VIA-254 Allow session token to be created even if APIM unavailable

donna-belsey-nhs · donna-belsey-nhs · commit 15a2c7d4171b · 2025-09-25T12:50:20.000+01:00
diff --git a/src/utils/auth/callbacks/get-token.test.ts b/src/utils/auth/callbacks/get-token.test.ts
@@ -1,3 +1,4 @@
+import { ApimHttpError } from "@src/utils/auth/apim/exceptions";
 import { getOrRefreshApimCredentials } from "@src/utils/auth/apim/get-or-refresh-apim-credentials";
 import { getToken } from "@src/utils/auth/callbacks/get-token";
 import { MaxAgeInSeconds } from "@src/utils/auth/types";
@@ -8,7 +9,6 @@ import { Account, Profile } from "next-auth";
 import { JWT } from "next-auth/jwt";
 import { ReadonlyHeaders } from "next/dist/server/web/spec-extension/adapters/headers";
 import { headers } from "next/headers";
-import { ApimHttpError } from "@src/utils/auth/apim/exceptions";
 
 jest.mock("@project/auth", () => ({
   auth: jest.fn(),
@@ -172,6 +172,44 @@ describe("getToken", () => {
 
       expect(result).toBeNull();
     });
+
+    it("should still return login token even if fetching APIM credentials fails", async () => {
+      (getOrRefreshApimCredentials as jest.Mock).mockRejectedValue(new ApimHttpError("Error getting APIM token"));
+
+      (jwtDecode as jest.Mock).mockReturnValue({
+        jti: "jti_test",
+      });
+      const token = { apim: {}, nhs_login: { id_token: "id-token" } } as JWT;
+
+      const account = {
+        expires_at: nowInSeconds + 1000,
+        access_token: "newAccess",
+        refresh_token: "newRefresh",
+        id_token: "newIdToken",
+      } as Account;
+
+      const profile = {
+        nhs_number: "test_nhs_number",
+      };
+
+      const maxAgeInSeconds = 600 as MaxAgeInSeconds;
+
+      const result = await getToken(token, account, profile, mockConfig, maxAgeInSeconds);
+
+      expect(result).toMatchObject({
+        user: {
+          nhs_number: profile.nhs_number,
+        },
+        nhs_login: {
+          id_token: "newIdToken",
+        },
+        apim: {
+          access_token: "",
+          expires_at: 0,
+        },
+        fixedExpiry: nowInSeconds + maxAgeInSeconds,
+      });
+    });
   });
 
   describe("when AUTH APIM is not available", () => {
diff --git a/src/utils/auth/callbacks/get-token.ts b/src/utils/auth/callbacks/get-token.ts
@@ -45,8 +45,21 @@ const getToken = async (
       return null;
     }
 
-    // TODO VIA-254 - can we do this only once? https://www.youtube.com/watch?v=A4I9DMSvJxg
-    const apimAccessCredentials = await getOrRefreshApimCredentials(config, token, nowInSeconds);
+    let apimAccessCredentials = undefined;
+
+    try {
+      // TODO VIA-254 - can we do this only once? https://www.youtube.com/watch?v=A4I9DMSvJxg
+      apimAccessCredentials = await getOrRefreshApimCredentials(config, token, nowInSeconds);
+    } catch (error) {
+      let errorMessage = undefined;
+      if (error instanceof Error) {
+        errorMessage = error.message;
+      }
+      log.error(
+        { context: { errorMessage: errorMessage } },
+        "Error fetching APIM credentials; continuing to create session with empty APIM fields",
+      );
+    }
 
     // Inspect the token (which was either returned from login or fetched from session), fill missing or blank values with defaults
     let updatedToken: JWT = fillMissingFieldsInTokenWithDefaultValues(token, apimAccessCredentials);
