VIA-172 AS Extract auth signIn callback functionality into a new file

Author: anoop-surej-nhs

auth.ts

@@ -1,14 +1,13 @@
 import NHSLoginAuthProvider from "@src/app/api/auth/[...nextauth]/provider";
 import { SESSION_LOGOUT_ROUTE } from "@src/app/session-logout/constants";
 import { SSO_FAILURE_ROUTE } from "@src/app/sso-failure/constants";
-import type { DecodedToken } from "@src/utils/auth/types";
 import { AppConfig, configProvider } from "@src/utils/config";
 import { logger } from "@src/utils/logger";
 import NextAuth from "next-auth";
 import "next-auth/jwt";
-import { jwtDecode } from "jwt-decode";
 import { Logger } from "pino";
 import { generateClientAssertion } from "@src/utils/auth/generate-refresh-client-assertion";
+import { isValidSignIn } from "@src/utils/auth/callbacks/isValidSignIn";
 
 const log: Logger = logger.child({ module: "auth" });
 
@@ -34,23 +33,7 @@ export const { handlers, signIn, signOut, auth } = NextAuth(async () => {
     trustHost: true,
     callbacks: {
       async signIn({ account }) {
-        if (!account || typeof account.id_token !== "string") {
-          log.info("Access denied from signIn callback. Account or id_token missing.");
-          return false;
-        }
-
-        const decodedToken = jwtDecode<DecodedToken>(account.id_token);
-        const { iss, aud, identity_proofing_level } = decodedToken;
-
-        const isValidToken =
-          iss === config.NHS_LOGIN_URL &&
-          aud === config.NHS_LOGIN_CLIENT_ID &&
-          identity_proofing_level === "P9";
-
-        if (!isValidToken) {
-          log.info(`Access denied from signIn callback. iss: ${iss}, aud: ${aud}, identity_proofing_level: ${identity_proofing_level}`);
-        }
-        return isValidToken;
+        return isValidSignIn(config, log, account);
       },
 
       async jwt({ token, account, profile}) {

src/utils/auth/callbacks/isValidSignIn.test.ts

@@ -0,0 +1,77 @@
+import { isValidSignIn } from "@src/utils/auth/callbacks/isValidSignIn";
+import { AppConfig } from "@src/utils/config";
+import { Account } from "next-auth";
+import { jwtDecode } from "jwt-decode";
+import { Logger } from "pino";
+
+jest.mock("jwt-decode");
+
+describe("isValidSignIn", () => {
+  const mockConfig = {
+    NHS_LOGIN_URL: "https://mock.nhs.login",
+    NHS_LOGIN_CLIENT_ID: "mock-client-id",
+  } as AppConfig;
+
+  const mockLog = {
+    info: jest.fn(),
+  } as unknown as Logger;
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it("should return false and logs if account is null", () => {
+    expect(isValidSignIn(mockConfig, mockLog, null)).toBe(false);
+    expect(mockLog.info).toHaveBeenCalledWith(
+      "Access denied from signIn callback. Account or id_token missing.",
+    );
+  });
+
+  it("should return false and logs if account is undefined", () => {
+    expect(isValidSignIn(mockConfig, mockLog, undefined)).toBe(false);
+    expect(mockLog.info).toHaveBeenCalledWith(
+      "Access denied from signIn callback. Account or id_token missing.",
+    );
+  });
+
+  it("should return false and logs if id_token is not a string", () => {
+    expect(
+      isValidSignIn(mockConfig, mockLog, {
+        id_token: 123,
+      } as unknown as Account),
+    ).toBe(false);
+    expect(mockLog.info).toHaveBeenCalledWith(
+      "Access denied from signIn callback. Account or id_token missing.",
+    );
+  });
+
+  it("should return true if token is valid", () => {
+    const mockAccount = { id_token: "valid-token" } as Account;
+
+    (jwtDecode as jest.Mock).mockReturnValue({
+      iss: mockConfig.NHS_LOGIN_URL,
+      aud: mockConfig.NHS_LOGIN_CLIENT_ID,
+      identity_proofing_level: "P9",
+    });
+
+    const result = isValidSignIn(mockConfig, mockLog, mockAccount);
+    expect(result).toBe(true);
+    expect(mockLog.info).not.toHaveBeenCalled();
+  });
+
+  it("should return false and logs if token is invalid", () => {
+    const mockAccount = { id_token: "invalid-token" } as Account;
+
+    (jwtDecode as jest.Mock).mockReturnValue({
+      iss: "incorrect-issuer",
+      aud: "incorrect-audience",
+      identity_proofing_level: "P0",
+    });
+
+    const result = isValidSignIn(mockConfig, mockLog, mockAccount);
+    expect(result).toBe(false);
+    expect(mockLog.info).toHaveBeenCalledWith(
+      "Access denied from signIn callback. iss: incorrect-issuer, aud: incorrect-audience, identity_proofing_level: P0",
+    );
+  });
+});

src/utils/auth/callbacks/isValidSignIn.ts

@@ -0,0 +1,35 @@
+import { Account } from "next-auth";
+import { AppConfig } from "@src/utils/config";
+import { jwtDecode } from "jwt-decode";
+import type { DecodedToken } from "@src/utils/auth/types";
+import { Logger } from "pino";
+
+const isValidSignIn = (
+  config: AppConfig,
+  log: Logger,
+  account: Account | null | undefined,
+) => {
+  if (!account || typeof account.id_token !== "string") {
+    log.info(
+      "Access denied from signIn callback. Account or id_token missing.",
+    );
+    return false;
+  }
+
+  const decodedToken = jwtDecode<DecodedToken>(account.id_token);
+  const { iss, aud, identity_proofing_level } = decodedToken;
+
+  const isValidToken =
+    iss === config.NHS_LOGIN_URL &&
+    aud === config.NHS_LOGIN_CLIENT_ID &&
+    identity_proofing_level === "P9";
+
+  if (!isValidToken) {
+    log.info(
+      `Access denied from signIn callback. iss: ${iss}, aud: ${aud}, identity_proofing_level: ${identity_proofing_level}`,
+    );
+  }
+  return isValidToken;
+};
+
+export { isValidSignIn };

src/utils/auth/generate-refresh-client-assertion.test.ts

@@ -28,14 +28,12 @@ describe("generateClientAssertion", () => {
   });
 
   beforeEach(() => {
-    // Reset mocks before each test
     (pemToCryptoKey as jest.Mock).mockReset();
     randomUUIDSpy.mockClear();
     subtleSignSpy.mockClear();
   });
 
   afterAll(() => {
-    // Restore original implementations after all tests in this describe block
     randomUUIDSpy.mockRestore();
     subtleSignSpy.mockRestore();
   });