empty

Author: alexnuttall

scripts/maintenance/migrate-to-client-ownership/.eslintignore

@@ -0,0 +1 @@
+dist

scripts/maintenance/migrate-to-client-ownership/.gitignore

@@ -0,0 +1,4 @@
+.build
+coverage
+node_modules
+dist

scripts/maintenance/migrate-to-client-ownership/jest.config.ts

@@ -0,0 +1,9 @@
+import type { Config } from 'jest';
+import { baseJestConfig } from 'nhs-notify-web-template-management-utils';
+
+const config: Config = {
+  ...baseJestConfig,
+  testEnvironment: 'node',
+};
+
+export default config;

scripts/maintenance/migrate-to-client-ownership/package.json

@@ -0,0 +1,32 @@
+{
+  "dependencies": {
+    "@aws-sdk/client-cognito-identity-provider": "^3.864.0",
+    "jsonwebtoken": "^9.0.2",
+    "jwks-rsa": "^3.2.0",
+    "jwt-decode": "^4.0.0",
+    "nhs-notify-web-template-management-utils": "^0.0.1",
+    "zod": "^4.0.5"
+  },
+  "devDependencies": {
+    "@swc/core": "^1.11.13",
+    "@swc/jest": "^0.2.37",
+    "@tsconfig/node20": "^20.1.5",
+    "@types/aws-lambda": "^8.10.148",
+    "@types/jest": "^29.5.14",
+    "@types/jsonwebtoken": "^9.0.9",
+    "esbuild": "^0.25.8",
+    "jest": "^29.7.0",
+    "jest-mock-extended": "^3.0.7",
+    "typescript": "^5.8.2"
+  },
+  "name": "nhs-notify-templates-api-authorizer",
+  "private": true,
+  "scripts": {
+    "lambda-build": "rm -rf dist && npx esbuild --bundle --minify --sourcemap --target=es2020 --platform=node --loader:.node=file --entry-names=[name] --outdir=dist src/index.ts",
+    "lint": "eslint .",
+    "lint:fix": "eslint . --fix",
+    "test:unit": "jest",
+    "typecheck": "tsc --noEmit"
+  },
+  "version": "0.0.1"
+}

scripts/maintenance/migrate-to-client-ownership/src/__tests__/index.test.ts

@@ -0,0 +1,149 @@
+import type { APIGatewayRequestAuthorizerEvent, Context } from 'aws-lambda';
+import { mock } from 'jest-mock-extended';
+import { logger } from 'nhs-notify-web-template-management-utils/logger';
+import { handler } from '../index';
+import { LambdaCognitoAuthorizer } from 'nhs-notify-web-template-management-utils/lambda-cognito-authorizer';
+import { CognitoIdentityProviderClient } from '@aws-sdk/client-cognito-identity-provider';
+
+const requestContext = {
+  accountId: '000000000000',
+  apiId: 'api-id',
+  stage: 'stage',
+};
+
+const methodArn = 'arn:aws:execute-api:eu-west-2:000000000000:api-id/stage/*';
+
+jest.mock('nhs-notify-web-template-management-utils/logger');
+const mockLogger = jest.mocked(logger);
+
+jest.mock('nhs-notify-web-template-management-utils/lambda-cognito-authorizer');
+const lambdaCognitoAuthorizer = mock<LambdaCognitoAuthorizer>();
+jest
+  .mocked(LambdaCognitoAuthorizer)
+  .mockImplementation(() => lambdaCognitoAuthorizer);
+
+jest.mock('@aws-sdk/client-cognito-identity-provider');
+const cognitoClientMock = mock<CognitoIdentityProviderClient>();
+
+jest
+  .mocked(CognitoIdentityProviderClient)
+  .mockImplementation(() => cognitoClientMock);
+
+const allowPolicy = {
+  principalId: 'api-caller',
+  policyDocument: {
+    Version: '2012-10-17',
+    Statement: [
+      {
+        Action: 'execute-api:Invoke',
+        Effect: 'Allow',
+        Resource: methodArn,
+      },
+    ],
+  },
+  context: {
+    user: 'sub',
+  },
+};
+
+const denyPolicy = {
+  principalId: 'api-caller',
+  policyDocument: {
+    Version: '2012-10-17',
+    Statement: [
+      {
+        Action: 'execute-api:Invoke',
+        Effect: 'Deny',
+        Resource: methodArn,
+      },
+    ],
+  },
+};
+
+const originalEnv = { ...process.env };
+
+beforeEach(() => {
+  jest.clearAllMocks();
+  process.env.USER_POOL_ID = 'user-pool-id';
+  process.env.USER_POOL_CLIENT_ID = 'user-pool-client-id';
+});
+
+afterEach(() => {
+  process.env = originalEnv;
+});
+
+test('returns Allow policy on valid token', async () => {
+  lambdaCognitoAuthorizer.authorize.mockResolvedValue({
+    success: true,
+    subject: 'sub',
+  });
+
+  const res = await handler(
+    mock<APIGatewayRequestAuthorizerEvent>({
+      requestContext,
+      headers: { Authorization: 'jwt' },
+      type: 'REQUEST',
+    }),
+    mock<Context>(),
+    jest.fn()
+  );
+
+  expect(res).toEqual(allowPolicy);
+  expect(mockLogger.warn).not.toHaveBeenCalled();
+  expect(mockLogger.error).not.toHaveBeenCalled();
+
+  expect(lambdaCognitoAuthorizer.authorize).toHaveBeenCalledWith(
+    'user-pool-id',
+    'user-pool-client-id',
+    'jwt'
+  );
+});
+
+test('returns Deny policy on lambda misconfiguration', async () => {
+  process.env.USER_POOL_ID = '';
+
+  const res = await handler(
+    mock<APIGatewayRequestAuthorizerEvent>({
+      requestContext,
+      headers: { Authorization: '123' },
+      type: 'REQUEST',
+    }),
+    mock<Context>(),
+    jest.fn()
+  );
+
+  expect(res).toEqual(denyPolicy);
+  expect(mockLogger.error).toHaveBeenCalledWith('Lambda misconfiguration');
+});
+
+test('returns Deny policy if no Authorization token in header', async () => {
+  const res = await handler(
+    mock<APIGatewayRequestAuthorizerEvent>({
+      requestContext,
+      headers: { Authorization: undefined },
+      type: 'REQUEST',
+    }),
+    mock<Context>(),
+    jest.fn()
+  );
+
+  expect(res).toEqual(denyPolicy);
+});
+
+test('returns Deny policy when authorization fails', async () => {
+  lambdaCognitoAuthorizer.authorize.mockResolvedValue({
+    success: false,
+  });
+
+  const res = await handler(
+    mock<APIGatewayRequestAuthorizerEvent>({
+      requestContext,
+      headers: { Authorization: 'jwt' },
+      type: 'REQUEST',
+    }),
+    mock<Context>(),
+    jest.fn()
+  );
+
+  expect(res).toEqual(denyPolicy);
+});

scripts/maintenance/migrate-to-client-ownership/src/index.ts

@@ -0,0 +1,75 @@
+import type {
+  APIGatewayEventRequestContextWithAuthorizer,
+  APIGatewayRequestAuthorizerHandler,
+} from 'aws-lambda';
+import { CognitoIdentityProviderClient } from '@aws-sdk/client-cognito-identity-provider';
+import { logger } from 'nhs-notify-web-template-management-utils/logger';
+import { LambdaCognitoAuthorizer } from 'nhs-notify-web-template-management-utils/lambda-cognito-authorizer';
+
+const cognitoClient = new CognitoIdentityProviderClient({
+  region: 'eu-west-2',
+});
+
+const getEnvironmentVariable = (envName: string) => process.env[envName];
+
+const generateMethodArn = (
+  requestContext: APIGatewayEventRequestContextWithAuthorizer<undefined>
+) =>
+  `arn:aws:execute-api:eu-west-2:${requestContext.accountId}:${requestContext.apiId}/${requestContext.stage}/*`;
+
+const generatePolicy = (
+  Resource: string,
+  Effect: 'Allow' | 'Deny',
+  context?: { user: string; clientId?: string }
+) => ({
+  principalId: 'api-caller',
+  policyDocument: {
+    Version: '2012-10-17',
+    Statement: [
+      {
+        Action: 'execute-api:Invoke',
+        Effect,
+        Resource,
+      },
+    ],
+  },
+  context,
+});
+
+export const handler: APIGatewayRequestAuthorizerHandler = async (event) => {
+  const { headers, requestContext } = event;
+  const methodArn = generateMethodArn(requestContext);
+
+  if (!headers?.Authorization) {
+    return generatePolicy(methodArn, 'Deny');
+  }
+
+  const userPoolId = getEnvironmentVariable('USER_POOL_ID');
+  const userPoolClientId = getEnvironmentVariable('USER_POOL_CLIENT_ID');
+  const authorizationToken = headers.Authorization;
+
+  if (!userPoolId || !userPoolClientId) {
+    logger.error('Lambda misconfiguration');
+    return generatePolicy(methodArn, 'Deny');
+  }
+
+  const lambdaCognitoAuthorizer = new LambdaCognitoAuthorizer(
+    cognitoClient,
+    logger
+  );
+
+  const authResult = await lambdaCognitoAuthorizer.authorize(
+    userPoolId,
+    userPoolClientId,
+    authorizationToken
+  );
+
+  if (authResult.success) {
+    return generatePolicy(methodArn, 'Allow', {
+      user: authResult.subject,
+      clientId: authResult.clientId,
+    });
+  }
+
+  return generatePolicy(methodArn, 'Deny');
+};

scripts/maintenance/migrate-to-client-ownership/tsconfig.json

@@ -0,0 +1,6 @@
+{
+  "extends": "@tsconfig/node20/tsconfig.json",
+  "include": [
+    "src/**/*"
+  ]
+}