Merge pull request #297 from NHSDigital/feature/CCM-8477_csrf-token-3

CCM-8446: CSRF token verification

Author: chris-elliott-nhsd

frontend/package.json

@@ -22,14 +22,13 @@
     "@aws-amplify/backend": "^1.2.0",
     "@aws-amplify/ui-react": "^6.3.1",
     "@aws-sdk/client-ses": "^3.637.0",
-    "@edge-csrf/core": "^2.5.2",
-    "@edge-csrf/nextjs": "^2.5.2",
     "aws-amplify": "^6.6.0",
     "date-fns": "^4.1.0",
     "jwt-decode": "^4.0.0",
     "markdown-it": "^13.0.1",
     "mimetext": "^3.0.24",
     "next": "14.2.13",
+    "next-client-cookies": "^1.1.1",
     "nhs-notify-backend-client": "*",
     "nhs-notify-web-template-management-amplify": "*",
     "nhs-notify-web-template-management-utils": "*",

frontend/src/__tests__/app/choose-a-template-type/__snapshots__/page.test.tsx.snap

@@ -38,6 +38,12 @@ exports[`ChooseATemplateTypePage 1`] = `
         type="hidden"
         value="choose-a-template-type"
       />
+      <input
+        name="csrf_token"
+        readonly=""
+        type="hidden"
+        value="no_token"
+      />
       <div
         class="nhsuk-form-group"
       >

frontend/src/__tests__/components/forms/ChooseTemplate/__snapshots__/ChooseTemplate.test.tsx.snap

@@ -63,6 +63,12 @@ exports[`Choose template page renders error component 1`] = `
         type="hidden"
         value="choose-a-template-type"
       />
+      <input
+        name="csrf_token"
+        readonly=""
+        type="hidden"
+        value="no_token"
+      />
       <div
         class="nhsuk-form-group"
       >
@@ -215,6 +221,12 @@ exports[`Choose template page selects one radio button at a time 1`] = `
         type="hidden"
         value="choose-a-template-type"
       />
+      <input
+        name="csrf_token"
+        readonly=""
+        type="hidden"
+        value="no_token"
+      />
       <div
         class="nhsuk-form-group"
       >

frontend/src/__tests__/components/forms/CopyTemplate/__snapshots__/CopyTemplate.test.tsx.snap

@@ -75,6 +75,12 @@ exports[`Choose template page renders error component 1`] = `
             type="hidden"
             value="choose-a-template-type"
           />
+          <input
+            name="csrf_token"
+            readonly=""
+            type="hidden"
+            value="no_token"
+          />
           <div
             class="nhsuk-form-group"
           >
@@ -228,6 +234,12 @@ exports[`Choose template page selects one radio button at a time 1`] = `
             type="hidden"
             value="choose-a-template-type"
           />
+          <input
+            name="csrf_token"
+            readonly=""
+            type="hidden"
+            value="no_token"
+          />
           <div
             class="nhsuk-form-group"
           >

frontend/src/__tests__/components/forms/DeleteTemplate/DeleteTemplate.test.tsx

@@ -17,9 +17,13 @@ jest.mock('react-dom', () => {
         formData: FormData
       ) => Promise<TemplateFormState>,
       initialState: TemplateFormState
-    ) => [initialState, '/action'],
+    ) => [initialState, '/yes-action'],
   };
 });
+jest.mock('@forms/DeleteTemplate/server-action', () => ({
+  deleteTemplateYesAction: '/yes-action',
+  deleteTemplateNoAction: '/no-action',
+}));
 
 test('renders component correctly', () => {
   const container = render(

frontend/src/__tests__/components/forms/DeleteTemplate/__snapshots__/DeleteTemplate.test.tsx.snap

@@ -22,10 +22,22 @@ exports[`renders component correctly 1`] = `
           The template will be removed and you won't be able to recover it.
         </p>
         <form
-          action="/templates/manage-templates"
+          action="/no-action"
           class="nhsuk-u-margin-right-3"
           style="display: inline;"
         >
+          <input
+            name="form-id"
+            readonly=""
+            type="hidden"
+            value="delete-template-no"
+          />
+          <input
+            name="csrf_token"
+            readonly=""
+            type="hidden"
+            value="no_token"
+          />
           <button
             aria-disabled="false"
             class="nhsuk-button nhsuk-button--secondary"
@@ -35,9 +47,21 @@ exports[`renders component correctly 1`] = `
           </button>
         </form>
         <form
-          action="/action"
+          action="/yes-action"
           style="display: inline;"
         >
+          <input
+            name="form-id"
+            readonly=""
+            type="hidden"
+            value="delete-template-yes"
+          />
+          <input
+            name="csrf_token"
+            readonly=""
+            type="hidden"
+            value="no_token"
+          />
           <button
             aria-disabled="false"
             class="nhsuk-button nhsuk-button--warning"

frontend/src/__tests__/components/forms/DeleteTemplate/server-action.test.ts

@@ -1,5 +1,8 @@
 import { redirect, RedirectType } from 'next/navigation';
-import { deleteTemplateAction } from '@forms/DeleteTemplate/server-action';
+import {
+  deleteTemplateYesAction,
+  deleteTemplateNoAction,
+} from '@forms/DeleteTemplate/server-action';
 import {
   NHSAppTemplate,
   TemplateStatus,
@@ -15,6 +18,17 @@ beforeAll(() => {
   jest.setSystemTime(new Date('2022-01-01 09:00'));
 });
 
+test('redirects', async () => {
+  const mockRedirect = jest.mocked(redirect);
+
+  await deleteTemplateNoAction();
+
+  expect(mockRedirect).toHaveBeenCalledWith(
+    '/manage-templates',
+    RedirectType.push
+  );
+});
+
 test('calls form action and redirects', async () => {
   const mockRedirect = jest.mocked(redirect);
   const mockSaveTemplate = jest.mocked(saveTemplate);
@@ -27,7 +41,7 @@ test('calls form action and redirects', async () => {
     templateStatus: TemplateStatus.NOT_YET_SUBMITTED,
   };
 
-  await deleteTemplateAction(mockTemplate);
+  await deleteTemplateYesAction(mockTemplate);
 
   expect(mockSaveTemplate).toHaveBeenCalledWith({
     ...mockTemplate,

frontend/src/__tests__/components/forms/EmailTemplateForm/__snapshots__/EmailTemplateForm.test.tsx.snap

@@ -79,6 +79,12 @@ exports[`renders page one error 1`] = `
             type="hidden"
             value="create-email-template"
           />
+          <input
+            name="csrf_token"
+            readonly=""
+            type="hidden"
+            value="no_token"
+          />
           <h1
             class="nhsuk-heading-xl"
             data-testid="page-heading"
@@ -693,6 +699,12 @@ exports[`renders page with multiple errors 1`] = `
             type="hidden"
             value="create-email-template"
           />
+          <input
+            name="csrf_token"
+            readonly=""
+            type="hidden"
+            value="no_token"
+          />
           <h1
             class="nhsuk-heading-xl"
             data-testid="page-heading"
@@ -1294,6 +1306,12 @@ exports[`renders page with preloaded field values 1`] = `
             type="hidden"
             value="create-email-template"
           />
+          <input
+            name="csrf_token"
+            readonly=""
+            type="hidden"
+            value="no_token"
+          />
           <h1
             class="nhsuk-heading-xl"
             data-testid="page-heading"
@@ -1835,6 +1853,12 @@ exports[`renders page without back link for initial state with id 1`] = `
             type="hidden"
             value="create-email-template"
           />
+          <input
+            name="csrf_token"
+            readonly=""
+            type="hidden"
+            value="no_token"
+          />
           <h1
             class="nhsuk-heading-xl"
             data-testid="page-heading"

frontend/src/__tests__/components/forms/NhsAppTemplateForm/__snapshots__/NhsAppTemplateForm.test.tsx.snap

@@ -44,6 +44,12 @@ exports[`renders page 1`] = `
             type="hidden"
             value="create-nhs-app-template"
           />
+          <input
+            name="csrf_token"
+            readonly=""
+            type="hidden"
+            value="no_token"
+          />
           <h1
             class="nhsuk-heading-xl"
             data-testid="page-heading"
@@ -524,6 +530,12 @@ exports[`renders page one error 1`] = `
             type="hidden"
             value="create-nhs-app-template"
           />
+          <input
+            name="csrf_token"
+            readonly=""
+            type="hidden"
+            value="no_token"
+          />
           <h1
             class="nhsuk-heading-xl"
             data-testid="page-heading"
@@ -1018,6 +1030,12 @@ exports[`renders page with multiple errors 1`] = `
             type="hidden"
             value="create-nhs-app-template"
           />
+          <input
+            name="csrf_token"
+            readonly=""
+            type="hidden"
+            value="no_token"
+          />
           <h1
             class="nhsuk-heading-xl"
             data-testid="page-heading"
@@ -1492,6 +1510,12 @@ exports[`renders page with preloaded field values 1`] = `
             type="hidden"
             value="create-nhs-app-template"
           />
+          <input
+            name="csrf_token"
+            readonly=""
+            type="hidden"
+            value="no_token"
+          />
           <h1
             class="nhsuk-heading-xl"
             data-testid="page-heading"
@@ -1920,6 +1944,12 @@ exports[`renders page without back link for initial state with id 1`] = `
             type="hidden"
             value="create-nhs-app-template"
           />
+          <input
+            name="csrf_token"
+            readonly=""
+            type="hidden"
+            value="no_token"
+          />
           <h1
             class="nhsuk-heading-xl"
             data-testid="page-heading"

frontend/src/__tests__/components/forms/ReviewEmailTemplate/__snapshots__/ReviewEmailTemplate.test.tsx.snap

@@ -197,6 +197,12 @@ exports[`Review email form renders matches error snapshot 1`] = `
             type="hidden"
             value="review-email-template"
           />
+          <input
+            name="csrf_token"
+            readonly=""
+            type="hidden"
+            value="no_token"
+          />
           <div
             class="nhsuk-form-group nhsuk-form-group--error"
           >
@@ -465,6 +471,12 @@ exports[`Review email form renders matches snapshot when navigating from edit sc
             type="hidden"
             value="review-email-template"
           />
+          <input
+            name="csrf_token"
+            readonly=""
+            type="hidden"
+            value="no_token"
+          />
           <div
             class="nhsuk-form-group"
           >
@@ -716,6 +728,12 @@ exports[`Review email form renders matches snapshot when navigating from manage
             type="hidden"
             value="review-email-template"
           />
+          <input
+            name="csrf_token"
+            readonly=""
+            type="hidden"
+            value="no_token"
+          />
           <div
             class="nhsuk-form-group"
           >