VIA-87 AS Implement sessions using iron-session and nextjs middleware to secure routes

Author: anoop-surej-nhs

.env.local

@@ -15,6 +15,7 @@ VACCINATION_APP_URL=http://localhost:3000
 
 # NHS Login
 NHS_LOGIN_URL=https://auth.sandpit.signin.nhs.uk
-NHS_LOGIN_CLIENT_ID=should-not-be-checked-in
+NHS_LOGIN_CLIENT_ID=client-id-to-be-replaced
 NHS_LOGIN_SCOPE='openid profile gp_registration_details'
-NHS_LOGIN_PRIVATE_KEY_FILE_PATH=
+NHS_LOGIN_PRIVATE_KEY_FILE_PATH=path-to-key-file-from-root-of-this-repo
+SESSION_SECRET=secret-to-encyrpt-sessions

package-lock.json

@@ -59,6 +59,7 @@
     "@aws-sdk/client-ssm": "^3.777.0",
     "axios": "^1.8.4",
     "dotenv": "^16.4.7",
+    "iron-session": "^8.0.4",
     "isomorphic-dompurify": "^2.22.0",
     "next": "15.2.4",
     "nhsuk-react-components": "^5.0.0",

package.json

@@ -2,12 +2,12 @@ import { NextRequest, NextResponse } from "next/server";
 import { logger } from "@src/utils/logger";
 import { getClientConfig } from "@src/utils/auth/get-client-config";
 import * as client from "openid-client";
+import { getSession } from "@src/utils/auth/session";
 
 const log = logger.child({ module: "callback-route" });
 
 export async function GET(request: NextRequest) {
-  // TODO: Check if the state we receive back with the callback is the same as the one in session?
-  // TEMP CODE: Using the state from request, just until we have sessions in place
+  const session = await getSession();
   const state = request.nextUrl.searchParams.get("state");
 
   if (!state) {
@@ -26,24 +26,26 @@ export async function GET(request: NextRequest) {
       },
     );
 
-    console.log("Token Set:", tokenSet);
     const { access_token } = tokenSet;
     const claims = tokenSet.claims()!;
     const { sub } = claims;
-
-    // call userinfo endpoint to get user info
     const userinfo = await client.fetchUserInfo(
       clientConfig!,
       access_token,
       sub,
     );
 
-    console.log("User Info:", userinfo);
+    session.isLoggedIn = true;
+    session.access_token = access_token;
+    session.state = state;
+    session.userInfo = {
+      sub: userinfo.sub,
+    };
+
+    await session.save();
+
+    return NextResponse.redirect(request.nextUrl.origin);
   } catch (e) {
     log.error(e);
   }
-
-  return NextResponse.json({
-    content: "Hello World",
-  });
 }

src/app/auth/callback/route.ts src/app/api/auth/callback/route.tssrc/app/auth/callback/route.ts renamed to src/app/api/auth/callback/route.ts

@@ -0,0 +1,16 @@
+import { defaultSession, getSession } from "@src/utils/auth/session";
+
+export async function GET() {
+  try {
+    const session = await getSession();
+    if (!session) {
+      return Response.json({ defaultSession });
+    }
+    return Response.json({
+      isLoggedIn: session.isLoggedIn,
+      userInfo: session.userInfo,
+    });
+  } catch (e) {
+    return Response.json({ error: e }, { status: 500 });
+  }
+}

src/app/api/auth/session/route.ts

@@ -3,7 +3,7 @@
  */
 
 import { NextRequest, NextResponse } from "next/server";
-import { GET } from "@src/app/auth/sso/route";
+import { GET } from "@src/app/api/auth/sso/route";
 import { getAuthConfig } from "@src/utils/auth/get-auth-config";
 import { getClientConfig } from "@src/utils/auth/get-client-config";
 import * as client from "openid-client";

src/app/auth/sso/route.test.ts src/app/api/auth/sso/route.test.tssrc/app/auth/sso/route.test.ts renamed to src/app/api/auth/sso/route.test.ts

@@ -7,7 +7,6 @@ import * as client from "openid-client";
 const log = logger.child({ module: "sso-route" });
 
 export async function GET(request: NextRequest) {
-  console.log(request);
   const assertedLoginIdentity = request.nextUrl.searchParams.get(
     "assertedLoginIdentity",
   );
@@ -27,7 +26,6 @@ export async function GET(request: NextRequest) {
       asserted_login_identity: assertedLoginIdentity,
     };
     const redirectTo = client.buildAuthorizationUrl(clientConfig, parameters);
-    // TODO: Save state to session so it can be reused in the /token call in /auth/callback route
 
     return NextResponse.redirect(redirectTo);
   } catch (e) {

src/app/auth/sso/route.ts src/app/api/auth/sso/route.tssrc/app/auth/sso/route.ts renamed to src/app/api/auth/sso/route.ts

@@ -0,0 +1,5 @@
+const SsoErrorPage = () => {
+  return <div>Error occured during SSO. Please try again later.</div>;
+};
+
+export default SsoErrorPage;

src/app/sso-error/page.tsx

@@ -0,0 +1,35 @@
+import { NextRequest, NextResponse } from "next/server";
+import { getSession } from "@src/utils/auth/session";
+import { logger } from "@src/utils/logger";
+
+const log = logger.child({ name: "middleware" });
+
+export async function middleware(request: NextRequest) {
+  const sessionCookie = await getSession();
+  logger.info(sessionCookie, "session");
+
+  if (!sessionCookie || !sessionCookie.access_token) {
+    log.error("Session cookie not found");
+    return NextResponse.redirect(`${request.nextUrl.origin}/sso-error`);
+  }
+
+  try {
+    return NextResponse.next();
+  } catch (error) {
+    log.error(error, "Error occurred during redirection");
+    return NextResponse.redirect(`${request.nextUrl.origin}/sso-error`);
+  }
+}
+
+export const config = {
+  matcher: [
+    /*
+     * Apply middleware to all pages except:
+     * 1. /api/* (exclude all API routes)
+     * 2. /sso/* (exclude sso route used for initiating auth flow)
+     * 2. /login (exclude the login page)
+     * 3. /_next/* (exclude Next.js assets, e.g., /_next/static/*)
+     */
+    "/((?!api|sso|_next/static|_next/image).*)",
+  ],
+};

src/middleware.ts

@@ -19,8 +19,6 @@ describe("getAuthConfig", () => {
     jest.clearAllMocks();
   });
   it("is constructed with values from configProvider", async () => {
-    // TODO: VIA-87 22/04/24 Might have to change this, as we haven't decided on the way we'll handle storing/generating
-    //       the URL of the application
     jest.replaceProperty(process, "env", {
       ...process.env,
       VACCINATION_APP_URL: mockVaccinationAppUrl,
@@ -30,7 +28,7 @@ describe("getAuthConfig", () => {
       audience: mockVaccinationAppUrl,
       client_id: mockNhsLoginClientId,
       scope: mockNhsLoginScope,
-      redirect_uri: `${mockVaccinationAppUrl}/auth/callback`,
+      redirect_uri: `${mockVaccinationAppUrl}/api/auth/callback`,
       response_type: "code",
       grant_type: "authorization_code",
       post_login_route: `${mockVaccinationAppUrl}`,