VIA-254 Check APIM expiry time when calling EliD and refresh if ness

donna-belsey-nhs · anoop-surej-nhs · commit 5bf67bc039d6 · 2025-09-22T11:08:33.000+01:00
Mitigates issue with being unable to set the secure cookie from a server
action (see comments on VIA-254 for details); allow EliD service to get
its own new token if the cached token has expired.
diff --git a/src/services/eligibility-api/gateway/fetch-eligibility-content.ts b/src/services/eligibility-api/gateway/fetch-eligibility-content.ts
@@ -41,7 +41,7 @@ export const fetchEligibilityContent = async (nhsNumber: NhsNumber): Promise<Eli
   };
 
   if (config.IS_APIM_AUTH_ENABLED) {
-    const apimAccessToken = await getApimAccessToken();
+    const apimAccessToken = await getApimAccessToken(config);
     headers = { ...headers, Authorization: `Bearer ${apimAccessToken}` };
   }
 
diff --git a/src/utils/auth/apim/get-apim-access-token.test.ts b/src/utils/auth/apim/get-apim-access-token.test.ts
@@ -1,7 +1,10 @@
 import { fetchAPIMAccessToken } from "@src/utils/auth/apim/fetch-apim-access-token";
 import { getApimAccessToken, retrieveApimCredentials } from "@src/utils/auth/apim/get-apim-access-token";
+import { _getOrRefreshApimCredentials } from "@src/utils/auth/callbacks/get-token";
 import { getJwtToken } from "@src/utils/auth/get-jwt-token";
 import { AccessToken, IdToken } from "@src/utils/auth/types";
+import { AppConfig } from "@src/utils/config";
+import { appConfigBuilder } from "@test-data/config/builders";
 
 jest.mock("@src/utils/auth/get-jwt-token", () => ({
   getJwtToken: jest.fn(),
@@ -12,25 +15,59 @@ jest.mock("@src/utils/auth/apim/fetch-apim-access-token", () => ({
 }));
 jest.mock("sanitize-data", () => ({ sanitize: jest.fn() }));
 
+jest.mock("@src/utils/auth/callbacks/get-token", () => ({
+  _getOrRefreshApimCredentials: jest.fn(),
+}));
+
+const mockConfig: AppConfig = appConfigBuilder().build();
+const nowInSeconds = 1000;
+
+const apimAccessTokenFromJwt = "test-access-token" as AccessToken;
+const mockJwtToken = {
+  apim: {
+    access_token: apimAccessTokenFromJwt,
+    expires_in: "600000",
+    refresh_token_expires_at: "700000",
+  },
+};
+
 describe("getApimAccessToken", () => {
-  it("should use access token from JWT token when APIM access token populated", async () => {
-    (getJwtToken as jest.Mock).mockResolvedValue({
-      apim: {
-        access_token: "test-access-token" as AccessToken,
-        expires_in: "600000",
-        refresh_token_expires_at: "700000",
-      },
+  beforeAll(() => {
+    jest.useFakeTimers();
+    jest.setSystemTime(nowInSeconds * 1000);
+  });
+
+  afterAll(() => {
+    jest.useRealTimers();
+  });
+
+  it("should pass JWT token to getOrRefresh method and return what it returns", async () => {
+    const getOrRefreshedApimAccessToken = "apim-access-token";
+    (_getOrRefreshApimCredentials as jest.Mock).mockResolvedValue({
+      accessToken: getOrRefreshedApimAccessToken,
+      expiresAt: nowInSeconds + 1111,
     });
 
-    const apimAccessToken = await getApimAccessToken();
+    (getJwtToken as jest.Mock).mockResolvedValue(mockJwtToken);
+
+    const apimAccessToken = await getApimAccessToken(mockConfig);
 
-    expect(apimAccessToken).toEqual("test-access-token" as AccessToken);
+    expect(_getOrRefreshApimCredentials).toHaveBeenCalledWith(mockConfig, mockJwtToken, nowInSeconds);
+    expect(apimAccessToken).toEqual(getOrRefreshedApimAccessToken as AccessToken);
   });
 
   it("should throw error if APIM access token not available in JWT token", async () => {
     (getJwtToken as jest.Mock).mockResolvedValue({ apim: {} });
 
-    await expect(getApimAccessToken()).rejects.toThrow("APIM access token is not present on JWT token");
+    await expect(getApimAccessToken(mockConfig)).rejects.toThrow("APIM access token is not present on JWT token");
+  });
+
+  it("should throw error if _getOrRefresh APIM access token returns undefined", async () => {
+    (_getOrRefreshApimCredentials as jest.Mock).mockResolvedValue(undefined);
+
+    (getJwtToken as jest.Mock).mockResolvedValue(mockJwtToken);
+
+    await expect(getApimAccessToken(mockConfig)).rejects.toThrow("getOrRefreshApimCredentials returned undefined");
   });
 });
 
diff --git a/src/utils/auth/apim/get-apim-access-token.ts b/src/utils/auth/apim/get-apim-access-token.ts
@@ -1,13 +1,15 @@
 import { ApimMissingTokenError } from "@src/utils/auth/apim/exceptions";
 import { fetchAPIMAccessToken } from "@src/utils/auth/apim/fetch-apim-access-token";
 import { ApimAccessCredentials, ApimTokenResponse } from "@src/utils/auth/apim/types";
+import { _getOrRefreshApimCredentials } from "@src/utils/auth/callbacks/get-token";
 import { getJwtToken } from "@src/utils/auth/get-jwt-token";
 import { AccessToken, ExpiresAt, IdToken } from "@src/utils/auth/types";
+import { AppConfig } from "@src/utils/config";
 import { logger } from "@src/utils/logger";
 
 const log = logger.child({ module: "utils-auth-apim-get-apim-access-token" });
 
-const getApimAccessToken = async (): Promise<AccessToken> => {
+const getApimAccessToken = async (config: AppConfig): Promise<AccessToken> => {
   /**
    * Gets the APIM access token from the JWT session cookie.
    *
@@ -22,8 +24,19 @@ const getApimAccessToken = async (): Promise<AccessToken> => {
     log.error({ context: { token } }, "APIM access token is not present on JWT token");
     throw new ApimMissingTokenError("APIM access token is not present on JWT token");
   }
-  log.info(`Preparing to fetch-eligibility-content: APIM expires at ${token.apim.expires_at}`);
-  return token.apim.access_token;
+
+  // Extract APIM token from token. Fetch a new one if it's about to expire
+  const nowInSeconds = Math.floor(Date.now() / 1000);
+  const apimAccessCredentials = await _getOrRefreshApimCredentials(config, token, nowInSeconds);
+
+  if (!apimAccessCredentials) {
+    // TODO: consider error type, message and re-word if ness
+    log.error("Error: getOrRefreshApimCredentials returned undefined");
+    throw new Error("getOrRefreshApimCredentials returned undefined");
+  } else {
+    log.info(`Preparing to fetch-eligibility-content: APIM expires at ${apimAccessCredentials.expiresAt}`);
+    return apimAccessCredentials.accessToken;
+  }
 };
 
 const retrieveApimCredentials = async (idToken: IdToken): Promise<ApimAccessCredentials> => {
diff --git a/src/utils/auth/callbacks/get-token.ts b/src/utils/auth/callbacks/get-token.ts
@@ -68,7 +68,8 @@ const getToken = async (
 };
 
 async function _getOrRefreshApimCredentials(config: AppConfig, token: JWT, nowInSeconds: number) {
-  let updatedApimCredentals: ApimAccessCredentials | undefined;
+  // Check the APIM creds on the token; if valid return them, else if empty or expiring soon fetch new creds
+  let apimCredentials: ApimAccessCredentials | undefined;
 
   const cryproAvailable = process.env.NEXT_RUNTIME === "nodejs";
   if (config.IS_APIM_AUTH_ENABLED && cryproAvailable) {
@@ -79,9 +80,12 @@ async function _getOrRefreshApimCredentials(config: AppConfig, token: JWT, nowIn
         { context: { existingApimCredentals: token.apim } },
         "getOrRefreshApimCredentials: Getting new APIM creds.",
       );
-      updatedApimCredentals = await retrieveApimCredentials(token.nhs_login.id_token);
-      log.info(`First APIM token fetched. expiry time: ${updatedApimCredentals.expiresAt}`);
-      log.debug({ context: { updatedApimCredentals } }, "getOrRefreshApimCredentials: New APIM creds retrieved.");
+      apimCredentials = await retrieveApimCredentials(token.nhs_login.id_token);
+      log.info(`First APIM token fetched. expiry time: ${apimCredentials.expiresAt}`);
+      log.debug(
+        { context: { updatedApimCredentals: apimCredentials } },
+        "getOrRefreshApimCredentials: New APIM creds retrieved.",
+      );
     } else {
       const expiryWriggleRoom = 30;
       const expiresSoonAt: ExpiresSoonAt = (token.apim?.expires_at - expiryWriggleRoom) as ExpiresSoonAt;
@@ -93,22 +97,26 @@ async function _getOrRefreshApimCredentials(config: AppConfig, token: JWT, nowIn
         );
 
         log.info(`APIM token expires soon ${token.apim.expires_at} ; fetching new token`);
-        updatedApimCredentals = await retrieveApimCredentials(token.nhs_login.id_token);
+        apimCredentials = await retrieveApimCredentials(token.nhs_login.id_token);
         log.debug(
-          { context: { updatedApimCredentals } },
+          { context: { updatedApimCredentals: apimCredentials } },
           "getOrRefreshApimCredentials: Refreshed APIM creds retrieved.",
         );
 
-        log.info(`New APIM token fetched. expiry time: ${updatedApimCredentals.expiresAt}`);
+        log.info(`New APIM token fetched. expiry time: ${apimCredentials.expiresAt}`);
       } else {
         log.debug(
           { context: { existingApimCredentals: token.apim, timeRemaining: expiresSoonAt - nowInSeconds } },
           "getOrRefreshApimCredentials: APIM creds still fresh.",
         );
+        apimCredentials = {
+          accessToken: token.apim.access_token,
+          expiresAt: token.apim.expires_at,
+        };
       }
     }
   }
-  return updatedApimCredentals;
+  return apimCredentials;
 }
 
 const fillMissingFieldsInTokenWithDefaultValues = (token: JWT, apimAccessCredentials?: ApimAccessCredentials): JWT => {
@@ -152,4 +160,4 @@ const updateTokenWithValuesFromAccountAndProfile = (
   return updatedToken;
 };
 
-export { getToken };
+export { getToken, _getOrRefreshApimCredentials };

Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ export const fetchEligibilityContent = async (nhsNumber: NhsNumber): Promise<Eli`
`41`	`41`	`};`
`42`	`42`
`43`	`43`	`if (config.IS_APIM_AUTH_ENABLED) {`
`44`		`- const apimAccessToken = await getApimAccessToken();`
	`44`	`+ const apimAccessToken = await getApimAccessToken(config);`
`45`	`45`	headers = { ...headers, Authorization: `Bearer ${apimAccessToken}` };
`46`	`46`	`}`
`47`	`47`