VIA-254 Extract inspecting token for APIM creds and checking expiry into separate method

donna-belsey-nhs · anoop-surej-nhs · commit ffaddf74d3fa · 2025-09-22T11:08:33.000+01:00
Previously a private method in getToken file, now called from two places
(getToken and the EliD fetch service).

Modify method to return existing token if available (this required
adding login in specifically for the Edge runtime to ensure existing
tokens are not dropped).
diff --git a/src/utils/auth/apim/get-apim-access-token.test.ts b/src/utils/auth/apim/get-apim-access-token.test.ts
@@ -1,6 +1,6 @@
 import { fetchAPIMAccessToken } from "@src/utils/auth/apim/fetch-apim-access-token";
 import { getApimAccessToken, retrieveApimCredentials } from "@src/utils/auth/apim/get-apim-access-token";
-import { _getOrRefreshApimCredentials } from "@src/utils/auth/callbacks/get-token";
+import { _getOrRefreshApimCredentials } from "@src/utils/auth/apim/get-or-refresh-apim-credentials";
 import { getJwtToken } from "@src/utils/auth/get-jwt-token";
 import { AccessToken, IdToken } from "@src/utils/auth/types";
 import { AppConfig } from "@src/utils/config";
@@ -15,7 +15,7 @@ jest.mock("@src/utils/auth/apim/fetch-apim-access-token", () => ({
 }));
 jest.mock("sanitize-data", () => ({ sanitize: jest.fn() }));
 
-jest.mock("@src/utils/auth/callbacks/get-token", () => ({
+jest.mock("@src/utils/auth/apim/get-or-refresh-apim-credentials", () => ({
   _getOrRefreshApimCredentials: jest.fn(),
 }));
 
diff --git a/src/utils/auth/apim/get-apim-access-token.ts b/src/utils/auth/apim/get-apim-access-token.ts
@@ -1,7 +1,7 @@
 import { ApimMissingTokenError } from "@src/utils/auth/apim/exceptions";
 import { fetchAPIMAccessToken } from "@src/utils/auth/apim/fetch-apim-access-token";
+import { _getOrRefreshApimCredentials } from "@src/utils/auth/apim/get-or-refresh-apim-credentials";
 import { ApimAccessCredentials, ApimTokenResponse } from "@src/utils/auth/apim/types";
-import { _getOrRefreshApimCredentials } from "@src/utils/auth/callbacks/get-token";
 import { getJwtToken } from "@src/utils/auth/get-jwt-token";
 import { AccessToken, ExpiresAt, IdToken } from "@src/utils/auth/types";
 import { AppConfig } from "@src/utils/config";
@@ -25,12 +25,10 @@ const getApimAccessToken = async (config: AppConfig): Promise<AccessToken> => {
     throw new ApimMissingTokenError("APIM access token is not present on JWT token");
   }
 
-  // Extract APIM token from token. Fetch a new one if it's about to expire
   const nowInSeconds = Math.floor(Date.now() / 1000);
   const apimAccessCredentials = await _getOrRefreshApimCredentials(config, token, nowInSeconds);
 
   if (!apimAccessCredentials) {
-    // TODO: consider error type, message and re-word if ness
     log.error("Error: getOrRefreshApimCredentials returned undefined");
     throw new Error("getOrRefreshApimCredentials returned undefined");
   } else {
diff --git a/src/utils/auth/apim/get-or-refresh-apim-credentials.test.ts b/src/utils/auth/apim/get-or-refresh-apim-credentials.test.ts
@@ -0,0 +1,145 @@
+import { retrieveApimCredentials } from "@src/utils/auth/apim/get-apim-access-token";
+import { _getOrRefreshApimCredentials } from "@src/utils/auth/apim/get-or-refresh-apim-credentials";
+import { AppConfig } from "@src/utils/config";
+import { appConfigBuilder } from "@test-data/config/builders";
+import { JWT } from "next-auth/jwt";
+
+jest.mock("@src/utils/auth/apim/get-apim-access-token", () => ({
+  retrieveApimCredentials: jest.fn(),
+}));
+
+jest.mock("sanitize-data", () => ({ sanitize: jest.fn() }));
+
+describe("getOrRefreshApimCredentials", () => {
+  describe("when AUTH APIM is available", () => {
+    const oldNEXT_RUNTIME = process.env.NEXT_RUNTIME;
+
+    const mockConfig: AppConfig = appConfigBuilder().andIS_APIM_AUTH_ENABLED(true).build();
+
+    const nowInSeconds = 1749052001;
+
+    beforeEach(() => {
+      jest.clearAllMocks();
+      jest.useFakeTimers().setSystemTime(nowInSeconds * 1000);
+      process.env.NEXT_RUNTIME = "nodejs";
+    });
+
+    beforeEach(async () => {
+      (retrieveApimCredentials as jest.Mock).mockResolvedValue({
+        accessToken: "new-apim-access-token",
+        expiresAt: nowInSeconds + 1111,
+      });
+    });
+
+    afterEach(() => {
+      jest.resetAllMocks();
+      process.env.NEXT_RUNTIME = oldNEXT_RUNTIME;
+    });
+
+    afterAll(() => {
+      jest.useRealTimers();
+    });
+
+    it("should return undefined and logs error if token does not contain id_token", async () => {
+      const token = { apim: {}, nhs_login: {} } as JWT;
+
+      const result = await _getOrRefreshApimCredentials(mockConfig, token, nowInSeconds);
+
+      expect(result).toBeUndefined();
+    });
+
+    it("should return new APIM creds if stored creds are empty", async () => {
+      const token = { apim: {}, nhs_login: { id_token: "id-token" } } as JWT;
+
+      const result = await _getOrRefreshApimCredentials(mockConfig, token, nowInSeconds);
+
+      expect(result).toMatchObject({
+        accessToken: "new-apim-access-token",
+        expiresAt: nowInSeconds + 1111,
+      });
+    });
+
+    it("should return stored APIM creds if fresh", async () => {
+      const token = {
+        apim: {
+          access_token: "old-access-token",
+          expires_at: nowInSeconds + 60,
+        },
+        nhs_login: { id_token: "old-id-token" },
+      } as JWT;
+
+      const result = await _getOrRefreshApimCredentials(mockConfig, token, nowInSeconds);
+
+      expect(result).toEqual({
+        accessToken: "old-access-token",
+        expiresAt: nowInSeconds + 60,
+      });
+    });
+
+    it("should return new APIM creds if expired", async () => {
+      const token = {
+        apim: { access_token: "old-access-token", expires_at: nowInSeconds - 60 },
+        nhs_login: { id_token: "id-token" },
+      } as JWT;
+
+      const result = await _getOrRefreshApimCredentials(mockConfig, token, nowInSeconds);
+
+      expect(result).toEqual({
+        accessToken: "new-apim-access-token",
+        expiresAt: nowInSeconds + 1111,
+      });
+    });
+
+    describe("when invoked from Edge runtime", () => {
+      it("should return stored APIM creds without checking expiry", async () => {
+        process.env.NEXT_RUNTIME = "edge";
+        const token = {
+          apim: { access_token: "stored-access-token", expires_at: 88 },
+          nhs_login: { id_token: "id-token" },
+        } as JWT;
+
+        const result = await _getOrRefreshApimCredentials(mockConfig, token, nowInSeconds);
+
+        expect(result).toEqual({
+          accessToken: "stored-access-token",
+          expiresAt: 88,
+        });
+      });
+
+      it("should return undefined if APIM creds empty", async () => {
+        process.env.NEXT_RUNTIME = "edge";
+        const token = { apim: {}, nhs_login: { id_token: "id-token" } } as JWT;
+
+        const result = await _getOrRefreshApimCredentials(mockConfig, token, nowInSeconds);
+        expect(result).toBeUndefined();
+      });
+    });
+  });
+
+  describe("when AUTH APIM is not available", () => {
+    const mockConfig: AppConfig = appConfigBuilder().andIS_APIM_AUTH_ENABLED(false).build();
+
+    const nowInSeconds = 1749052001;
+
+    beforeEach(() => {
+      jest.clearAllMocks();
+      jest.useFakeTimers().setSystemTime(nowInSeconds * 1000);
+    });
+
+    afterEach(() => {
+      jest.resetAllMocks();
+    });
+
+    afterAll(() => {
+      jest.useRealTimers();
+    });
+
+    it("should return undefined if APIM auth is not enabled", async () => {
+      const token = { apim: {}, nhs_login: { id_token: "id-token" } } as JWT;
+
+      const result = await _getOrRefreshApimCredentials(mockConfig, token, nowInSeconds);
+
+      expect(result).toBeUndefined();
+    });
+  });
+});
diff --git a/src/utils/auth/apim/get-or-refresh-apim-credentials.ts b/src/utils/auth/apim/get-or-refresh-apim-credentials.ts
@@ -0,0 +1,74 @@
+import { retrieveApimCredentials } from "@src/utils/auth/apim/get-apim-access-token";
+import { ApimAccessCredentials } from "@src/utils/auth/apim/types";
+import { ExpiresSoonAt } from "@src/utils/auth/types";
+import { AppConfig } from "@src/utils/config";
+import { logger } from "@src/utils/logger";
+import { JWT } from "next-auth/jwt";
+import { Logger } from "pino";
+
+const log: Logger = logger.child({ module: "get-or-refresh-apim-credentials" });
+
+async function _getOrRefreshApimCredentials(config: AppConfig, token: JWT, nowInSeconds: number) {
+  // Return the APIM creds from the token if still valid, or fetch new creds from APIM if expiring soon or empty
+  let apimCredentials: ApimAccessCredentials | undefined;
+
+  const cryproAvailable = process.env.NEXT_RUNTIME === "nodejs";
+
+  if (!cryproAvailable) {
+    // edge runtime
+    if (token?.apim?.access_token && token?.apim?.expires_at) {
+      return {
+        accessToken: token?.apim?.access_token,
+        expiresAt: token?.apim?.expires_at,
+      };
+    } else return undefined;
+  }
+
+  if (config.IS_APIM_AUTH_ENABLED && cryproAvailable) {
+    if (!token.nhs_login?.id_token) {
+      log.debug("getOrRefreshApimCredentials: No NHS login ID token available. Not getting APIM creds.");
+    } else if (!token.apim?.access_token || token.apim.access_token === "") {
+      log.debug(
+        { context: { existingApimCredentals: token.apim } },
+        "getOrRefreshApimCredentials: Getting new APIM creds.",
+      );
+      apimCredentials = await retrieveApimCredentials(token.nhs_login.id_token);
+      log.info(`First APIM token fetched. expiry time: ${apimCredentials.expiresAt}`);
+      log.debug(
+        { context: { updatedApimCredentals: apimCredentials } },
+        "getOrRefreshApimCredentials: New APIM creds retrieved.",
+      );
+    } else {
+      const expiryWriggleRoom = 30;
+      const expiresSoonAt: ExpiresSoonAt = (token.apim?.expires_at - expiryWriggleRoom) as ExpiresSoonAt;
+
+      if (expiresSoonAt < nowInSeconds) {
+        log.debug(
+          { context: { existingApimCredentals: token.apim } },
+          "getOrRefreshApimCredentials: Refreshing APIM creds.",
+        );
+
+        log.info(`APIM token expires soon ${token.apim.expires_at} ; fetching new token`);
+        apimCredentials = await retrieveApimCredentials(token.nhs_login.id_token);
+        log.debug(
+          { context: { updatedApimCredentals: apimCredentials } },
+          "getOrRefreshApimCredentials: Refreshed APIM creds retrieved.",
+        );
+
+        log.info(`New APIM token fetched. expiry time: ${apimCredentials.expiresAt}`);
+      } else {
+        log.debug(
+          { context: { existingApimCredentals: token.apim, timeRemaining: expiresSoonAt - nowInSeconds } },
+          "getOrRefreshApimCredentials: APIM creds still fresh.",
+        );
+        apimCredentials = {
+          accessToken: token.apim.access_token,
+          expiresAt: token.apim.expires_at,
+        };
+      }
+    }
+  }
+  return apimCredentials;
+}
+
+export { _getOrRefreshApimCredentials };
diff --git a/src/utils/auth/callbacks/get-token.test.ts b/src/utils/auth/callbacks/get-token.test.ts
diff --git a/src/utils/auth/callbacks/get-token.ts b/src/utils/auth/callbacks/get-token.ts
