CCM-11870-middleware-checks-client-id (#655)

Co-authored-by: Michael Harrison <[email protected]>

Author: nicki-nhs

frontend/src/__tests__/middleware.test.ts

@@ -4,10 +4,13 @@
 import { NextRequest } from 'next/server';
 import { getSessionServer } from '@utils/amplify-utils';
 import { middleware } from '../middleware';
+import { getClientIdFromToken } from '@utils/token-utils';
 
 jest.mock('@utils/amplify-utils');
+jest.mock('@utils/token-utils');
 
 const getTokenMock = jest.mocked(getSessionServer);
+const getClientIdFromTokenMock = jest.mocked(getClientIdFromToken);
 
 function getCsp(response: Response) {
   const csp = response.headers.get('Content-Security-Policy');
@@ -19,6 +22,13 @@ afterAll(() => {
   process.env = OLD_ENV;
 });
 
+beforeEach(() => {
+  jest.resetAllMocks();
+  getClientIdFromTokenMock.mockImplementation((token) =>
+    token ? 'client1' : undefined
+  );
+});
+
 describe('middleware function', () => {
   it('If route is not registered in middleware, respond with 404', async () => {
     const url = new URL('https://url.com/message-templates/does-not-exist');
@@ -28,7 +38,7 @@ describe('middleware function', () => {
     expect(response.status).toBe(404);
   });
 
-  it('if request path is protected, and no access token is obtained, redirect to auth page', async () => {
+  it('if request path is protected, and no access/id token is obtained, redirect to auth page', async () => {
     const url = new URL('https://url.com/message-templates');
     const request = new NextRequest(url);
     request.cookies.set('csrf_token', 'some-csrf-value');
@@ -50,9 +60,9 @@ describe('middleware function', () => {
     expect(response.cookies.get('csrf_token')?.value).toEqual('');
   });
 
-  it('if request path is protected, and access token is obtained, respond with CSP', async () => {
+  it('if request path is protected, tokens exist AND token has client-id, respond with CSP', async () => {
     getTokenMock.mockResolvedValueOnce({
-      accessToken: 'token',
+      accessToken: 'access-token',
       clientId: 'client1',
     });
 
@@ -61,6 +71,9 @@ describe('middleware function', () => {
     const response = await middleware(request);
     const csp = getCsp(response);
 
+    expect(response.status).toBe(200);
+    expect(getClientIdFromTokenMock).toHaveBeenCalledTimes(1);
+
     expect(csp).toEqual([
       "base-uri 'self'",
       "default-src 'none'",
@@ -79,12 +92,58 @@ describe('middleware function', () => {
     ]);
   });
 
+  it('if request path is protected, tokens exist BUT token missing client-id, redirect to request-to-be-added page', async () => {
+    getTokenMock.mockResolvedValueOnce({
+      accessToken: 'access-token',
+    });
+
+    getClientIdFromTokenMock.mockReturnValueOnce(undefined);
+    getClientIdFromTokenMock.mockReturnValueOnce(undefined);
+
+    const url = new URL('https://url.com/message-templates');
+    const request = new NextRequest(url);
+    const response = await middleware(request);
+
+    expect(response.status).toBe(307);
+    expect(response.headers.get('location')).toBe(
+      'https://url.com/auth/request-to-be-added-to-a-service?redirect=%2Ftemplates%2Fmessage-templates'
+    );
+  });
+
   it('if request path is not protected, respond with CSP', async () => {
     const url = new URL('https://url.com/create-and-submit-templates');
     const request = new NextRequest(url);
     const response = await middleware(request);
     const csp = getCsp(response);
 
+    expect(response.status).toBe(200);
+    expect(csp).toEqual([
+      "base-uri 'self'",
+      "default-src 'none'",
+      "frame-ancestors 'none'",
+      "font-src 'self' https://assets.nhs.uk",
+      "form-action 'self'",
+      "frame-src 'self'",
+      "connect-src 'self' https://cognito-idp.eu-west-2.amazonaws.com",
+      "img-src 'self'",
+      "manifest-src 'self'",
+      "object-src 'none'",
+      expect.stringMatching(/^script-src 'self' 'nonce-[\dA-Za-z]+'$/),
+      expect.stringMatching(/^style-src 'self' 'nonce-[\dA-Za-z]+'$/),
+      'upgrade-insecure-requests',
+      '',
+    ]);
+  });
+
+  it('public path (/auth/request-to-be-added-to-a-service) responds with CSP', async () => {
+    const url = new URL(
+      'https://url.com/auth/request-to-be-added-to-a-service'
+    );
+    const request = new NextRequest(url);
+    const response = await middleware(request);
+    const csp = getCsp(response);
+
+    expect(response.status).toBe(200);
     expect(csp).toEqual([
       "base-uri 'self'",
       "default-src 'none'",

frontend/src/__tests__/utils/amplify-utils.test.ts

@@ -3,11 +3,7 @@
  */
 import { sign } from 'jsonwebtoken';
 import { fetchAuthSession } from 'aws-amplify/auth/server';
-import {
-  getSessionServer,
-  getSessionId,
-  getClientId,
-} from '../../utils/amplify-utils';
+import { getSessionServer, getSessionId } from '../../utils/amplify-utils';
 
 jest.mock('aws-amplify/auth/server');
 jest.mock('@aws-amplify/adapter-nextjs/api');
@@ -73,7 +69,10 @@ describe('amplify-utils', () => {
 
     const result = await getSessionServer();
 
-    expect(result).toEqual({ accessToken: undefined });
+    expect(result).toEqual({
+      accessToken: undefined,
+      clientId: undefined,
+    });
   });
 
   test('getSessionServer - should return undefined properties if an error occurs', async () => {
@@ -83,7 +82,10 @@ describe('amplify-utils', () => {
 
     const result = await getSessionServer();
 
-    expect(result).toEqual({ accessToken: undefined });
+    expect(result).toEqual({
+      accessToken: undefined,
+      clientId: undefined,
+    });
   });
 
   describe('getSessionId', () => {
@@ -127,25 +129,4 @@ describe('amplify-utils', () => {
       expect(sessionId).toEqual('jti');
     });
   });
-
-  describe('getClientId', () => {
-    test('returns undefined when client ID not found', async () => {
-      const mockAccessToken = sign({}, 'key');
-
-      const clientId = await getClientId(mockAccessToken);
-
-      expect(clientId).toBeUndefined();
-    });
-
-    test('retrieves client id from access token param', async () => {
-      const mockAccessToken = sign(
-        { ['nhs-notify:client-id']: 'client2' },
-        'key'
-      );
-
-      const clientId = await getClientId(mockAccessToken);
-
-      expect(clientId).toEqual('client2');
-    });
-  });
 });

frontend/src/__tests__/utils/token-utils.test.ts

@@ -0,0 +1,62 @@
+/**
+ * @jest-environment node
+ */
+import { sign } from 'jsonwebtoken';
+import { decodeJwt, getClaim, getClientIdFromToken } from '@utils/token-utils';
+import { JWT } from 'aws-amplify/auth';
+
+describe('token-utils', () => {
+  describe('decodeJwt', () => {
+    it('decodes a valid JWT payload', () => {
+      const token = sign({ testKey: 'value', testNum: 1 }, 'secret');
+      const claims = decodeJwt(token);
+
+      expect(claims.testKey).toBe('value');
+      expect(claims.testNum).toBe(1);
+    });
+  });
+
+  describe('getClaim', () => {
+    it('returns a string when the claim exists (string)', () => {
+      const claims = { testKey: 'value' } as unknown as JWT['payload'];
+
+      expect(getClaim(claims, 'testKey')).toBe('value');
+    });
+
+    it('returns stringified value for non-strings', () => {
+      const claims = { num: 123, bool: true } as unknown as JWT['payload'];
+
+      expect(getClaim(claims, 'num')).toBe('123');
+      expect(getClaim(claims, 'bool')).toBe('true');
+    });
+
+    it('returns undefined when the claim is missing, null or undefined', () => {
+      const claims = { a: null, b: undefined } as unknown as JWT['payload'];
+
+      expect(getClaim(claims, 'missing')).toBeUndefined();
+      expect(getClaim(claims, 'a')).toBeUndefined();
+      expect(getClaim(claims, 'b')).toBeUndefined();
+    });
+  });
+
+  describe('getClientIdFromToken', () => {
+    test('returns undefined when client ID not found', async () => {
+      const mockAccessToken = sign({}, 'key');
+
+      const clientId = await getClientIdFromToken(mockAccessToken);
+
+      expect(clientId).toBeUndefined();
+    });
+
+    test('retrieves client id from access token param', async () => {
+      const mockAccessToken = sign(
+        { ['nhs-notify:client-id']: 'client2' },
+        'key'
+      );
+
+      const clientId = await getClientIdFromToken(mockAccessToken);
+
+      expect(clientId).toEqual('client2');
+    });
+  });
+});

frontend/src/middleware.ts

@@ -1,6 +1,7 @@
 import { NextResponse, type NextRequest } from 'next/server';
 import { getSessionServer } from '@utils/amplify-utils';
 import { getBasePath } from '@utils/get-base-path';
+import { getClientIdFromToken } from '@utils/token-utils';
 
 const protectedPaths = [
   /^\/choose-a-template-type$/,
@@ -42,6 +43,7 @@ const publicPaths = [
   /^\/auth\/signin$/,
   /^\/auth\/signout$/,
   /^\/auth\/idle$/,
+  /^\/auth\/request-to-be-added-to-a-service$/,
 ];
 
 function getContentSecurityPolicy(nonce: string) {
@@ -96,16 +98,15 @@ export async function middleware(request: NextRequest) {
     return new NextResponse('Page not found', { status: 404 });
   }
 
-  const { accessToken } = await getSessionServer({ forceRefresh: true });
+  const { accessToken } = await getSessionServer({
+    forceRefresh: true,
+  });
 
   if (!accessToken) {
+    const path = `${getBasePath()}${pathname}`;
+
     const redirectResponse = NextResponse.redirect(
-      new URL(
-        `/auth?redirect=${encodeURIComponent(
-          `${getBasePath()}${request.nextUrl.pathname}`
-        )}`,
-        request.url
-      )
+      new URL(`/auth?redirect=${encodeURIComponent(path)}`, request.url)
     );
 
     redirectResponse.headers.set('Content-Type', 'text/html');
@@ -115,6 +116,20 @@ export async function middleware(request: NextRequest) {
     return redirectResponse;
   }
 
+  const hasClientId = getClientIdFromToken(accessToken);
+
+  if (!hasClientId) {
+    const missingClientIdRedirect = new URL(
+      `/auth/request-to-be-added-to-a-service?redirect=${encodeURIComponent(
+        `${getBasePath()}${pathname}`
+      )}`,
+      request.url
+    );
+    const redirectResponse = NextResponse.redirect(missingClientIdRedirect);
+
+    return redirectResponse;
+  }
+
   const response = NextResponse.next({
     request: {
       headers: requestHeaders,

frontend/src/utils/amplify-utils.ts

@@ -5,8 +5,8 @@
 import { cookies } from 'next/headers';
 import { createServerRunner } from '@aws-amplify/adapter-nextjs';
 import { fetchAuthSession } from 'aws-amplify/auth/server';
-import { FetchAuthSessionOptions, JWT } from 'aws-amplify/auth';
-import { jwtDecode } from 'jwt-decode';
+import { FetchAuthSessionOptions } from 'aws-amplify/auth';
+import { decodeJwt, getClaim, getClientIdFromToken } from './token-utils';
 
 const config = require('@/amplify_outputs.json');
 
@@ -17,8 +17,8 @@ export const { runWithAmplifyServerContext } = createServerRunner({
 export async function getSessionServer(
   options: FetchAuthSessionOptions = {}
 ): Promise<{
-  accessToken: string | undefined;
-  clientId: string | undefined;
+  accessToken?: string;
+  clientId?: string;
 }> {
   const session = await runWithAmplifyServerContext({
     nextServerContext: { cookies },
@@ -28,39 +28,23 @@ export async function getSessionServer(
   });
 
   const accessToken = session?.tokens?.accessToken?.toString();
-  const clientId = accessToken && (await getClientId(accessToken));
+  const clientId = accessToken && getClientIdFromToken(accessToken);
 
   return {
     accessToken,
     clientId,
   };
 }
 
-export const getSessionId = async () => {
-  return getAccessTokenParam('origin_jti');
-};
-
-export const getClientId = async (accessToken: string) => {
-  return getJwtPayload('nhs-notify:client-id', accessToken);
-};
-
 const getAccessTokenParam = async (key: string) => {
   const authSession = await getSessionServer();
   const accessToken = authSession.accessToken;
 
   if (!accessToken) return;
 
-  return getJwtPayload(key, accessToken);
+  return getClaim(decodeJwt(accessToken), key);
 };
 
-const getJwtPayload = (key: string, accessToken: string) => {
-  const jwt = jwtDecode<JWT['payload']>(accessToken);
-
-  const value = jwt[key];
-
-  if (!value) {
-    return;
-  }
-
-  return value.toString();
+export const getSessionId = async () => {
+  return getAccessTokenParam('origin_jti');
 };

frontend/src/utils/token-utils.ts

@@ -0,0 +1,17 @@
+import { jwtDecode } from 'jwt-decode';
+import { JWT } from 'aws-amplify/auth';
+
+export const decodeJwt = (token: string): JWT['payload'] =>
+  jwtDecode<JWT['payload']>(token);
+
+export const getClaim = (
+  claims: JWT['payload'],
+  key: string
+): string | undefined => {
+  const value = claims[key];
+  return value == null ? undefined : String(value);
+};
+
+export const getClientIdFromToken = (token: string) => {
+  return getClaim(decodeJwt(token), 'nhs-notify:client-id');
+};