CCM-10422: update dl auth

alexnuttall · alexnuttall · commit cad12324d278 · 2025-08-14T11:48:12.000+01:00
diff --git a/infrastructure/terraform/modules/backend-api/module_lambda_request_proof.tf b/infrastructure/terraform/modules/backend-api/module_lambda_request_proof.tf
@@ -47,7 +47,6 @@ data "aws_iam_policy_document" "request_proof_lambda_policy" {
       aws_dynamodb_table.templates.arn,
     ]
   }
-  
   statement {
     sid    = "AllowProofingSQS"
     effect = "Allow"
diff --git a/utils/utils/src/__tests__/lambda-cognito-authorizer.test.ts b/utils/utils/src/__tests__/lambda-cognito-authorizer.test.ts
@@ -136,35 +136,6 @@ describe('LambdaCognitoAuthorizer', () => {
     expect(mockLogger.logMessages).toEqual([]);
   });
 
-  test('returns success on valid token when expected resource owner is the user (not client)', async () => {
-    const jwt = sign(
-      {
-        token_use: 'access',
-        client_id: 'user-pool-client-id',
-        iss: 'https://cognito-idp.eu-west-2.amazonaws.com/user-pool-id',
-        'nhs-notify:client-id': 'nhs-notify-client-id',
-      },
-      'key',
-      {
-        keyid: 'key-id',
-      }
-    );
-
-    const res = await authorizer.authorize(
-      userPoolId,
-      userPoolClientId,
-      jwt,
-      'sub'
-    );
-
-    expect(res).toEqual({
-      success: true,
-      subject: 'sub',
-      clientId: 'nhs-notify-client-id',
-    });
-    expect(mockLogger.logMessages).toEqual([]);
-  });
-
   test('returns failure on malformed token', async () => {
     const res = await authorizer.authorize(
       userPoolId,
@@ -401,7 +372,7 @@ describe('LambdaCognitoAuthorizer', () => {
     );
   });
 
-  test('returns failure when expected resourc owner matches neither notify client id nor sub, from Cognito', async () => {
+  test('returns failure when expected resource owner does not match notify client id from Cognito', async () => {
     const jwt = sign(
       {
         token_use: 'access',
diff --git a/utils/utils/src/lambda-cognito-authorizer.ts b/utils/utils/src/lambda-cognito-authorizer.ts
@@ -92,12 +92,9 @@ export class LambdaCognitoAuthorizer {
 
       if (
         expectedResourceOwner !== undefined &&
-        expectedResourceOwner !== sub &&
         expectedResourceOwner !== notifyClientId
       ) {
-        this.logger.warn(
-          'Neither subject nor clientId matches expected resource owner'
-        );
+        this.logger.warn('clientId does not match expected resource owner');
         return { success: false };
       }
 

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,6 @@ data "aws_iam_policy_document" "request_proof_lambda_policy" {`
`47`	`47`	`aws_dynamodb_table.templates.arn,`
`48`	`48`	`]`
`49`	`49`	`}`
`50`		`-`
`51`	`50`	`statement {`
`52`	`51`	`sid = "AllowProofingSQS"`
`53`	`52`	`effect = "Allow"`