @@ describe('Template API - List', () => {
       }),
     });
 
-    expect(TemplateClient).toHaveBeenCalledWith('email');
+    expect(TemplateClient).toHaveBeenCalledWith('sub');
 
     expect(listTemplatesMock).toHaveBeenCalled();
   });
@@ -77,7 +77,7 @@ describe('Template API - List', () => {
     });
 
     const event = mock<APIGatewayProxyEvent>({
-      requestContext: { authorizer: { email: 'email' } },
+      requestContext: { authorizer: { user: 'sub' } },
     });
 
     const result = await handler(event, mock<Context>(), jest.fn());
@@ -87,7 +87,7 @@ describe('Template API - List', () => {
       body: JSON.stringify({ statusCode: 200, templates: [template] }),
     });
 
-    expect(TemplateClient).toHaveBeenCalledWith('email');
+    expect(TemplateClient).toHaveBeenCalledWith('sub');
 
     expect(listTemplatesMock).toHaveBeenCalled();
   });

lambdas/backend-api/src/__tests__/templates/api/update.test.ts

@@ -19,9 +19,9 @@ const updateTemplateMock = jest.spyOn(
 describe('Template API - Update', () => {
   beforeEach(jest.resetAllMocks);
 
-  test('should return 400 - Invalid request when, no email in requestContext', async () => {
+  test('should return 400 - Invalid request when, no user in requestContext', async () => {
     const event = mock<APIGatewayProxyEvent>({
-      requestContext: { authorizer: { email: undefined } },
+      requestContext: { authorizer: { user: undefined } },
       body: JSON.stringify({ name: 'test' }),
       pathParameters: { templateId: '1-2-3' },
     });
@@ -52,7 +52,7 @@ describe('Template API - Update', () => {
     });
 
     const event = mock<APIGatewayProxyEvent>({
-      requestContext: { authorizer: { email: 'email' } },
+      requestContext: { authorizer: { user: 'sub' } },
       pathParameters: { templateId: '1-2-3' },
       body: undefined,
     });
@@ -70,14 +70,14 @@ describe('Template API - Update', () => {
       }),
     });
 
-    expect(TemplateClient).toHaveBeenCalledWith('email');
+    expect(TemplateClient).toHaveBeenCalledWith('sub');
 
     expect(updateTemplateMock).toHaveBeenCalledWith('1-2-3', {});
   });
 
   test('should return 400 - Invalid request when, no templateId', async () => {
     const event = mock<APIGatewayProxyEvent>({
-      requestContext: { authorizer: { email: 'email' } },
+      requestContext: { authorizer: { user: 'sub' } },
       body: JSON.stringify({ name: 'test' }),
       pathParameters: { templateId: undefined },
     });
@@ -104,7 +104,7 @@ describe('Template API - Update', () => {
     });
 
     const event = mock<APIGatewayProxyEvent>({
-      requestContext: { authorizer: { email: 'email' } },
+      requestContext: { authorizer: { user: 'sub' } },
       body: JSON.stringify({ name: 'name' }),
       pathParameters: { templateId: '1-2-3' },
     });
@@ -119,7 +119,7 @@ describe('Template API - Update', () => {
       }),
     });
 
-    expect(TemplateClient).toHaveBeenCalledWith('email');
+    expect(TemplateClient).toHaveBeenCalledWith('sub');
 
     expect(updateTemplateMock).toHaveBeenCalledWith('1-2-3', { name: 'name' });
   });
@@ -144,7 +144,7 @@ describe('Template API - Update', () => {
     });
 
     const event = mock<APIGatewayProxyEvent>({
-      requestContext: { authorizer: { email: 'email' } },
+      requestContext: { authorizer: { user: 'sub' } },
       body: JSON.stringify(update),
       pathParameters: { templateId: '1-2-3' },
     });
@@ -156,7 +156,7 @@ describe('Template API - Update', () => {
       body: JSON.stringify({ statusCode: 200, template: response }),
     });
 
-    expect(TemplateClient).toHaveBeenCalledWith('email');
+    expect(TemplateClient).toHaveBeenCalledWith('sub');
 
     expect(updateTemplateMock).toHaveBeenCalledWith('1-2-3', update);
   });

lambdas/backend-api/src/templates/api/create.ts

@@ -3,15 +3,15 @@ import { TemplateClient } from '@backend-api/templates/app/template-client';
 import { apiFailure, apiSuccess } from './responses';
 
 export const handler: APIGatewayProxyHandler = async (event) => {
-  const email = event.requestContext.authorizer?.email;
+  const user = event.requestContext.authorizer?.user;
 
   const dto = JSON.parse(event.body || '{}');
 
-  if (!email) {
+  if (!user) {
     return apiFailure(400, 'Invalid request');
   }
 
-  const client = new TemplateClient(email);
+  const client = new TemplateClient(user);
 
   const { data, error } = await client.createTemplate(dto);