unhappy path unit tests

alexnuttall · alexnuttall · commit 7d81c08d83d1 · 2025-05-15T08:12:24.000+01:00
diff --git a/lambdas/download-authorizer/src/__tests__/index.test.ts b/lambdas/download-authorizer/src/__tests__/index.test.ts
@@ -1,7 +1,7 @@
-import type { CloudFrontRequestEvent } from 'aws-lambda';
+import type { CloudFrontRequest, CloudFrontRequestEvent } from 'aws-lambda';
 import { mock } from 'jest-mock-extended';
 import { logger } from 'nhs-notify-web-template-management-utils/logger';
-import { handler } from '../index';
+import { denial, handler, parseRequest } from '../index';
 import { LambdaCognitoAuthorizer } from 'nhs-notify-web-template-management-utils/lambda-cognito-authorizer';
 import { CognitoIdentityProviderClient } from '@aws-sdk/client-cognito-identity-provider';
 
@@ -85,4 +85,72 @@ describe('download authorizer handler', () => {
       subject
     );
   });
+
+  test('returns denial if cognito configuration is not present in custom headers', async () => {
+    const uri = '/subject/template-id/proof1.pdf';
+    const cookie =
+      'CognitoIdentityServiceProvider.user-pool-client-id.subject.AccessToken=jwt';
+
+    const event = mock<CloudFrontRequestEvent>(
+      makeEvent(uri, cookie, {
+        'x-user-pool-id': undefined,
+        'x-user-pool-client-id': undefined,
+      })
+    );
+
+    const res = await handler(event);
+
+    expect(res).toEqual(denial);
+    expect(mockLogger.error).toHaveBeenCalledWith('Lambda misconfiguration');
+
+    expect(lambdaCognitoAuthorizer.authorize).not.toHaveBeenCalled();
+  });
+
+  test('returns denial if required cookie is not available', async () => {
+    const uri = '/subject/template-id/proof1.pdf';
+    const cookie = 'k=v; k2=v2';
+
+    const event = mock<CloudFrontRequestEvent>(makeEvent(uri, cookie));
+
+    const res = await handler(event);
+
+    expect(res).toEqual(denial);
+    expect(mockLogger.warn).toHaveBeenCalledWith('Cookie is missing');
+
+    expect(lambdaCognitoAuthorizer.authorize).not.toHaveBeenCalled();
+  });
+
+  test('returns denial if authorization fails', async () => {
+    const uri = '/subject/template-id/proof1.pdf';
+    const cookie = `CognitoIdentityServiceProvider.${userPoolClientId}.subject.AccessToken=jwt`;
+
+    lambdaCognitoAuthorizer.authorize.mockResolvedValue({
+      success: false,
+    });
+
+    const event = mock<CloudFrontRequestEvent>(makeEvent(uri, cookie));
+
+    const res = await handler(event);
+
+    expect(res).toEqual(denial);
+  });
+});
+
+describe('parseRequest', () => {
+  test('path defaults to empty string if owner segment cant be extracted', () => {
+    const uri = '';
+    const request = mock<CloudFrontRequest>(
+      makeEvent(uri, 'cookie').Records[0].cf.request
+    );
+
+    expect(parseRequest(request).ownerPathComponent).toBe('');
+  });
+
+  test('cookie header defaults to empty string if it is not present on request', () => {
+    const request = mock<CloudFrontRequest>(
+      makeEvent('/subject/file.txt', undefined).Records[0].cf.request
+    );
+
+    expect(parseRequest(request).authorizationToken).toBe(undefined);
+  });
 });
diff --git a/lambdas/download-authorizer/src/index.ts b/lambdas/download-authorizer/src/index.ts
@@ -8,14 +8,14 @@ const cognitoClient = new CognitoIdentityProviderClient({
   region: 'eu-west-2',
 });
 
-const denial = {
+export const denial = {
   status: '403',
   statusDescription: 'Forbidden',
   body: '<h1>Access Denied</h1>',
 };
 
-function parseRequest(request: CloudFrontRequest) {
-  const [, ownerPathComponent] = request.uri.split('/');
+export function parseRequest(request: CloudFrontRequest) {
+  const ownerPathComponent = request.uri.split('/')[1] ?? '';
 
   const customHeaders = request.origin?.s3?.customHeaders;
   const userPoolId = customHeaders?.['x-user-pool-id']?.[0]?.value;
@@ -35,7 +35,6 @@ function parseRequest(request: CloudFrontRequest) {
 }
 
 export const handler = async (event: CloudFrontRequestEvent) => {
-  logger.info(event);
   const { request } = event.Records[0].cf;
 
   const {
@@ -55,11 +54,6 @@ export const handler = async (event: CloudFrontRequestEvent) => {
     return denial;
   }
 
-  if (!ownerPathComponent) {
-    logger.warn('Could not determine expected subject');
-    return denial;
-  }
-
   const authorizer = new LambdaCognitoAuthorizer(cognitoClient, logger);
 
   const authResult = await authorizer.authorize(
@@ -69,9 +63,7 @@ export const handler = async (event: CloudFrontRequestEvent) => {
     ownerPathComponent
   );
 
-  if (authResult.success) {
-    return request;
-  }
+  if (authResult.success) return request;
 
   return denial;
 };
