VIA-529 SB Check vot (Vectors of Trust) value from NHS Login.

acerathereinspirative-nhs-nvir · acerathereinspirative-nhs-nvir · commit cccd8dfa8927 · 2025-10-08T10:46:20.000+01:00
diff --git a/src/utils/auth/callbacks/is-valid-signin.test.ts b/src/utils/auth/callbacks/is-valid-signin.test.ts
@@ -36,19 +36,63 @@ describe("isValidSignIn", () => {
       iss: mockConfig.NHS_LOGIN_URL,
       aud: mockConfig.NHS_LOGIN_CLIENT_ID,
       identity_proofing_level: "P9",
+      vot: "P9.Cp.Ck",
     });
 
     const result = isValidSignIn(mockAccount, mockConfig);
     expect(result).toBe(true);
   });
 
-  it("should return false and logs if token is invalid", () => {
+  it("should return false and logs if iss is invalid", () => {
     const mockAccount = { id_token: "invalid-token" } as Account;
 
     (jwtDecode as jest.Mock).mockReturnValue({
       iss: "incorrect-issuer",
+      aud: mockConfig.NHS_LOGIN_CLIENT_ID,
+      identity_proofing_level: "P9",
+      vot: "P9.Cp.Ck",
+    });
+
+    const result = isValidSignIn(mockAccount, mockConfig);
+    expect(result).toBe(false);
+  });
+
+  it("should return false and logs if aud is invalid", () => {
+    const mockAccount = { id_token: "invalid-token" } as Account;
+
+    (jwtDecode as jest.Mock).mockReturnValue({
+      iss: mockConfig.NHS_LOGIN_URL,
       aud: "incorrect-audience",
+      identity_proofing_level: "P9",
+      vot: "P9.Cp.Ck",
+    });
+
+    const result = isValidSignIn(mockAccount, mockConfig);
+    expect(result).toBe(false);
+  });
+
+  it("should return false and logs if identity_proofing_level is invalid", () => {
+    const mockAccount = { id_token: "invalid-token" } as Account;
+
+    (jwtDecode as jest.Mock).mockReturnValue({
+      iss: mockConfig.NHS_LOGIN_URL,
+      aud: mockConfig.NHS_LOGIN_CLIENT_ID,
       identity_proofing_level: "P0",
+      vot: "P9.Cp.Ck",
+    });
+
+    const result = isValidSignIn(mockAccount, mockConfig);
+    expect(result).toBe(false);
+  });
+
+  it("should return false and logs if vot is invalid", () => {
+    const mockAccount = { id_token: "invalid-token" } as Account;
+
+    (jwtDecode as jest.Mock).mockReturnValue({
+      iss: mockConfig.NHS_LOGIN_URL,
+      aud: mockConfig.NHS_LOGIN_CLIENT_ID,
+      identity_proofing_level: "P9",
+      vot: "P9.Sausages",
     });
 
     const result = isValidSignIn(mockAccount, mockConfig);
diff --git a/src/utils/auth/callbacks/is-valid-signin.ts b/src/utils/auth/callbacks/is-valid-signin.ts
@@ -9,17 +9,22 @@ const log: Logger = logger.child({
   module: "utils-auth-callbacks-is-valid-signin",
 });
 
+const ACCEPTED_VOTS = ["P9.Cp.Cd", "P9.Cp.Ck", "P9.Cm"];
+
 const isValidSignIn = (account: Account | null | undefined, config: AppConfig) => {
   if (!account || typeof account.id_token !== "string") {
     log.info("Access denied from signIn callback. Account or id_token missing.");
     return false;
   }
 
   const decodedToken = jwtDecode<DecodedIdToken>(account.id_token);
-  const { iss, aud, identity_proofing_level } = decodedToken;
+  const { iss, aud, identity_proofing_level, vot } = decodedToken;
 
   const isValidToken =
-    iss === config.NHS_LOGIN_URL && aud === config.NHS_LOGIN_CLIENT_ID && identity_proofing_level === "P9";
+    iss === config.NHS_LOGIN_URL &&
+    aud === config.NHS_LOGIN_CLIENT_ID &&
+    identity_proofing_level === "P9" &&
+    ACCEPTED_VOTS.includes(vot);
 
   if (!isValidToken) {
     log.info({ context: decodedToken }, "Access denied from signIn callback.");
diff --git a/src/utils/auth/types.d.ts b/src/utils/auth/types.d.ts
@@ -15,6 +15,7 @@ export interface DecodedIdToken {
   aud: string;
   identity_proofing_level: string;
   jti: string;
+  vot: string;
 }
 
 export type APIMClientAssertionPayload = {

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@ export interface DecodedIdToken {`
`15`	`15`	`aud: string;`
`16`	`16`	`identity_proofing_level: string;`
`17`	`17`	`jti: string;`
	`18`	`+ vot: string;`
`18`	`19`	`}`
`19`	`20`
`20`	`21`	`export type APIMClientAssertionPayload = {`