CCM-11889: use internal user id for auth

Author: mark-r-bjss

lambdas/authorizer/src/__tests__/index.test.ts

@@ -42,7 +42,7 @@ const allowPolicy = {
     ],
   },
   context: {
-    user: 'sub',
+    internalUserId: 'user-1234',
     clientId: 'client-123',
   },
 };
@@ -76,7 +76,7 @@ afterEach(() => {
 test('returns Allow policy on valid token with clientId', async () => {
   lambdaCognitoAuthorizer.authorize.mockResolvedValue({
     success: true,
-    subject: 'sub',
+    internalUserId: 'user-1234',
     clientId: 'client-123',
   });
 

lambdas/authorizer/src/index.ts

@@ -20,7 +20,7 @@ const generateMethodArn = (
 const generatePolicy = (
   Resource: string,
   Effect: 'Allow' | 'Deny',
-  context?: { user: string; clientId?: string }
+  context?: { internalUserId: string; clientId?: string }
 ) => ({
   principalId: 'api-caller',
   policyDocument: {
@@ -66,7 +66,7 @@ export const handler: APIGatewayRequestAuthorizerHandler = async (event) => {
 
   if (authResult.success) {
     return generatePolicy(methodArn, 'Allow', {
-      user: authResult.subject,
+      internalUserId: authResult.internalUserId,
       clientId: authResult.clientId,
     });
   }

lambdas/backend-api/src/__tests__/api/count-routing-configs.test.ts

@@ -21,8 +21,8 @@ const setup = () => {
 describe('CountRoutingConfigs handler', () => {
   test.each([
     ['undefined', undefined],
-    ['missing user', { clientId: 'client-id', user: undefined }],
-    ['missing client', { clientId: undefined, user: 'user-id' }],
+    ['missing user', { clientId: 'client-id', internalUserId: undefined }],
+    ['missing client', { clientId: undefined, internalUserId: 'user-1234' }],
   ])(
     'should return 400 - Invalid request when requestContext is %s',
     async (_, ctx) => {
@@ -62,7 +62,7 @@ describe('CountRoutingConfigs handler', () => {
 
     const event = mock<APIGatewayProxyEvent>();
     event.requestContext.authorizer = {
-      user: 'sub',
+      internalUserId: 'user-1234',
       clientId: 'nhs-notify-client-id',
     };
 
@@ -81,7 +81,7 @@ describe('CountRoutingConfigs handler', () => {
     });
 
     expect(mocks.routingConfigClient.countRoutingConfigs).toHaveBeenCalledWith(
-      { userId: 'sub', clientId: 'nhs-notify-client-id' },
+      { internalUserId: 'user-1234', clientId: 'nhs-notify-client-id' },
       { status: 'DRAFT' }
     );
   });
@@ -95,7 +95,7 @@ describe('CountRoutingConfigs handler', () => {
 
     const event = mock<APIGatewayProxyEvent>();
     event.requestContext.authorizer = {
-      user: 'sub',
+      internalUserId: 'user-1234',
       clientId: 'nhs-notify-client-id',
     };
     event.queryStringParameters = {
@@ -110,7 +110,7 @@ describe('CountRoutingConfigs handler', () => {
     });
 
     expect(mocks.routingConfigClient.countRoutingConfigs).toHaveBeenCalledWith(
-      { userId: 'sub', clientId: 'nhs-notify-client-id' },
+      { internalUserId: 'user-1234', clientId: 'nhs-notify-client-id' },
       { status: 'COMPLETED' }
     );
   });

lambdas/backend-api/src/__tests__/api/create-routing-config.test.ts

@@ -17,8 +17,8 @@ describe('Create Routing Config Handler', () => {
 
   test.each([
     ['undefined', undefined],
-    ['missing user', { clientId: 'client-id', user: undefined }],
-    ['missing client', { clientId: undefined, user: 'user-id' }],
+    ['missing user', { clientId: 'client-id', internalUserId: undefined }],
+    ['missing client', { clientId: undefined, internalUserId: 'user-1234' }],
   ])(
     'should return 400 - Invalid request when requestContext is %s',
     async (_, ctx) => {
@@ -63,7 +63,7 @@ describe('Create Routing Config Handler', () => {
 
     const event = mock<APIGatewayProxyEvent>({
       requestContext: {
-        authorizer: { user: 'sub', clientId: 'nhs-notify-client-id' },
+        authorizer: { internalUserId: 'user-1234', clientId: 'nhs-notify-client-id' },
       },
       body: undefined,
     });
@@ -83,7 +83,7 @@ describe('Create Routing Config Handler', () => {
 
     expect(mocks.routingConfigClient.createRoutingConfig).toHaveBeenCalledWith(
       {},
-      { userId: 'sub', clientId: 'nhs-notify-client-id' }
+      { internalUserId: 'user-1234', clientId: 'nhs-notify-client-id' }
     );
   });
 
@@ -101,7 +101,7 @@ describe('Create Routing Config Handler', () => {
 
     const event = mock<APIGatewayProxyEvent>({
       requestContext: {
-        authorizer: { user: 'sub', clientId: 'nhs-notify-client-id' },
+        authorizer: { internalUserId: 'user-1234', clientId: 'nhs-notify-client-id' },
       },
       body: JSON.stringify({ id: 1 }),
     });
@@ -118,7 +118,7 @@ describe('Create Routing Config Handler', () => {
 
     expect(mocks.routingConfigClient.createRoutingConfig).toHaveBeenCalledWith(
       { id: 1 },
-      { userId: 'sub', clientId: 'nhs-notify-client-id' }
+      { internalUserId: 'user-1234', clientId: 'nhs-notify-client-id' }
     );
   });
 
@@ -156,7 +156,7 @@ describe('Create Routing Config Handler', () => {
 
     const event = mock<APIGatewayProxyEvent>({
       requestContext: {
-        authorizer: { user: 'sub', clientId: 'notify-client-id' },
+        authorizer: { internalUserId: 'user-1234', clientId: 'notify-client-id' },
       },
       body: JSON.stringify(create),
     });
@@ -171,7 +171,7 @@ describe('Create Routing Config Handler', () => {
     expect(mocks.routingConfigClient.createRoutingConfig).toHaveBeenCalledWith(
       create,
       {
-        userId: 'sub',
+        internalUserId: 'user-1234',
         clientId: 'notify-client-id',
       }
     );

lambdas/backend-api/src/__tests__/api/create.test.ts

@@ -17,8 +17,8 @@ describe('Template API - Create', () => {
 
   test.each([
     ['undefined', undefined],
-    ['missing user', { clientId: 'client-id', user: undefined }],
-    ['missing client', { clientId: undefined, user: 'user-id' }],
+    ['missing user', { clientId: 'client-id', internalUserId: undefined }],
+    ['missing client', { clientId: undefined, internalUserId: 'user-1234' }],
   ])(
     'should return 400 - Invalid request when requestContext is %s',
     async (_, ctx) => {
@@ -61,7 +61,7 @@ describe('Template API - Create', () => {
 
     const event = mock<APIGatewayProxyEvent>({
       requestContext: {
-        authorizer: { user: 'sub', clientId: 'nhs-notify-client-id' },
+        authorizer: { internalUserId: 'user-1234', clientId: 'nhs-notify-client-id' },
       },
       body: undefined,
     });
@@ -81,7 +81,7 @@ describe('Template API - Create', () => {
 
     expect(mocks.templateClient.createTemplate).toHaveBeenCalledWith(
       {},
-      { userId: 'sub', clientId: 'nhs-notify-client-id' }
+      { internalUserId: 'user-1234', clientId: 'nhs-notify-client-id' }
     );
   });
 
@@ -99,7 +99,7 @@ describe('Template API - Create', () => {
 
     const event = mock<APIGatewayProxyEvent>({
       requestContext: {
-        authorizer: { user: 'sub', clientId: 'nhs-notify-client-id' },
+        authorizer: { internalUserId: 'user-1234', clientId: 'nhs-notify-client-id' },
       },
       body: JSON.stringify({ id: 1 }),
     });
@@ -116,7 +116,7 @@ describe('Template API - Create', () => {
 
     expect(mocks.templateClient.createTemplate).toHaveBeenCalledWith(
       { id: 1 },
-      { userId: 'sub', clientId: 'nhs-notify-client-id' }
+      { internalUserId: 'user-1234', clientId: 'nhs-notify-client-id' }
     );
   });
 
@@ -143,7 +143,7 @@ describe('Template API - Create', () => {
 
     const event = mock<APIGatewayProxyEvent>({
       requestContext: {
-        authorizer: { user: 'sub', clientId: 'notify-client-id' },
+        authorizer: { internalUserId: 'user-1234', clientId: 'notify-client-id' },
       },
       body: JSON.stringify(create),
     });
@@ -156,7 +156,7 @@ describe('Template API - Create', () => {
     });
 
     expect(mocks.templateClient.createTemplate).toHaveBeenCalledWith(create, {
-      userId: 'sub',
+      internalUserId: 'user-1234',
       clientId: 'notify-client-id',
     });
   });

lambdas/backend-api/src/__tests__/api/delete-routing-config.test.ts

@@ -16,8 +16,8 @@ describe('Delete Routing Config Handler', () => {
 
   test.each([
     ['undefined', undefined],
-    ['missing user', { clientId: 'client-id', user: undefined }],
-    ['missing client', { clientId: undefined, user: 'user-id' }],
+    ['missing user', { clientId: 'client-id', internalUserId: undefined }],
+    ['missing client', { clientId: undefined, internalUserId: 'user-1234' }],
   ])(
     'should return 400 - Invalid request when requestContext is %s',
     async (_, ctx) => {
@@ -52,7 +52,7 @@ describe('Delete Routing Config Handler', () => {
 
     const event = mock<APIGatewayProxyEvent>({
       requestContext: {
-        authorizer: { user: 'sub', clientId: 'nhs-notify-client-id' },
+        authorizer: { internalUserId: 'user-1234', clientId: 'nhs-notify-client-id' },
       },
       body: JSON.stringify({ name: 'test' }),
       pathParameters: { routingConfigId: undefined },
@@ -90,7 +90,7 @@ describe('Delete Routing Config Handler', () => {
 
     const event = mock<APIGatewayProxyEvent>({
       requestContext: {
-        authorizer: { user: 'sub', clientId: 'nhs-notify-client-id' },
+        authorizer: { internalUserId: 'user-1234', clientId: 'nhs-notify-client-id' },
       },
       pathParameters: { routingConfigId: '1-2-3' },
       headers: {
@@ -111,7 +111,7 @@ describe('Delete Routing Config Handler', () => {
     expect(mocks.routingConfigClient.deleteRoutingConfig).toHaveBeenCalledWith(
       '1-2-3',
       {
-        userId: 'sub',
+        internalUserId: 'user-1234',
         clientId: 'nhs-notify-client-id',
       },
       '0'
@@ -127,7 +127,7 @@ describe('Delete Routing Config Handler', () => {
 
     const event = mock<APIGatewayProxyEvent>({
       requestContext: {
-        authorizer: { user: 'sub', clientId: 'nhs-notify-client-id' },
+        authorizer: { internalUserId: 'user-1234', clientId: 'nhs-notify-client-id' },
       },
       pathParameters: { routingConfigId: '1-2-3' },
       headers: {
@@ -145,7 +145,7 @@ describe('Delete Routing Config Handler', () => {
     expect(mocks.routingConfigClient.deleteRoutingConfig).toHaveBeenCalledWith(
       '1-2-3',
       {
-        userId: 'sub',
+        internalUserId: 'user-1234',
         clientId: 'nhs-notify-client-id',
       },
       '0'
@@ -167,7 +167,7 @@ describe('Delete Routing Config Handler', () => {
 
     const event = mock<APIGatewayProxyEvent>({
       requestContext: {
-        authorizer: { user: 'sub', clientId: 'nhs-notify-client-id' },
+        authorizer: { internalUserId: 'user-1234', clientId: 'nhs-notify-client-id' },
       },
       pathParameters: { routingConfigId: '1-2-3' },
       headers: {},
@@ -186,7 +186,7 @@ describe('Delete Routing Config Handler', () => {
 
     expect(mocks.routingConfigClient.deleteRoutingConfig).toHaveBeenCalledWith(
       '1-2-3',
-      { userId: 'sub', clientId: 'nhs-notify-client-id' },
+      { internalUserId: 'user-1234', clientId: 'nhs-notify-client-id' },
       ''
     );
   });

lambdas/backend-api/src/__tests__/api/delete.test.ts

@@ -16,8 +16,8 @@ describe('Template API - Delete', () => {
 
   test.each([
     ['undefined', undefined],
-    ['missing user', { clientId: 'client-id', user: undefined }],
-    ['missing client', { clientId: undefined, user: 'user-id' }],
+    ['missing user', { clientId: 'client-id', internalUserId: undefined }],
+    ['missing client', { clientId: undefined, internalUserId: 'user-1234' }],
   ])(
     'should return 400 - Invalid request when requestContext is %s',
     async (_, ctx) => {
@@ -50,7 +50,7 @@ describe('Template API - Delete', () => {
 
     const event = mock<APIGatewayProxyEvent>({
       requestContext: {
-        authorizer: { user: 'sub', clientId: 'nhs-notify-client-id' },
+        authorizer: { internalUserId: 'user-1234', clientId: 'nhs-notify-client-id' },
       },
       body: JSON.stringify({ name: 'test' }),
       pathParameters: { templateId: undefined },
@@ -86,7 +86,7 @@ describe('Template API - Delete', () => {
 
     const event = mock<APIGatewayProxyEvent>({
       requestContext: {
-        authorizer: { user: 'sub', clientId: 'nhs-notify-client-id' },
+        authorizer: { internalUserId: 'user-1234', clientId: 'nhs-notify-client-id' },
       },
       pathParameters: { templateId: '1-2-3' },
       headers: {
@@ -107,7 +107,7 @@ describe('Template API - Delete', () => {
     expect(mocks.templateClient.deleteTemplate).toHaveBeenCalledWith(
       '1-2-3',
       {
-        userId: 'sub',
+        internalUserId: 'user-1234',
         clientId: 'nhs-notify-client-id',
       },
       '0'
@@ -123,7 +123,7 @@ describe('Template API - Delete', () => {
 
     const event = mock<APIGatewayProxyEvent>({
       requestContext: {
-        authorizer: { user: 'sub', clientId: 'nhs-notify-client-id' },
+        authorizer: { internalUserId: 'user-1234', clientId: 'nhs-notify-client-id' },
       },
       pathParameters: { templateId: '1-2-3' },
       headers: {
@@ -141,7 +141,7 @@ describe('Template API - Delete', () => {
     expect(mocks.templateClient.deleteTemplate).toHaveBeenCalledWith(
       '1-2-3',
       {
-        userId: 'sub',
+        internalUserId: 'user-1234',
         clientId: 'nhs-notify-client-id',
       },
       '0'
@@ -163,7 +163,7 @@ describe('Template API - Delete', () => {
 
     const event = mock<APIGatewayProxyEvent>({
       requestContext: {
-        authorizer: { user: 'sub', clientId: 'nhs-notify-client-id' },
+        authorizer: { internalUserId: 'user-1234', clientId: 'nhs-notify-client-id' },
       },
       pathParameters: { templateId: '1-2-3' },
       headers: {},
@@ -182,7 +182,7 @@ describe('Template API - Delete', () => {
 
     expect(mocks.templateClient.deleteTemplate).toHaveBeenCalledWith(
       '1-2-3',
-      { userId: 'sub', clientId: 'nhs-notify-client-id' },
+      { internalUserId: 'user-1234', clientId: 'nhs-notify-client-id' },
       ''
     );
   });