cleanup

alexnuttall · alexnuttall · commit 4a2d628dfa5c · 2025-06-23T08:45:32.000+01:00
diff --git a/infrastructure/terraform/components/sandbox/aws_cognito_user_pool_sandbox.tf b/infrastructure/terraform/components/sandbox/aws_cognito_user_pool_sandbox.tf
@@ -9,10 +9,10 @@ resource "aws_cognito_user_pool" "sandbox" {
   }
 
   schema {
-    name                     = "sbx:client_id"
-    attribute_data_type      = "String"
-    mutable                  = true
-    required                 = false
+    name                = "sbx:client_id"
+    attribute_data_type = "String"
+    mutable             = true
+    required            = false
     string_attribute_constraints {}
   }
 }
diff --git a/infrastructure/terraform/modules/backend-api/spec.tmpl.json b/infrastructure/terraform/modules/backend-api/spec.tmpl.json
@@ -8,10 +8,16 @@
           },
           {
             "properties": {
+              "clientId": {
+                "type": "string"
+              },
               "createdAt": {
                 "format": "date-time",
                 "type": "string"
               },
+              "createdBy": {
+                "type": "string"
+              },
               "id": {
                 "type": "string"
               },
@@ -24,18 +30,12 @@
               },
               "updatedBy": {
                 "type": "string"
-              },
-              "createdBy": {
-                "type": "string"
-              },
-              "clientId": {
-                "type": "string"
               }
             },
             "required": [
+              "createdAt",
               "id",
               "templateStatus",
-              "createdAt",
               "updatedAt"
             ],
             "type": "object"
diff --git a/infrastructure/terraform/modules/cognito-triggers/module_pre_token_generation_lambda.tf b/infrastructure/terraform/modules/cognito-triggers/module_pre_token_generation_lambda.tf
@@ -34,4 +34,4 @@ module "pre_token_generation_lambda" {
     source_arn     = "arn:aws:cognito-idp:${var.region}:${var.aws_account_id}:userpool/${var.user_pool_id}"
     source_account = var.aws_account_id
   }]
-}
+}
diff --git a/lambdas/authorizer/src/index.ts b/lambdas/authorizer/src/index.ts
@@ -20,7 +20,7 @@ const generateMethodArn = (
 const generatePolicy = (
   Resource: string,
   Effect: 'Allow' | 'Deny',
-  context?: { user: string; clientId: string | undefined }
+  context?: { user: string; clientId?: string }
 ) => ({
   principalId: 'api-caller',
   policyDocument: {
diff --git a/lambdas/backend-api/src/templates/infra/template-repository.ts b/lambdas/backend-api/src/templates/infra/template-repository.ts
@@ -627,7 +627,7 @@ export class TemplateRepository {
 
     const andConditions = [
       'attribute_exists(id)',
-      'NOT templateStatus IN (:deleted, :submitted)',
+      'NOT #templateStatus IN (:deleted, :submitted)',
       ...(conditionExpression.$and || []),
     ].join(' AND ');
 
@@ -640,9 +640,9 @@ export class TemplateRepository {
       UpdateExpression: `SET ${updateExpression.join(', ')}, #updatedAt = :updatedAt, #updatedBy = :updatedBy`,
       ExpressionAttributeNames: {
         ...expressionAttributeNames,
-        '#updatedAt': ':updatedAt',
-        '#updatedBy': ':updatedBy',
-        '#templateStatus': ':templateStatus',
+        '#updatedAt': 'updatedAt',
+        '#updatedBy': 'updatedBy',
+        '#templateStatus': 'templateStatus',
       },
       ExpressionAttributeValues: {
         ...expressionAttributeValues,
diff --git a/lambdas/backend-client/src/types/generated/types.gen.ts b/lambdas/backend-client/src/types/generated/types.gen.ts
@@ -1,13 +1,13 @@
 // This file is auto-generated by @hey-api/openapi-ts
 
 export type BaseCreatedTemplate = BaseTemplate & {
+  clientId?: string;
   createdAt: string;
+  createdBy?: string;
   id: string;
   templateStatus: TemplateStatus;
   updatedAt: string;
   updatedBy?: string;
-  createdBy?: string;
-  clientId?: string;
 };
 
 export type BaseTemplate = {
diff --git a/tests/accessibility/test-user-client.ts b/tests/accessibility/test-user-client.ts
@@ -28,9 +28,6 @@ export class TestUserClient {
           },
         ],
         MessageAction: 'SUPPRESS',
-        ClientMetadata: {
-          'nhs-notify-client-id': 'client-id',
-        },
       })
     );
 
diff --git a/utils/utils/src/__tests__/lambda-cognito-authorizer.test.ts b/utils/utils/src/__tests__/lambda-cognito-authorizer.test.ts
@@ -89,6 +89,7 @@ describe('LambdaCognitoAuthorizer', () => {
         token_use: 'access',
         client_id: 'user-pool-client-id',
         iss: 'https://cognito-idp.eu-west-2.amazonaws.com/user-pool-id',
+        'nhs-notify:client-id': 'nhs-notify-client-id',
       },
       'key',
       {
@@ -98,7 +99,34 @@ describe('LambdaCognitoAuthorizer', () => {
 
     const res = await authorizer.authorize(userPoolId, userPoolClientId, jwt);
 
-    expect(res).toEqual({ success: true, subject: 'sub' });
+    expect(res).toEqual({
+      success: true,
+      subject: 'sub',
+      clientId: 'nhs-notify-client-id',
+    });
+    expect(mockLogger.logMessages).toEqual([]);
+  });
+
+  test('returns success on valid token without notify-client-id', async () => {
+    const jwt = sign(
+      {
+        token_use: 'access',
+        client_id: 'user-pool-client-id',
+        iss: 'https://cognito-idp.eu-west-2.amazonaws.com/user-pool-id',
+      },
+      'key',
+      {
+        keyid: 'key-id',
+      }
+    );
+
+    const res = await authorizer.authorize(userPoolId, userPoolClientId, jwt);
+
+    expect(res).toEqual({
+      success: true,
+      subject: 'sub',
+      clientId: 'nhs-notify-client-id',
+    });
     expect(mockLogger.logMessages).toEqual([]);
   });
 
@@ -125,6 +153,7 @@ describe('LambdaCognitoAuthorizer', () => {
         token_use: 'access',
         client_id: 'user-pool-client-id',
         iss: 'https://cognito-idp.eu-west-2.amazonaws.com/user-pool-id',
+        clientId: 'nhs-notify-client-id',
       },
       'key'
     );
@@ -146,6 +175,7 @@ describe('LambdaCognitoAuthorizer', () => {
         token_use: 'access',
         client_id: 'user-pool-client-id-2',
         iss: 'https://cognito-idp.eu-west-2.amazonaws.com/user-pool-id',
+        clientId: 'nhs-notify-client-id',
       },
       'key',
       {
@@ -171,6 +201,7 @@ describe('LambdaCognitoAuthorizer', () => {
         token_use: 'access',
         client_id: 'user-pool-client-id',
         iss: 'https://cognito-idp.eu-west-2.amazonaws.com/user-pool-id-2',
+        clientId: 'nhs-notify-client-id',
       },
       'key',
       {
@@ -196,6 +227,7 @@ describe('LambdaCognitoAuthorizer', () => {
         token_use: 'id',
         client_id: 'user-pool-client-id',
         iss: 'https://cognito-idp.eu-west-2.amazonaws.com/user-pool-id',
+        clientId: 'nhs-notify-client-id',
       },
       'key',
       {
@@ -222,6 +254,7 @@ describe('LambdaCognitoAuthorizer', () => {
         token_use: 'access',
         client_id: 'user-pool-client-id',
         iss: 'https://cognito-idp.eu-west-2.amazonaws.com/user-pool-id-cognito-error',
+        clientId: 'nhs-notify-client-id',
       },
       'key',
       {
@@ -253,6 +286,7 @@ describe('LambdaCognitoAuthorizer', () => {
         token_use: 'access',
         client_id: 'user-pool-client-id',
         iss: `https://cognito-idp.eu-west-2.amazonaws.com/${iss}`,
+        clientId: 'nhs-notify-client-id',
       },
       'key',
       {
@@ -279,6 +313,7 @@ describe('LambdaCognitoAuthorizer', () => {
         token_use: 'access',
         client_id: 'user-pool-client-id',
         iss: 'https://cognito-idp.eu-west-2.amazonaws.com/user-pool-id-cognito-no-sub',
+        clientId: 'nhs-notify-client-id',
       },
       'key',
       {
@@ -307,6 +342,7 @@ describe('LambdaCognitoAuthorizer', () => {
         token_use: 'access',
         client_id: 'user-pool-client-id',
         iss: 'https://cognito-idp.eu-west-2.amazonaws.com/user-pool-id',
+        clientId: 'nhs-notify-client-id',
       },
       'key',
       {
@@ -337,6 +373,7 @@ describe('LambdaCognitoAuthorizer', () => {
         client_id: 'user-pool-client-id',
         iss: 'https://cognito-idp.eu-west-2.amazonaws.com/user-pool-id',
         exp: 1_640_995_200,
+        clientId: 'nhs-notify-client-id',
       },
       'key',
       {
diff --git a/utils/utils/src/types.ts b/utils/utils/src/types.ts
@@ -96,6 +96,7 @@ export type GuardDutyMalwareScanStatusPassed = Extract<
 >;
 
 export type DatabaseTemplate = {
+  clientId?: string;
   createdAt: string;
   createdBy?: string;
   files?: LetterFiles;
@@ -110,7 +111,6 @@ export type DatabaseTemplate = {
   templateType: TemplateType;
   updatedAt: string;
   updatedBy?: string;
-  clientId?: string;
 } & DbOnlyTemplateProperties;
 
 type DbOnlyTemplateProperties = {

Original file line number	Diff line number	Diff line change
`@@ -9,10 +9,10 @@ resource "aws_cognito_user_pool" "sandbox" {`
`9`	`9`	`}`
`10`	`10`
`11`	`11`	`schema {`
`12`		`- name = "sbx:client_id"`
`13`		`- attribute_data_type = "String"`
`14`		`- mutable = true`
`15`		`- required = false`
	`12`	`+ name = "sbx:client_id"`
	`13`	`+ attribute_data_type = "String"`
	`14`	`+ mutable = true`
	`15`	`+ required = false`
`16`	`16`	`string_attribute_constraints {}`
`17`	`17`	`}`
`18`	`18`	`}`