ATO-1291: Add max_age support to query params

We added it for request object so we need to have the equivalent validation for query params
govuk-one-login · Jan 13, 2025 · 52eea6a · 52eea6a
1 parent ffa42af
commit 52eea6a
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 1 deletion.
diff --git a/src/validators/tests/validate-auth-request-query-params.test.ts b/src/validators/tests/validate-auth-request-query-params.test.ts
@@ -18,7 +18,7 @@ const defaultAuthRequest = {
   nonce: "987654321",
   scope: ["openid"],
   claims: [validClaim],
-  vtr: [],
+  vtr: '["Cl.Cm"]',
   prompt: [],
   ui_locales: [],
   max_age: 123,
@@ -185,4 +185,24 @@ describe("validateAuthRequestQueryParams tests", () => {
       })
     );
   });
+
+  it("throws an invalid request error for max_age less than -1", () => {
+    expect(() =>
+      validateAuthRequestQueryParams(
+        {
+          ...defaultAuthRequest,
+          max_age: -100,
+        },
+        config
+      )
+    ).toThrow(
+      new AuthoriseRequestError({
+        errorCode: "invalid_request",
+        errorDescription: "Max age is negative in query params",
+        httpStatusCode: 302,
+        redirectUri: defaultAuthRequest.redirect_uri,
+        state: defaultAuthRequest.state,
+      })
+    );
+  });
 });
diff --git a/src/validators/validate-auth-request-query-params.ts b/src/validators/validate-auth-request-query-params.ts
@@ -95,4 +95,15 @@ export const validateAuthRequestQueryParams = (
     queryParams.state,
     queryParams.redirect_uri
   );
+
+  if (queryParams.max_age && queryParams.max_age < -1) {
+    logger.error("Negative max_age in authorise request");
+    throw new AuthoriseRequestError({
+      errorCode: "invalid_request",
+      errorDescription: "Max age is negative in query params",
+      httpStatusCode: 302,
+      redirectUri: queryParams.redirect_uri,
+      state: queryParams.state,
+    });
+  }
 };