Merge pull request #294 from NHSDigital/feature/CCM-8477_csrf-token

CCM-8446: CSRF generation

Author: chris-elliott-nhsd

amplify.yml

@@ -1,7 +1,7 @@
 version: 1
 applications:
   - appRoot: frontend
-    backend:
+    frontend:
       phases:
         build:
           commands:
@@ -10,18 +10,8 @@ applications:
             - nvm use 20.13.1
             - npm ci --cache .npm --prefer-offline
             - npm run create-amplify-outputs env
-            - cd frontend
-    frontend:
-      phases:
-        build:
-          commands:
             - npm run build
       artifacts:
         baseDirectory: .next
         files:
           - '**/*'
-      cache:
-        paths:
-          - frontend/.next/cache/**/*
-          - .npm/**/*
-          - node_modules/**/*

frontend/package.json

@@ -22,8 +22,11 @@
     "@aws-amplify/backend": "^1.2.0",
     "@aws-amplify/ui-react": "^6.3.1",
     "@aws-sdk/client-ses": "^3.637.0",
+    "@edge-csrf/core": "^2.5.2",
+    "@edge-csrf/nextjs": "^2.5.2",
     "aws-amplify": "^6.6.0",
     "date-fns": "^4.1.0",
+    "jwt-decode": "^4.0.0",
     "markdown-it": "^13.0.1",
     "mimetext": "^3.0.24",
     "next": "14.2.13",
@@ -43,6 +46,7 @@
     "@testing-library/react": "^16.0.1",
     "@testing-library/user-event": "^14.5.2",
     "@types/jest": "^29.5.14",
+    "@types/jsonwebtoken": "^9.0.8",
     "@types/markdown-it": "^13.0.1",
     "@types/node": "^22.8.1",
     "@types/react": "^18",

frontend/src/__tests__/utils/csrf-utils.test.ts

@@ -0,0 +1,233 @@
+import { mockDeep } from 'jest-mock-extended';
+import {
+  generateCsrf,
+  getSessionId,
+  verifyCsrfToken,
+  verifyCsrfTokenFull,
+  getCsrfFormValue,
+} from '@utils/csrf-utils';
+import { cookies } from 'next/headers';
+import { sign } from 'jsonwebtoken';
+import type { ReadonlyRequestCookies } from 'next/dist/server/web/spec-extension/adapters/request-cookies';
+import { BinaryLike, BinaryToTextEncoding } from 'node:crypto';
+import { getAccessTokenServer } from '@utils/amplify-utils';
+
+class MockHmac {
+  constructor() {}
+
+  update(_: BinaryLike) {
+    return this;
+  }
+
+  digest(_: BinaryToTextEncoding) {
+    return 'hmac';
+  }
+}
+
+const mockJwt = sign(
+  {
+    jti: 'jti',
+  },
+  'key'
+);
+
+jest.mock('next/headers');
+jest.mock('node:crypto', () => ({
+  createHmac: () => new MockHmac(),
+  randomBytes: () => 'salt',
+}));
+jest.mock('@utils/amplify-utils');
+
+const OLD_ENV = { ...process.env };
+
+beforeAll(() => {
+  process.env.CSRF_SECRET = 'secret';
+});
+
+beforeEach(() => {
+  jest.clearAllMocks();
+});
+
+afterAll(() => {
+  process.env = OLD_ENV;
+});
+
+describe('getCsrfFormValue', () => {
+  test('cookie is present', async () => {
+    jest.mocked(cookies).mockReturnValue(
+      mockDeep<ReadonlyRequestCookies>({
+        get: (_: string) => ({
+          name: 'csrf_token',
+          value: 'token',
+        }),
+      })
+    );
+
+    const csrfToken = await getCsrfFormValue();
+
+    expect(csrfToken).toEqual('token');
+  });
+  test('cookie is not present', async () => {
+    jest.mocked(cookies).mockReturnValue(
+      mockDeep<ReadonlyRequestCookies>({
+        get: (_: string) => undefined,
+      })
+    );
+
+    const csrfToken = await getCsrfFormValue();
+
+    expect(csrfToken).toEqual('no_token');
+  });
+});
+
+describe('getSessionId', () => {
+  test('errors when access token not found', async () => {
+    jest.mocked(getAccessTokenServer).mockResolvedValue(undefined);
+
+    await expect(() => getSessionId()).rejects.toThrow(
+      'Could not get access token'
+    );
+  });
+
+  test('errors when session ID not found', async () => {
+    const mockEmptyJwt = sign(
+      {
+        jti: undefined,
+      },
+      'key'
+    );
+
+    jest.mocked(getAccessTokenServer).mockResolvedValue(mockEmptyJwt);
+
+    await expect(() => getSessionId()).rejects.toThrow(
+      'Could not get session ID'
+    );
+  });
+
+  test('returns session id', async () => {
+    jest.mocked(getAccessTokenServer).mockResolvedValue(mockJwt);
+
+    const sessionId = await getSessionId();
+
+    expect(sessionId).toEqual('jti');
+  });
+});
+
+test('generateCsrf', async () => {
+  const csrf = await generateCsrf();
+  expect(csrf).toEqual('hmac.salt');
+});
+
+describe('verifyCsrfToken', () => {
+  test('valid CSRF token', async () => {
+    const csrfVerification = await verifyCsrfToken(
+      'hmac.salt',
+      'secret',
+      'salt'
+    );
+
+    expect(csrfVerification).toEqual(true);
+  });
+
+  test('invalid CSRF token', async () => {
+    const csrfVerification = await verifyCsrfToken(
+      'hmac2.salt',
+      'secret',
+      'salt'
+    );
+
+    expect(csrfVerification).toEqual(false);
+  });
+});
+
+describe('verifyCsrfTokenFull', () => {
+  test('missing CSRF cookie', async () => {
+    const formData = mockDeep<FormData>();
+
+    jest.mocked(getAccessTokenServer).mockResolvedValue(mockJwt);
+
+    await expect(() => verifyCsrfTokenFull(formData)).rejects.toThrow(
+      'missing CSRF cookie'
+    );
+  });
+
+  test('missing CSRF form field', async () => {
+    const formData = mockDeep<FormData>({
+      get: () => null,
+    });
+
+    jest.mocked(getAccessTokenServer).mockResolvedValue(mockJwt);
+    jest.mocked(cookies).mockReturnValue(
+      mockDeep<ReadonlyRequestCookies>({
+        get: (_: string) => ({
+          name: 'csrf_token',
+          value: 'hmac.salt',
+        }),
+      })
+    );
+
+    await expect(() => verifyCsrfTokenFull(formData)).rejects.toThrow(
+      'missing CSRF form field'
+    );
+  });
+
+  test('CSRF mismatch', async () => {
+    const formData = mockDeep<FormData>({
+      get: () => 'hmac2.salt',
+    });
+
+    jest.mocked(getAccessTokenServer).mockResolvedValue(mockJwt);
+    jest.mocked(cookies).mockReturnValue(
+      mockDeep<ReadonlyRequestCookies>({
+        get: (_: string) => ({
+          name: 'csrf_token',
+          value: 'hmac.salt',
+        }),
+      })
+    );
+
+    await expect(() => verifyCsrfTokenFull(formData)).rejects.toThrow(
+      'CSRF mismatch'
+    );
+  });
+
+  test('invalid CSRF form field', async () => {
+    const formData = mockDeep<FormData>({
+      get: () => 'hmac2.salt',
+    });
+
+    jest.mocked(getAccessTokenServer).mockResolvedValue(mockJwt);
+    jest.mocked(cookies).mockReturnValue(
+      mockDeep<ReadonlyRequestCookies>({
+        get: (_: string) => ({
+          name: 'csrf_token',
+          value: 'hmac2.salt',
+        }),
+      })
+    );
+
+    await expect(() => verifyCsrfTokenFull(formData)).rejects.toThrow(
+      'CSRF error'
+    );
+  });
+
+  test('valid CSRF', async () => {
+    const formData = mockDeep<FormData>({
+      get: () => 'hmac.salt',
+    });
+
+    jest.mocked(getAccessTokenServer).mockResolvedValue(mockJwt);
+    jest.mocked(cookies).mockReturnValue(
+      mockDeep<ReadonlyRequestCookies>({
+        get: (_: string) => ({
+          name: 'csrf_token',
+          value: 'hmac.salt',
+        }),
+      })
+    );
+
+    const csrfVerification = await verifyCsrfTokenFull(formData);
+
+    expect(csrfVerification).toEqual(true);
+  });
+});

frontend/src/__tests__/utils/get-environment-variable.test.ts

@@ -0,0 +1,15 @@
+import { getEnvironmentVariable } from '@utils/get-environment-variable';
+
+test('throws on missing environment variable', () => {
+  delete process.env.TEST_VAR;
+
+  expect(() => getEnvironmentVariable('TEST_VAR')).toThrow(
+    'Missing environment variable'
+  );
+});
+
+test('returns environment variable value', () => {
+  process.env.TEST_VAR = 'value';
+
+  expect(getEnvironmentVariable('TEST_VAR')).toEqual('value');
+});

frontend/src/app/auth/page.dev.tsx

@@ -10,7 +10,7 @@ import path from 'path';
 import { getBasePath } from '@utils/get-base-path';
 import { NHSNotifyMain } from '@atoms/NHSNotifyMain/NHSNotifyMain';
 
-export const Redirect = () => {
+const useRedirectPath = () => {
   const searchParams = useSearchParams();
 
   const requestRedirectPath = searchParams.get('redirect');
@@ -27,9 +27,21 @@ export const Redirect = () => {
     redirectPath = redirectPath.slice(basePath.length);
   }
 
+  return redirectPath;
+};
+
+export const Redirect = () => {
+  const redirectPath = useRedirectPath();
+
   return redirect(redirectPath, RedirectType.push);
 };
 
+const SignIn = () => {
+  const redirectPath = useRedirectPath();
+
+  redirect(`/auth/signin?redirect=${encodeURIComponent(redirectPath)}`);
+};
+
 export default function Page() {
   return (
     <NHSNotifyMain>
@@ -45,7 +57,7 @@ export default function Page() {
             },
           }}
         >
-          <Redirect />
+          <SignIn />
         </Authenticator>
       </Suspense>
     </NHSNotifyMain>

frontend/src/app/auth/signin/route.dev.ts

@@ -0,0 +1,22 @@
+'use server';
+
+import { generateCsrf } from '@utils/csrf-utils';
+import { cookies } from 'next/headers';
+import { getBasePath } from '@utils/get-base-path';
+
+export const GET = async (request: Request) => {
+  const redirectPath = new URL(request.url).searchParams.get('redirect') ?? '/';
+
+  const csrfToken = await generateCsrf();
+
+  const resJson = { csrfToken };
+
+  cookies().set('csrf_token', csrfToken);
+
+  return Response.json(resJson, {
+    status: 302,
+    headers: {
+      Location: `${getBasePath()}${redirectPath}`,
+    },
+  });
+};

frontend/src/middleware.ts

@@ -40,7 +40,7 @@ export async function middleware(request: NextRequest) {
   const requestHeaders = new Headers(request.headers);
   requestHeaders.set('Content-Security-Policy', csp);
 
-  const publicPaths = ['/create-and-submit-templates', '/auth'];
+  const publicPaths = ['/create-and-submit-templates', '/auth', '/lib'];
 
   if (isPublicPath(request.nextUrl.pathname, publicPaths)) {
     const publicPathResponse = NextResponse.next({