Skip to content

CCM-8744: force refresh access tokens in middleware#337

Merged
harrim91 merged 16 commits intomainfrom
feature/CCM-8744_prevent-concurrent-sessions
Mar 20, 2025
Merged

CCM-8744: force refresh access tokens in middleware#337
harrim91 merged 16 commits intomainfrom
feature/CCM-8744_prevent-concurrent-sessions

Conversation

@harrim91
Copy link
Contributor

@harrim91 harrim91 commented Mar 7, 2025
edited
Loading

Description

  • Force refresh tokens in middleware
  • Use origin_jti claim for signing csrf tokens. This is linked to the refresh token and persists for the life of the refresh token so is a more stable session id. Fixing an existing bug where CSRF token would become invalid after the access token expired.
  • Remove CSRF token cookie when unauthenticated in middleware
  • Redirect to sign-out page when csrf validation fails instead of crashing
  • Sync and tidy a few things from the auth repo on the dev auth pages.

This goes hand in hand with NHSDigital/nhs-notify-iam-webauth#193

The intention was to prevent concurrent logins, but that wasn't feasible with Cognito. The auth PR changes the signout process to do global signout. This PR forces the refresh token to be used on every request - if global signout has been invoked then trying to use the revoked refresh token will cause auth failure and the user will be signed out.

Context

Intention was to prevent users from having concurrent sessions - recommendation from pen test. But just tidying and fixing things here.

Type of changes

  • Refactoring (non-breaking change)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would change existing functionality)
  • Bug fix (non-breaking change which fixes an issue)

Checklist

  • I am familiar with the contributing guidelines
  • I have followed the code style of the project
  • I have added tests to cover my changes
  • I have updated the documentation accordingly
  • This PR is a result of pair or mob programming

Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter.

  • I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes.

@harrim91 harrim91 requested a review from a team as a code owner March 7, 2025 17:13
@harrim91 harrim91 marked this pull request as draft March 7, 2025 17:13
@harrim91 harrim91 marked this pull request as ready for review March 10, 2025 16:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chris-elliott-nhsd chris-elliott-nhsd chris-elliott-nhsd approved these changes

@bhansell1 bhansell1 bhansell1 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@harrim91 @chris-elliott-nhsd @bhansell1