WIP: Adds check for access token to lambda

We're only checking the access token is coming through properly formed here, we need to assert the client-service relationship after this
govuk-one-login · Sep 10, 2024 · f958309 · f958309
1 parent 99046dc
commit f958309
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 2 deletions.
diff --git a/backend/api/src/handlers/step-functions/update-service.ts b/backend/api/src/handlers/step-functions/update-service.ts
@@ -2,5 +2,27 @@ import {APIGatewayProxyEvent, APIGatewayProxyResult, Context} from "aws-lambda";
 import {stepFunctionHandler} from "./step-function-handler";
 
 export const doUpdateServiceHandler = async (event: APIGatewayProxyEvent, context: Context): Promise<APIGatewayProxyResult> => {
+    const authHeader = event.headers.Authorization;
+
+    if (!authHeader || !authHeader.startsWith("Bearer ")) {
+        return {
+            statusCode: 401,
+            body: "Missing access token"
+        };
+    }
+
+    const authToken = authHeader.substring(7);
+    //We trust the signature as this token is attached from
+    //the frontend which does the validation
+    const tokenParts = authToken.split(".");
+
+    if (tokenParts.length !== 3) {
+        return {
+            statusCode: 400,
+            body: "Invalid access token"
+        };
+    }
+
+    //TODO: Read table and check the user - service association
     return stepFunctionHandler(event, context);
 };
diff --git a/backend/api/tests/handlers/step-functions/update-service.test.ts b/backend/api/tests/handlers/step-functions/update-service.test.ts
@@ -2,7 +2,7 @@ import {SFNClient, StartSyncExecutionCommand, SyncExecutionStatus} from "@aws-sd
 import {mockClient} from "aws-sdk-client-mock";
 import {constructTestApiGatewayEvent, mockLambdaContext} from "../utils";
 import {doUpdateServiceHandler} from "../../../src/handlers/step-functions/update-service";
-import {TEST_SERVICE_ID, TEST_SERVICE_NAME, TEST_USER_EMAIL} from "../constants";
+import {TEST_ACCESS_TOKEN, TEST_SERVICE_ID, TEST_SERVICE_NAME, TEST_USER_EMAIL} from "../constants";
 import {TEST_STATE_MACHINE_ARN} from "../../setup";
 import "aws-sdk-client-mock-jest";
 
@@ -17,7 +17,10 @@ const TEST_UPDATE_SERVICE = {
 };
 const TEST_NEW_CLIENT_EVENT = constructTestApiGatewayEvent({
     body: JSON.stringify(TEST_UPDATE_SERVICE),
-    pathParameters: {}
+    pathParameters: {},
+    headers: {
+        Authorization: TEST_ACCESS_TOKEN
+    }
 });
 const mockSfnClient = mockClient(SFNClient);