CCM-11870 Check for client ID in authorizer

nicki-nhs · nicki-nhs · commit d1d314f84775 · 2025-08-28T15:35:04.000+01:00
diff --git a/lambdas/authorizer/src/__tests__/index.test.ts b/lambdas/authorizer/src/__tests__/index.test.ts
@@ -43,6 +43,7 @@ const allowPolicy = {
   },
   context: {
     user: 'sub',
+    clientId: 'client-123',
   },
 };
 
@@ -72,10 +73,11 @@ afterEach(() => {
   process.env = originalEnv;
 });
 
-test('returns Allow policy on valid token', async () => {
+test('returns Allow policy on valid token with clientId', async () => {
   lambdaCognitoAuthorizer.authorize.mockResolvedValue({
     success: true,
     subject: 'sub',
+    clientId: 'client-123',
   });
 
   const res = await handler(
@@ -99,6 +101,58 @@ test('returns Allow policy on valid token', async () => {
   );
 });
 
+test('returns Deny policy when authorisation succeeds but clientId is missing', async () => {
+  lambdaCognitoAuthorizer.authorize.mockResolvedValue({
+    success: true,
+    subject: 'sub',
+    clientId: undefined,
+  });
+
+  const res = await handler(
+    mock<APIGatewayRequestAuthorizerEvent>({
+      requestContext,
+      headers: { Authorization: 'jwt' },
+      type: 'REQUEST',
+    }),
+    mock<Context>(),
+    jest.fn()
+  );
+
+  expect(res).toEqual({
+    ...denyPolicy,
+    context: { user: 'sub' },
+  });
+  expect(mockLogger.warn).toHaveBeenCalledWith(
+    'Authorisation denied: missing clientId'
+  );
+});
+
+test('returns Deny policy when authorize succeeds but clientId is empty/whitespace', async () => {
+  lambdaCognitoAuthorizer.authorize.mockResolvedValue({
+    success: true,
+    subject: 'sub',
+    clientId: '   ',
+  });
+
+  const res = await handler(
+    mock<APIGatewayRequestAuthorizerEvent>({
+      requestContext,
+      headers: { Authorization: 'jwt' },
+      type: 'REQUEST',
+    }),
+    mock<Context>(),
+    jest.fn()
+  );
+
+  expect(res).toEqual({
+    ...denyPolicy,
+    context: { user: 'sub' },
+  });
+  expect(mockLogger.warn).toHaveBeenCalledWith(
+    'Authorisation denied: missing clientId'
+  );
+});
+
 test('returns Deny policy on lambda misconfiguration', async () => {
   process.env.USER_POOL_ID = '';
 
diff --git a/lambdas/authorizer/src/index.ts b/lambdas/authorizer/src/index.ts
@@ -65,10 +65,17 @@ export const handler: APIGatewayRequestAuthorizerHandler = async (event) => {
   );
 
   if (authResult.success) {
-    return generatePolicy(methodArn, 'Allow', {
-      user: authResult.subject,
-      clientId: authResult.clientId,
-    });
+    const clientId = authResult.clientId;
+
+    if (!clientId || clientId.trim() === '') {
+      logger.warn('Authorisation denied: missing clientId');
+      return generatePolicy(methodArn, 'Deny', { user: authResult.subject });
+    } else {
+      return generatePolicy(methodArn, 'Allow', {
+        user: authResult.subject,
+        clientId,
+      });
+    }
   }
 
   return generatePolicy(methodArn, 'Deny');
