Fix email parsing and remove roles check

gecBurton · claude · gecBurton · commit ac2b1e3b5d94 · 2026-02-21T09:49:09.000Z
- Fixed bug in auth.ts where email was discarded when realm_access was missing
- Simplified parseAuthToken to only return email (removed roles)
- Removed roles authorization check in middleware (redundant with ALB auth)
- Added debug logging for token parsing in post-message.ts
- Fixed TypeScript types in middleware

This fixes the "null value in column useremail" error by ensuring tokens
with just email field (no realm_access) are properly handled.

Co-Authored-By: Claude Sonnet 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/frontend/src/auth.ts b/frontend/src/auth.ts
@@ -5,7 +5,7 @@ import { decodeJwt } from 'jose';
 export async function parseAuthToken(header: string) {
   if (!header) {
     console.error('No auth token provided to parse');
-    return { email: null, roles: [] };
+    return { email: null };
   }
 
   // Decode without verification since we're using auth-at-the-edge and can trust all traffic
@@ -14,27 +14,16 @@ export async function parseAuthToken(header: string) {
     tokenContent = decodeJwt(header);
   } catch(error) {
     console.error('Malformed JWT during decoding: ' + header, error);
-    return { email: null, roles: [] };
+    return { email: null };
   }
 
   const email = tokenContent.email as string | undefined;
   if (!email) {
     console.error('No email found in token');
-    return null;
+    return { email: null };
   }
 
-  const realmAccess = tokenContent.realm_access as { roles?: string[] } | undefined;
-  if (!realmAccess) {
-    console.error('No realm access information found in token');
-    return { email: null, roles: [] };
-  }
-
-  const roles = realmAccess.roles || [];
-  // console.debug(`Roles found for user ${email}: ${roles}`);
-  return {
-    email,
-    roles,
-  };
+  return { email };
 }
 
 
diff --git a/frontend/src/middleware.ts b/frontend/src/middleware.ts
@@ -1,4 +1,5 @@
 import 'dotenv/config';
+import type { MiddlewareNext } from 'astro';
 import { parseAuthToken } from './auth.ts';
 
 // Define paths that should be public (no authorisation required)
@@ -11,7 +12,7 @@ const PUBLIC_PATHS = [
 ];
 const TEST_AUTHORISATION_JWT = 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOiIxNzM5ODk2MTk5IiwiaWF0IjoiMTczOTg5NTg5OSIsImF1dGhfdGltZSI6IjE3Mzk4OTM1MjkiLCJqdGkiOiIyYmVmOGI1ZS0yOGY0LTQ2OWQtYWQ2My1lZjJlNDgxNzliODYiLCJpc3MiOiJodHRwczovL2xvY2FsLXRlc3Rpbmcub2JmdXNjYXRlZC50ZXN0LmRvbWFpbi5nb3YudWsvcmVhbG1zL29iZnVzY2F0ZWQiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiYmMzNzNkZTQtNDAyMi00NmIyLTgxNTEtZjA0NjEzNzhlOWNiIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoibWludXRlIiwic2lkIjoiYzM2NmE5ZmUtMDNiNC00MjIxLWI0ZWItOTE0MzMzNWFhNjUyIiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6WyJodHRwczovL2xvY2FsLXRlc3Rpbmcub2JmdXNjYXRlZC50ZXN0LmRvbWFpbi5nb3YudWsiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbImxvY2FsLXRlc3RpbmciXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIiwiZW1haWxfdmVyaWZpZWQiOiJ0cnVlIiwicHJlZmVycmVkX3VzZXJuYW1lIjoidGVzdEB0ZXN0LmNvLnVrIiwiZW1haWwiOiJ0ZXN0QHRlc3QuY28udWsifQ.Pmlltl1M0Q9EAkU96J_zkPJUjjh2TGhQGzfi0v2J-IrxUt1KTnGEcnEk09TUJjdCuyIgO9YEH-uGj5MihnGj6PqCQjq17lWP5YUjYyjgrULfgM6jZ_659RK31wZdRg_72yiy-BeVd-c-v7UzRtdTXIMkwn_aWEIp7own__jfZV_E_32KfelgtwzljVGHjGXdz_Irg6_2B4lbRn8ipWAn3SDlM9Cj8aJw7q5qq7XPk9KkXclivi4bMQJ9RNgMxtgitFtdINRF1A9_pkbERM1LliAgvW-FTLwmVECAGDQyoE8xDQuti8JgixvM22WfpdznSLd2gWAWMiyYZJwRxzFSVw'; // pragma: allowlist secret
 
-export async function onRequest(context, next) {
+export async function onRequest(context: any, next: MiddlewareNext) {
   const pathname = new URL(context.request.url).pathname;
 
   // Check if the requested path is public
@@ -33,7 +34,7 @@ export async function onRequest(context, next) {
       return redirectToUnauthorised(context);
     }
 
-    const { email, roles } = await parseAuthToken(token);
+    const { email } = await parseAuthToken(token);
 
     // If the current user doesn't match the user for the session, destroy existing session data - it may be a shared device
     const storedUserEmail = await context.session.get('user-email');
@@ -42,18 +43,13 @@ export async function onRequest(context, next) {
       context.session.set('user-email', email);
     }
 
-    // allow any role (rather than the specific role for gov-ai-client)
-    if (!roles) {
-      return redirectToUnauthorised(context);
-    }
-
     return next();
   } catch(error) {
     console.error('Error authorising token:', error);
     return redirectToUnauthorised(context);
   }
 }
 
-function redirectToUnauthorised(context) {
+function redirectToUnauthorised(context: any) { // eslint-disable-line @typescript-eslint/no-explicit-any
   return context.redirect('/unauthorised');
 }
diff --git a/frontend/src/pages/post-message.ts b/frontend/src/pages/post-message.ts
@@ -31,7 +31,8 @@ export async function POST(context: APIContext) {
   // get user email from JWT
   const oidcDataToken = context.request.headers.get('x-amzn-oidc-data') || '';
   console.log('OIDC data token present:', !!oidcDataToken, 'length:', oidcDataToken.length);
-  const { email: userEmail } = await parseAuthToken(oidcDataToken);
+  const authResult = await parseAuthToken(oidcDataToken);
+  const userEmail = authResult.email;
   console.log('Parsed email from token:', userEmail);
 
   if (!userEmail) {
