Merge branch 'main' into feature/CCM-10893-add-account-header

Author: harrim91

frontend/src/__tests__/middleware.test.ts

@@ -74,7 +74,7 @@ describe('middleware function', () => {
     const csp = getCsp(response);
 
     expect(response.status).toBe(200);
-    expect(getClientIdFromTokenMock).toHaveBeenCalled();
+    expect(getClientIdFromTokenMock).toHaveBeenCalledTimes(1);
 
     expect(csp).toEqual([
       "base-uri 'self'",

lambdas/authorizer/src/__tests__/index.test.ts

@@ -43,6 +43,7 @@ const allowPolicy = {
   },
   context: {
     user: 'sub',
+    clientId: 'client-123',
   },
 };
 
@@ -72,10 +73,11 @@ afterEach(() => {
   process.env = originalEnv;
 });
 
-test('returns Allow policy on valid token', async () => {
+test('returns Allow policy on valid token with clientId', async () => {
   lambdaCognitoAuthorizer.authorize.mockResolvedValue({
     success: true,
     subject: 'sub',
+    clientId: 'client-123',
   });
 
   const res = await handler(

utils/utils/src/__tests__/lambda-cognito-authorizer.test.ts

@@ -175,7 +175,7 @@ describe('LambdaCognitoAuthorizer', () => {
     );
   });
 
-  test('returns failure on token with incorrect client_id claim', async () => {
+  test('returns failure on token with incorrect cognito client_id claim', async () => {
     const jwt = sign(
       {
         token_use: 'access',
@@ -282,6 +282,68 @@ describe('LambdaCognitoAuthorizer', () => {
     );
   });
 
+  test('returns failure when NHS Notify client ID claim is empty string', async () => {
+    const jwt = sign(
+      {
+        token_use: 'access',
+        client_id: 'user-pool-client-id',
+        iss: 'https://cognito-idp.eu-west-2.amazonaws.com/user-pool-id',
+        'nhs-notify:client-id': '',
+      },
+      'key',
+      {
+        keyid: 'key-id',
+      }
+    );
+
+    const res = await authorizer.authorize(userPoolId, userPoolClientId, jwt);
+
+    expect(res).toEqual({ success: false });
+    expect(mockLogger.logMessages).toContainEqual(
+      expect.objectContaining({
+        level: 'error',
+        message: expect.stringContaining('Failed to authorize'),
+        issues: expect.arrayContaining([
+          expect.objectContaining({
+            path: ['nhs-notify:client-id'],
+            message: 'Too small: expected string to have >=1 characters',
+          }),
+        ]),
+      })
+    );
+  });
+
+  test('returns failure when NHS Notify client ID claim is whitespace', async () => {
+    const jwt = sign(
+      {
+        token_use: 'access',
+        client_id: 'user-pool-client-id',
+        iss: 'https://cognito-idp.eu-west-2.amazonaws.com/user-pool-id',
+        'nhs-notify:client-id': '    ',
+      },
+      'key',
+      {
+        keyid: 'key-id',
+      }
+    );
+
+    const res = await authorizer.authorize(userPoolId, userPoolClientId, jwt);
+
+    expect(res).toEqual({ success: false });
+    expect(mockLogger.logMessages).toContainEqual(
+      expect.objectContaining({
+        level: 'error',
+        message: expect.stringContaining('Failed to authorize'),
+        issues: expect.arrayContaining([
+          expect.objectContaining({
+            path: ['nhs-notify:client-id'],
+            message: 'Too small: expected string to have >=1 characters',
+          }),
+        ]),
+      })
+    );
+  });
+
   test('returns failure on Cognito not validating the token', async () => {
     const cognitoErrorUserPool = 'user-pool-id-cognito-error';
 

utils/utils/src/lambda-cognito-authorizer.ts

@@ -12,7 +12,7 @@ const $AccessToken = z.object({
   client_id: z.string(),
   iss: z.string(),
   token_use: z.string(),
-  'nhs-notify:client-id': z.string(),
+  'nhs-notify:client-id': z.string().trim().nonempty(),
 });
 
 export class LambdaCognitoAuthorizer {