CCM-11870 Check for client ID on protected routes

Author: nicki-nhs

frontend/src/__tests__/middleware.test.ts

@@ -4,10 +4,13 @@
 import { NextRequest } from 'next/server';
 import { getSessionServer } from '@utils/amplify-utils';
 import { middleware } from '../middleware';
+import { getClientIdFromToken } from '@utils/token-utils';
 
 jest.mock('@utils/amplify-utils');
+jest.mock('@utils/token-utils');
 
 const getTokenMock = jest.mocked(getSessionServer);
+const getClientIdFromTokenMock = jest.mocked(getClientIdFromToken);
 
 function getCsp(response: Response) {
   const csp = response.headers.get('Content-Security-Policy');
@@ -19,6 +22,13 @@ afterAll(() => {
   process.env = OLD_ENV;
 });
 
+beforeEach(() => {
+  jest.resetAllMocks();
+  getClientIdFromTokenMock.mockImplementation((token) =>
+    token ? 'client1' : undefined
+  );
+});
+
 describe('middleware function', () => {
   it('If route is not registered in middleware, respond with 404', async () => {
     const url = new URL('https://url.com/message-templates/does-not-exist');
@@ -28,14 +38,15 @@ describe('middleware function', () => {
     expect(response.status).toBe(404);
   });
 
-  it('if request path is protected, and no access token is obtained, redirect to auth page', async () => {
+  it('if request path is protected, and no access/id token is obtained, redirect to auth page', async () => {
     const url = new URL('https://url.com/message-templates');
     const request = new NextRequest(url);
     request.cookies.set('csrf_token', 'some-csrf-value');
 
     getTokenMock.mockResolvedValueOnce({
       accessToken: undefined,
       clientId: undefined,
+      idToken: undefined,
     });
 
     const response = await middleware(request);
@@ -50,17 +61,21 @@ describe('middleware function', () => {
     expect(response.cookies.get('csrf_token')?.value).toEqual('');
   });
 
-  it('if request path is protected, and access token is obtained, respond with CSP', async () => {
+  it('if request path is protected, tokens exist AND token has client-id, respond with CSP', async () => {
     getTokenMock.mockResolvedValueOnce({
-      accessToken: 'token',
+      accessToken: 'access-token',
       clientId: 'client1',
+      idToken: 'id-token',
     });
 
     const url = new URL('https://url.com/message-templates');
     const request = new NextRequest(url);
     const response = await middleware(request);
     const csp = getCsp(response);
 
+    expect(response.status).toBe(200);
+    expect(getClientIdFromTokenMock).toHaveBeenCalledTimes(2);
+
     expect(csp).toEqual([
       "base-uri 'self'",
       "default-src 'none'",
@@ -79,12 +94,59 @@ describe('middleware function', () => {
     ]);
   });
 
+  it('if request path is protected, tokens exist BUT token missing client-id, redirect to request-to-be-added page', async () => {
+    getTokenMock.mockResolvedValueOnce({
+      accessToken: 'access-token',
+      idToken: 'id-token',
+    });
+
+    getClientIdFromTokenMock.mockReturnValueOnce(undefined);
+    getClientIdFromTokenMock.mockReturnValueOnce(undefined);
+
+    const url = new URL('https://url.com/message-templates');
+    const request = new NextRequest(url);
+    const response = await middleware(request);
+
+    expect(response.status).toBe(307);
+    expect(response.headers.get('location')).toBe(
+      'https://url.com/auth/request-to-be-added-to-a-service?redirect=%2Ftemplates%2Fmessage-templates'
+    );
+  });
+
   it('if request path is not protected, respond with CSP', async () => {
     const url = new URL('https://url.com/create-and-submit-templates');
     const request = new NextRequest(url);
     const response = await middleware(request);
     const csp = getCsp(response);
 
+    expect(response.status).toBe(200);
+    expect(csp).toEqual([
+      "base-uri 'self'",
+      "default-src 'none'",
+      "frame-ancestors 'none'",
+      "font-src 'self' https://assets.nhs.uk",
+      "form-action 'self'",
+      "frame-src 'self'",
+      "connect-src 'self' https://cognito-idp.eu-west-2.amazonaws.com",
+      "img-src 'self'",
+      "manifest-src 'self'",
+      "object-src 'none'",
+      expect.stringMatching(/^script-src 'self' 'nonce-[\dA-Za-z]+'$/),
+      expect.stringMatching(/^style-src 'self' 'nonce-[\dA-Za-z]+'$/),
+      'upgrade-insecure-requests',
+      '',
+    ]);
+  });
+
+  it('public path (/auth/request-to-be-added-to-a-service) responds with CSP', async () => {
+    const url = new URL(
+      'https://url.com/auth/request-to-be-added-to-a-service'
+    );
+    const request = new NextRequest(url);
+    const response = await middleware(request);
+    const csp = getCsp(response);
+
+    expect(response.status).toBe(200);
     expect(csp).toEqual([
       "base-uri 'self'",
       "default-src 'none'",

frontend/src/__tests__/utils/amplify-utils.test.ts

@@ -3,11 +3,7 @@
  */
 import { sign } from 'jsonwebtoken';
 import { fetchAuthSession } from 'aws-amplify/auth/server';
-import {
-  getSessionServer,
-  getSessionId,
-  getClientId,
-} from '../../utils/amplify-utils';
+import { getSessionServer, getSessionId } from '../../utils/amplify-utils';
 
 jest.mock('aws-amplify/auth/server');
 
@@ -160,25 +156,4 @@ describe('amplify-utils', () => {
       expect(sessionId).toEqual('jti');
     });
   });
-
-  describe('getClientId', () => {
-    test('returns undefined when client ID not found', async () => {
-      const mockAccessToken = sign({}, 'key');
-
-      const clientId = await getClientId(mockAccessToken);
-
-      expect(clientId).toBeUndefined();
-    });
-
-    test('retrieves client id from access token param', async () => {
-      const mockAccessToken = sign(
-        { ['nhs-notify:client-id']: 'client2' },
-        'key'
-      );
-
-      const clientId = await getClientId(mockAccessToken);
-
-      expect(clientId).toEqual('client2');
-    });
-  });
 });

frontend/src/__tests__/utils/token-utils.test.ts

@@ -2,7 +2,12 @@
  * @jest-environment node
  */
 import { sign } from 'jsonwebtoken';
-import { decodeJwt, getClaim, getIdTokenClaims } from '@utils/token-utils';
+import {
+  decodeJwt,
+  getClaim,
+  getClientIdFromToken,
+  getIdTokenClaims,
+} from '@utils/token-utils';
 import { JWT } from 'aws-amplify/auth';
 
 describe('token-utils', () => {
@@ -134,4 +139,25 @@ describe('token-utils', () => {
       expect(claims.displayName).toBeUndefined();
     });
   });
+
+  describe('getClientIdFromToken', () => {
+    test('returns undefined when client ID not found', async () => {
+      const mockAccessToken = sign({}, 'key');
+
+      const clientId = await getClientIdFromToken(mockAccessToken);
+
+      expect(clientId).toBeUndefined();
+    });
+
+    test('retrieves client id from access token param', async () => {
+      const mockAccessToken = sign(
+        { ['nhs-notify:client-id']: 'client2' },
+        'key'
+      );
+
+      const clientId = await getClientIdFromToken(mockAccessToken);
+
+      expect(clientId).toEqual('client2');
+    });
+  });
 });

frontend/src/middleware.ts

@@ -1,6 +1,7 @@
 import { NextResponse, type NextRequest } from 'next/server';
 import { getSessionServer } from '@utils/amplify-utils';
 import { getBasePath } from '@utils/get-base-path';
+import { getClientIdFromToken } from '@utils/token-utils';
 
 const protectedPaths = [
   /^\/choose-a-template-type$/,
@@ -42,6 +43,7 @@ const publicPaths = [
   /^\/auth\/signin$/,
   /^\/auth\/signout$/,
   /^\/auth\/idle$/,
+  /^\/auth\/request-to-be-added-to-a-service$/,
 ];
 
 function getContentSecurityPolicy(nonce: string) {
@@ -96,14 +98,14 @@ export async function middleware(request: NextRequest) {
     return new NextResponse('Page not found', { status: 404 });
   }
 
-  const { accessToken } = await getSessionServer({ forceRefresh: true });
+  const { accessToken, idToken } = await getSessionServer({
+    forceRefresh: true,
+  });
 
-  if (!accessToken) {
+  if (!accessToken || !idToken) {
     const redirectResponse = NextResponse.redirect(
       new URL(
-        `/auth?redirect=${encodeURIComponent(
-          `${getBasePath()}${request.nextUrl.pathname}`
-        )}`,
+        `/auth?redirect=${encodeURIComponent(`${getBasePath()}${pathname}`)}`,
         request.url
       )
     );
@@ -115,6 +117,21 @@ export async function middleware(request: NextRequest) {
     return redirectResponse;
   }
 
+  const hasClientId =
+    getClientIdFromToken(accessToken) || getClientIdFromToken(idToken);
+
+  if (!hasClientId) {
+    const missingClientIdRedirect = new URL(
+      `/auth/request-to-be-added-to-a-service?redirect=${encodeURIComponent(
+        `${getBasePath()}${pathname}`
+      )}`,
+      request.url
+    );
+    const redirectResponse = NextResponse.redirect(missingClientIdRedirect);
+
+    return redirectResponse;
+  }
+
   const response = NextResponse.next({
     request: {
       headers: requestHeaders,

frontend/src/utils/amplify-utils.ts

@@ -6,7 +6,7 @@ import { cookies } from 'next/headers';
 import { createServerRunner } from '@aws-amplify/adapter-nextjs';
 import { fetchAuthSession } from 'aws-amplify/auth/server';
 import { FetchAuthSessionOptions } from 'aws-amplify/auth';
-import { decodeJwt, getClaim } from './token-utils';
+import { decodeJwt, getClaim, getClientIdFromToken } from './token-utils';
 
 const config = require('@/amplify_outputs.json');
 
@@ -29,7 +29,7 @@ export async function getSessionServer(
   });
 
   const accessToken = session?.tokens?.accessToken?.toString();
-  const clientId = accessToken && getClientId(accessToken);
+  const clientId = accessToken && getClientIdFromToken(accessToken);
 
   const idToken = session?.tokens?.idToken?.toString();
 
@@ -52,7 +52,3 @@ const getAccessTokenParam = async (key: string) => {
 export const getSessionId = async () => {
   return getAccessTokenParam('origin_jti');
 };
-
-export const getClientId = (accessToken: string) => {
-  return getClaim(decodeJwt(accessToken), 'nhs-notify:client-id');
-};

frontend/src/utils/token-utils.ts

@@ -12,6 +12,10 @@ export const getClaim = (
   return value == null ? undefined : String(value);
 };
 
+export const getClientIdFromToken = (token: string) => {
+  return getClaim(decodeJwt(token), 'nhs-notify:client-id');
+};
+
 export const getIdTokenClaims = (
   idToken: string
 ): {