Merge pull request #1635 from govuk-one-login/AUT-2578/use-common-hea…

…ders-in-all-services Aut 2578/use common headers in all services
govuk-one-login · May 22, 2024 · 20a7a10 · 20a7a10
2 parents b8b7608 + 4726215
commit 20a7a10
Show file tree

Hide file tree

Showing 82 changed files with 645 additions and 362 deletions.
diff --git a/src/components/account-creation/resend-mfa-code/resend-mfa-code-controller.ts b/src/components/account-creation/resend-mfa-code/resend-mfa-code-controller.ts
@@ -83,6 +83,7 @@ export const resendMfaCodePost = (
       req.ip,
       persistentSessionId,
       xss(req.cookies.lng as string),
+      req,
       journeyType,
       phoneNumber
     );

diff --git a/src/components/account-creation/resend-mfa-code/tests/resend-mfa-code-controller.test.ts b/src/components/account-creation/resend-mfa-code/tests/resend-mfa-code-controller.test.ts
@@ -81,6 +81,7 @@ describe("resend mfa controller", () => {
         "127.0.0.1",
         "123123-djjad",
         "",
+        req,
         "ACCOUNT_RECOVERY"
       );
     });
@@ -110,6 +111,7 @@ describe("resend mfa controller", () => {
         "127.0.0.1",
         "123123-djjad",
         "",
+        req,
         "REGISTRATION"
       );
     });

diff --git a/src/components/account-intervention/account-intervention-service.ts b/src/components/account-intervention/account-intervention-service.ts
@@ -1,6 +1,6 @@
 import {
   createApiResponse,
-  getRequestConfig,
+  getInternalRequestConfigWithSecurityHeaders,
   Http,
   http,
 } from "../../utils/http";
@@ -10,6 +10,7 @@ import {
   AccountInterventionsInterface,
 } from "./types";
 import { ApiResponseResult } from "../../types";
+import { Request } from "express";
 
 export function accountInterventionService(
   axios: Http = http
@@ -19,19 +20,24 @@ export function accountInterventionService(
     emailAddress: string,
     sourceIp: string,
     clientSessionId: string,
-    persistentSessionId: string
+    persistentSessionId: string,
+    req: Request
   ): Promise<ApiResponseResult<AccountInterventionStatus>> {
     const response = await axios.client.post<AccountInterventionStatus>(
       API_ENDPOINTS.ACCOUNT_INTERVENTIONS,
       {
         email: emailAddress.toLowerCase(),
       },
-      getRequestConfig({
-        sessionId: sessionId,
-        sourceIp: sourceIp,
-        clientSessionId: clientSessionId,
-        persistentSessionId: persistentSessionId,
-      })
+      getInternalRequestConfigWithSecurityHeaders(
+        {
+          sessionId: sessionId,
+          sourceIp: sourceIp,
+          clientSessionId: clientSessionId,
+          persistentSessionId: persistentSessionId,
+        },
+        req,
+        API_ENDPOINTS.ACCOUNT_INTERVENTIONS
+      )
     );
 
     return createApiResponse<AccountInterventionStatus>(response);

diff --git a/src/components/account-intervention/tests/account-intervention-service.test.ts b/src/components/account-intervention/tests/account-intervention-service.test.ts
@@ -5,12 +5,14 @@ import { accountInterventionService } from "../account-intervention-service";
 import {
   checkApiCallMadeWithExpectedBodyAndHeaders,
   commonVariables,
-  expectedHeadersFromCommonVarsWithoutSecurityHeaders,
+  expectedHeadersFromCommonVarsWithSecurityHeaders,
+  requestHeadersWithIpAndAuditEncoded,
   resetApiKeyAndBaseUrlEnvVars,
   setupApiKeyAndBaseUrlEnvVars,
 } from "../../../../test/helpers/service-test-helper";
-import { API_ENDPOINTS } from "../../../app.constants";
+import { API_ENDPOINTS, PATH_NAMES } from "../../../app.constants";
 import { Http } from "../../../utils/http";
+import { createMockRequest } from "../../../../test/helpers/mock-request-helper";
 
 describe("account interventions service", () => {
   const httpInstance = new Http();
@@ -29,26 +31,30 @@ describe("account interventions service", () => {
   });
 
   it("successfully calls the API to check a user's account interventions status", async () => {
+    const { sessionId, clientSessionId, email, ip, diPersistentSessionId } =
+      commonVariables;
+    const req = createMockRequest(PATH_NAMES.AUTH_CODE, {
+      headers: requestHeadersWithIpAndAuditEncoded,
+    });
     const axiosResponse = Promise.resolve({
       data: {},
       status: 200,
       statusText: "OK",
     });
     postStub.resolves(axiosResponse);
-    const { sessionId, clientSessionId, email, ip, diPersistentSessionId } =
-      commonVariables;
 
     const result = await service.accountInterventionStatus(
       sessionId,
       email,
       ip,
       clientSessionId,
-      diPersistentSessionId
+      diPersistentSessionId,
+      req
     );
 
     const expectedApiCallDetails = {
       expectedPath: API_ENDPOINTS.ACCOUNT_INTERVENTIONS,
-      expectedHeaders: expectedHeadersFromCommonVarsWithoutSecurityHeaders,
+      expectedHeaders: expectedHeadersFromCommonVarsWithSecurityHeaders,
       expectedBody: { email: commonVariables.email },
     };
 

diff --git a/src/components/account-intervention/types.ts b/src/components/account-intervention/types.ts
@@ -1,12 +1,14 @@
 import { ApiResponseResult, DefaultApiResponse } from "../../types";
+import { Request } from "express";
 
 export interface AccountInterventionsInterface {
   accountInterventionStatus: (
     sessionId: string,
     emailAddress: string,
     sourceIp: string,
     clientSessionId: string,
-    persistentSessionId: string
+    persistentSessionId: string,
+    req: Request
   ) => Promise<ApiResponseResult<AccountInterventionStatus>>;
 }
 

diff --git a/src/components/account-not-found/account-not-found-controller.ts b/src/components/account-not-found/account-not-found-controller.ts
@@ -48,6 +48,7 @@ export function accountNotFoundPost(
       req.ip,
       persistentSessionId,
       xss(req.cookies.lng as string),
+      req,
       JOURNEY_TYPE.REGISTRATION
     );
 

diff --git a/src/components/account-recovery/check-your-email-security-codes/send-email-otp-middleware.ts b/src/components/account-recovery/check-your-email-security-codes/send-email-otp-middleware.ts
@@ -31,6 +31,7 @@ export function sendEmailOtp(
       req.ip,
       persistentSessionId,
       xss(req.cookies.lng as string),
+      req,
       JOURNEY_TYPE.ACCOUNT_RECOVERY
     );
 

diff --git a/src/components/authorize/authorize-controller.ts b/src/components/authorize/authorize-controller.ts
@@ -60,6 +60,7 @@ export function authorizeGet(
       clientSessionId,
       req.ip,
       persistentSessionId,
+      req,
       claims.reauthenticate
     );
 

diff --git a/src/components/authorize/authorize-service.ts b/src/components/authorize/authorize-service.ts
@@ -3,11 +3,12 @@ import { ApiResponseResult } from "../../types";
 import { API_ENDPOINTS } from "../../app.constants";
 import {
   createApiResponse,
-  getRequestConfig,
+  getInternalRequestConfigWithSecurityHeaders,
   http,
   Http,
 } from "../../utils/http";
 import { supportReauthentication } from "../../config";
+import { Request } from "express";
 
 export function authorizeService(
   axios: Http = http
@@ -17,6 +18,7 @@ export function authorizeService(
     clientSessionId: string,
     sourceIp: string,
     persistentSessionId: string,
+    req: Request,
     reauthenticate?: string
   ): Promise<ApiResponseResult<StartAuthResponse>> {
     let reauthenticateOption = undefined;
@@ -25,13 +27,17 @@ export function authorizeService(
     }
     const response = await axios.client.get<StartAuthResponse>(
       API_ENDPOINTS.START,
-      getRequestConfig({
-        sessionId: sessionId,
-        clientSessionId: clientSessionId,
-        sourceIp: sourceIp,
-        persistentSessionId: persistentSessionId,
-        reauthenticate: reauthenticateOption,
-      })
+      getInternalRequestConfigWithSecurityHeaders(
+        {
+          sessionId: sessionId,
+          clientSessionId: clientSessionId,
+          sourceIp: sourceIp,
+          persistentSessionId: persistentSessionId,
+          reauthenticate: reauthenticateOption,
+        },
+        req,
+        API_ENDPOINTS.START
+      )
     );
 
     return createApiResponse<StartAuthResponse>(response);

diff --git a/src/components/authorize/tests/authorize-service.test.ts b/src/components/authorize/tests/authorize-service.test.ts
@@ -3,44 +3,58 @@ import { expect } from "chai";
 import { Http } from "../../../utils/http";
 import { authorizeService } from "../authorize-service";
 import { sinon } from "../../../../test/utils/test-utils";
-import { API_ENDPOINTS } from "../../../app.constants";
+import { API_ENDPOINTS, PATH_NAMES } from "../../../app.constants";
 import { SinonStub } from "sinon";
 import { AuthorizeServiceInterface } from "../types";
+import { createMockRequest } from "../../../../test/helpers/mock-request-helper";
+import {
+  commonVariables,
+  expectedHeadersFromCommonVarsWithSecurityHeaders,
+  requestHeadersWithIpAndAuditEncoded,
+  resetApiKeyAndBaseUrlEnvVars,
+  setupApiKeyAndBaseUrlEnvVars,
+} from "../../../../test/helpers/service-test-helper";
 
 describe("authorize service", () => {
-  const sessionId = "some-session-id";
-  const clientSessionId = "client-session-id";
-  const ip = "123.123.123.123";
-  const persistentSessionId = "persistent-session-id";
   let getStub: SinonStub;
   let service: AuthorizeServiceInterface;
+  const { sessionId, clientSessionId, ip, diPersistentSessionId } =
+    commonVariables;
+  const req = createMockRequest(PATH_NAMES.AUTHORIZE, {
+    headers: requestHeadersWithIpAndAuditEncoded,
+  });
 
   beforeEach(() => {
-    process.env.API_KEY = "api-key";
-    process.env.FRONTEND_API_BASE_URL = "some-base-url";
+    setupApiKeyAndBaseUrlEnvVars();
     process.env.API_BASE_URL = "another-base-url";
     const httpInstance = new Http();
     service = authorizeService(httpInstance);
     getStub = sinon.stub(httpInstance.client, "get");
   });
 
   afterEach(() => {
+    resetApiKeyAndBaseUrlEnvVars();
+    delete process.env.SUPPORT_REAUTHENTICATION;
     getStub.reset();
   });
 
-  it("sends a request with the reauth header set to true when reauth is requested and the feature flag is set", () => {
+  it("sends a request with the correct headers set to true when reauth is requested and the feature flag is set", () => {
     process.env.SUPPORT_REAUTHENTICATION = "1";
     service.start(
       sessionId,
       clientSessionId,
       ip,
-      persistentSessionId,
+      diPersistentSessionId,
+      req,
       "123456"
     );
 
     expect(
-      getStub.calledWithMatch(API_ENDPOINTS.START, {
-        headers: { Reauthenticate: true },
+      getStub.calledOnceWithExactly(API_ENDPOINTS.START, {
+        headers: {
+          ...expectedHeadersFromCommonVarsWithSecurityHeaders,
+          Reauthenticate: true,
+        },
         proxy: false,
       })
     ).to.be.true;
@@ -52,25 +66,26 @@ describe("authorize service", () => {
       sessionId,
       clientSessionId,
       ip,
-      persistentSessionId,
+      diPersistentSessionId,
+      req,
       "123456"
     );
 
     expect(
-      getStub.calledWithMatch(API_ENDPOINTS.START, {
-        headers: { Reauthenticate: undefined },
+      getStub.calledOnceWithExactly(API_ENDPOINTS.START, {
+        headers: { ...expectedHeadersFromCommonVarsWithSecurityHeaders },
         proxy: false,
       })
     ).to.be.true;
   });
 
   it("sends a request without a reauth header when reauth is not requested", () => {
     process.env.SUPPORT_REAUTHENTICATION = "1";
-    service.start(sessionId, clientSessionId, ip, persistentSessionId);
+    service.start(sessionId, clientSessionId, ip, diPersistentSessionId, req);
 
     expect(
-      getStub.calledWithMatch(API_ENDPOINTS.START, {
-        headers: { Reauthenticate: undefined },
+      getStub.calledOnceWithExactly(API_ENDPOINTS.START, {
+        headers: { ...expectedHeadersFromCommonVarsWithSecurityHeaders },
         proxy: false,
       })
     ).to.be.true;

diff --git a/src/components/authorize/types.ts b/src/components/authorize/types.ts
@@ -1,5 +1,6 @@
 import { ApiResponseResult, DefaultApiResponse } from "../../types";
 import { Claims } from "./claims-config";
+import { Request } from "express";
 
 export interface StartAuthResponse extends DefaultApiResponse {
   user: UserSessionInfo;
@@ -23,6 +24,7 @@ export interface AuthorizeServiceInterface {
     clientSessionId: string,
     sourceIp: string,
     persistentSessionId: string,
+    req: Request,
     reauthenticate?: string
   ) => Promise<ApiResponseResult<StartAuthResponse>>;
 }

diff --git a/...raud-block/checkEmailFraudBlockService.ts → ...-block/check-email-fraud-block-service.ts b/...raud-block/checkEmailFraudBlockService.ts → ...-block/check-email-fraud-block-service.ts
@@ -1,6 +1,6 @@
 import {
   createApiResponse,
-  getRequestConfig,
+  getInternalRequestConfigWithSecurityHeaders,
   Http,
   http,
 } from "../../utils/http";
@@ -10,6 +10,7 @@ import {
   CheckEmailFraudBlockInterface,
   CheckEmailFraudBlockResponse,
 } from "./types";
+import { Request } from "express";
 
 export function checkEmailFraudBlockService(
   axios: Http = http
@@ -19,19 +20,24 @@ export function checkEmailFraudBlockService(
     sessionId: string,
     sourceIp: string,
     clientSessionId: string,
-    persistentSessionId: string
+    persistentSessionId: string,
+    req: Request
   ): Promise<ApiResponseResult<CheckEmailFraudBlockResponse>> {
     const response = await axios.client.post<CheckEmailFraudBlockResponse>(
       API_ENDPOINTS.CHECK_EMAIL_FRAUD_BLOCK,
       {
         email: email.toLowerCase(),
       },
-      getRequestConfig({
-        sessionId: sessionId,
-        sourceIp: sourceIp,
-        clientSessionId: clientSessionId,
-        persistentSessionId: persistentSessionId,
-      })
+      getInternalRequestConfigWithSecurityHeaders(
+        {
+          sessionId: sessionId,
+          sourceIp: sourceIp,
+          clientSessionId: clientSessionId,
+          persistentSessionId: persistentSessionId,
+        },
+        req,
+        API_ENDPOINTS.CHECK_EMAIL_FRAUD_BLOCK
+      )
     );
     return createApiResponse<CheckEmailFraudBlockResponse>(response);
   };
-Original file line number
+Diff line change
@@ Expand Up / @@ -48,6 +48,7 @@ export function accountNotFoundPost( @@
           req.ip,
           persistentSessionId,
           xss(req.cookies.lng as string),
+          req,
           JOURNEY_TYPE.REGISTRATION
         );
@@ Expand Down @@