DTSCCI-136 authorise user coming from cui (#3695)

* DTSCCI-136 use openid connect to use existing session to connect.

* clean up

* Revert "clean up"

This reverts commit 29e0fb0.

* fix test

* fix logout

* config redirect when signing out so that it depends on the environment.

* Bumping chart version/ fixing aliases

* fix unit test

* add unit test

* clean up

* fix linking error

* redirect to claims detail page from CUI

* clean up

* fix test

* fix test (2)

* fix test (3)

* fix test (4)

* fix test (5)

* fix test (6)

* fix test (7)

* fix test + add more

* correct check for ocmc redirect url

* consider state not encoded

* fix test

* clean up import

* clean up

* update yarn-audit-known-issues

* set default redirect to false

* update yarn-audit-known-issues

* logout after scenario is done

* set parallel FT to 1

* Bumping chart version/ fixing aliases

* record step by step failed tests

* undo single FT run

* remove unnecessary chart config + clean up

* click sign out instead of using the url

* clean up test after method

* clean up config

* set custom env variable confirm value to boolean

* Add some logging

* Bumping chart version/ fixing aliases

* make sure flag is converted to boolean

* clean up after merging master

* update yarn-audit-known-issues

* remove logout call after certain test and just restart browser between tests

* Bumping chart version/ fixing aliases

* clean up

* clean up

* undo unnecessary changes

* test with toggle switched on

* Revert "test with toggle switched on"

This reverts commit 1d9e97b.

* remove logs

* clean up name for toggle

---------

Co-authored-by: hmcts-jenkins-a-to-c <62422075+hmcts-jenkins-a-to-c[bot]@users.noreply.github.com>
Co-authored-by: Nigel Dunne <12184413+nigeldunne@users.noreply.github.com>

Author: 3 people

charts/cmc-citizen-frontend/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: cmc-citizen-frontend
 home: https://github.com/hmcts/cmc-citizen-frontend
-version: 4.1.57
+version: 4.1.58
 description: Helm chart for the HMCTS CMC Citizen Frontend service
 # be aware when bumping version that it is used elsewhere, e.g.:
 # chart-cmc - demo: https://github.com/hmcts/chart-cmc/tree/master/cmc

charts/cmc-citizen-frontend/values.yaml

@@ -30,7 +30,7 @@ nodejs:
     DRAFT_STORE_URL: http://draft-store-service-{{ .Values.global.environment }}.service.core-compute-{{ .Values.global.environment }}.internal
     CLAIM_STORE_URL: http://cmc-claim-store-{{ .Values.global.environment }}.service.core-compute-{{ .Values.global.environment }}.internal
     CUI_DASHBOARD_URL: https://civil-citizen-ui.{{ .Values.global.environment }}.platform.hmcts.net/dashboard
-    CUI_DASHBOARD_REDIRECT: false
+    CUI_URL: https://civil-citizen-ui.{{ .Values.global.environment }}.platform.hmcts.net
 
     UV_THREADPOOL_SIZE: 64
 
@@ -54,6 +54,8 @@ nodejs:
     FEATURE_BREATHING_SPACE: false
     FEES_API_KEYWORDS_ENABLE: false
     FEATURE_DISABLE_PAGES: false
+    CUI_DASHBOARD_REDIRECT: false
+    CUI_SIGN_OUT_REDIRECT: false
 
   keyVaults:
     cmc:

config/custom-environment-variables.json

@@ -28,11 +28,16 @@
     "apiVersion": "DRAFT_STORE_API_VERSION"
   },
   "cui": {
+    "url": "CUI_URL",
+    "signOutRedirect": {
+      "__name": "CUI_SIGN_OUT_REDIRECT",
+      "__format": "boolean"
+    },
+    "dashboardUrl": "CUI_DASHBOARD_URL",
     "dashboardRedirect": {
       "__name": "CUI_DASHBOARD_REDIRECT",
       "__format": "boolean"
-    },
-    "dashboardUrl": "CUI_DASHBOARD_URL"
+    }
   },
   "analytics": {
     "gaTrackingId": "GA_TRACKING_ID"

config/default.json

@@ -3,12 +3,15 @@
     "referrerPolicy": "origin"
   },
   "cui": {
-    "dashboardRedirect": false,
-    "dashboardUrl": "https://www.moneyclaims.service.gov.uk/dashboard"
+    "url": "http://localhost:3001",
+    "signOutRedirect": false,
+    "dashboardUrl": "https://www.moneyclaims.service.gov.uk/dashboard",
+    "dashboardRedirect": false
   },
   "idam": {
     "authentication-web": {
-      "url": "http://localhost:9002"
+      "url": "http://localhost:9002",
+      "scope": "openid profile roles"
     },
     "api": {
       "url": "http://localhost:5000"

default.conf.js

@@ -31,7 +31,7 @@ exports.config = {
       browser: process.env.BROWSER || 'chrome',
       url: process.env.CITIZEN_APP_URL || 'https://localhost:3000',
       waitForTimeout: 60000,
-      restart: false,
+      restart: true,
       smartWait:5000,
       desiredCapabilities: {
         chromeOptions: {

src/main/app/idam/oAuthHelper.ts

@@ -2,25 +2,45 @@ import * as config from 'config'
 import * as uuid from 'uuid'
 import * as Cookies from 'cookies'
 import * as express from 'express'
+import * as toBoolean from 'to-boolean'
 import { buildURL } from 'utils/callbackBuilder'
 import { Paths } from 'paths'
 import { RoutablePath } from 'shared/router/routablePath'
 import { User } from 'idam/user'
+import { Base64 } from 'js-base64'
 
 const clientId = config.get<string>('oauth.clientId')
-
-const loginPath = `${config.get('idam.authentication-web.url')}/login`
+const scope = config.get('idam.authentication-web.scope')
+const baseCivilCitizenUrl = config.get('cui.url')
+const redirectToCivil = toBoolean(config.get('cui.signOutRedirect'))
+const idamWebUrl = config.get('idam.authentication-web.url')
+const loginPath = `${idamWebUrl}/login`
+const authorizePath = `${idamWebUrl}/o/authorize`
+const logoutPath = `${idamWebUrl}/o/endSession`
+export const redirectToClaimRegex = /^\/dashboard\/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\/(claimant|defendant)$/
 
 export class OAuthHelper {
 
   static forLogin (req: express.Request,
                    res: express.Response,
                    receiver: RoutablePath = Paths.receiver): string {
     const redirectUri = buildURL(req, receiver.uri)
-    const state = uuid()
-    OAuthHelper.storeStateCookie(req, res, state)
+    const stateId = uuid()
+    OAuthHelper.storeStateCookie(req, res, stateId)
+    let stateObj = { 'state': stateId }
+    if (req.originalUrl.match(redirectToClaimRegex)) {
+      stateObj['redirectToClaim'] = req.originalUrl
+    }
+    const state = Base64.encode(JSON.stringify(stateObj))
 
-    return `${loginPath}?response_type=code&state=${state}&client_id=${clientId}&redirect_uri=${redirectUri}`
+    return `${authorizePath}?response_type=code&state=${state}&client_id=${clientId}&redirect_uri=${redirectUri}&scope=${scope}`
+  }
+
+  static forLogout (req: express.Request,
+                   authToken: string,
+                   receiver: RoutablePath = Paths.receiver): string {
+    const redirectUri = redirectToCivil ? `${baseCivilCitizenUrl}/logout` : buildURL(req, receiver.uri)
+    return `${logoutPath}?id_token_hint=${authToken}&post_logout_redirect_uri=${redirectUri}`
   }
 
   static forPin (req: express.Request, res: express.Response, claimReference: string): string {

src/main/routes/logout.ts

@@ -2,36 +2,19 @@ import * as express from 'express'
 import * as config from 'config'
 import * as Cookies from 'cookies'
 
-import { IdamClient } from 'idam/idamClient'
-import { Logger } from '@hmcts/nodejs-logging'
-
 import { Paths } from 'paths'
-import { JwtExtractor } from 'idam/jwtExtractor'
-import { JwtUtils } from 'shared/utils/jwtUtils'
 import { ErrorHandling } from 'shared/errorHandling'
+import { OAuthHelper } from 'idam/oAuthHelper'
 
 const sessionCookie = config.get<string>('session.cookieName')
-const logger = Logger.getLogger('routes/logout')
 
 /* tslint:disable:no-default-export */
 export default express.Router()
   .get(Paths.logoutReceiver.uri,
     ErrorHandling.apply(async (req: express.Request, res: express.Response, next: express.NextFunction): Promise<void> => {
-      const jwt: string = JwtExtractor.extract(req)
-
-      if (jwt) {
-        try {
-          const user: User = await IdamClient.retrieveUserFor(jwt)
-          await IdamClient.invalidateSession(jwt, user.bearerToken)
-        } catch (error) {
-          const { id } = JwtUtils.decodePayload(jwt)
-          logger.error(`Failed invalidating JWT for userId  ${id}`)
-        }
-
-        const cookies = new Cookies(req, res)
-        cookies.set(sessionCookie, '')
-      }
-
-      res.redirect(Paths.homePage.uri)
+      const cookies = new Cookies(req, res)
+      const authToken = cookies.get(sessionCookie)
+      cookies.set(sessionCookie, '')
+      res.redirect(OAuthHelper.forLogout(req, authToken))
     })
   )

src/main/routes/receiver.ts

@@ -19,12 +19,13 @@ import { JwtExtractor } from 'idam/jwtExtractor'
 import { RoutablePath } from 'shared/router/routablePath'
 import { hasTokenExpired } from 'idam/authorizationMiddleware'
 import { Logger } from '@hmcts/nodejs-logging'
-import { OAuthHelper } from 'idam/oAuthHelper'
+import { OAuthHelper, redirectToClaimRegex } from 'idam/oAuthHelper'
 import { User } from 'idam/user'
 import { DraftService } from 'services/draftService'
 import { trackCustomEvent } from 'logging/customEventTracker'
 import { FeatureToggles } from 'utils/featureToggles'
 import { LaunchDarklyClient } from 'shared/clients/launchDarklyClient'
+import { Base64 } from 'js-base64'
 
 const logger = Logger.getLogger('router/receiver')
 
@@ -38,11 +39,24 @@ const eligibilityStore = new CookieEligibilityStore()
 
 const featureToggles: FeatureToggles = new FeatureToggles(new LaunchDarklyClient())
 
+function getPropertyFromQueryState (req: express.Request, property: string = 'state') {
+  const state = req.query.state as string
+  if (state) {
+    try {
+      return JSON.parse(Base64.decode(req.query.state))[property] as string
+    } catch {
+      return state
+    }
+  }
+  return undefined
+}
+
 async function getOAuthAccessToken (req: express.Request, receiver: RoutablePath): Promise<string> {
-  if (req.query.state !== OAuthHelper.getStateCookie(req)) {
+  const state = getPropertyFromQueryState(req)
+  if (state !== OAuthHelper.getStateCookie(req)) {
     trackCustomEvent('State cookie mismatch (citizen)',
       {
-        requestValue: req.query.state,
+        requestValue: state,
         cookieValue: OAuthHelper.getStateCookie(req)
       })
   }
@@ -70,7 +84,7 @@ async function getAuthToken (req: express.Request,
 
 function isDefendantFirstContactPinLogin (req: express.Request): boolean {
   if (req.query) {
-    const state = req.query.state as string
+    const state = getPropertyFromQueryState(req)
     return state ? !!state.match(/[\d]{3}MC[\d]{3}/) : false
   }
 }
@@ -91,6 +105,10 @@ function loginErrorHandler (req: express.Request,
 }
 
 async function retrieveRedirectForLandingPage (req: express.Request, res: express.Response): Promise<string> {
+  const redirectToClaim = getPropertyFromQueryState(req, 'redirectToClaim')
+  if (redirectToClaim && redirectToClaimRegex.test(redirectToClaim)) {
+    return redirectToClaim
+  }
   const eligibility: Eligibility = eligibilityStore.read(req, res)
   if (eligibility.eligible) {
     const redirectUri = ClaimPaths.taskListPage.uri
@@ -146,7 +164,8 @@ export default express.Router()
       if (res.locals.isLoggedIn) {
         if (isDefendantFirstContactPinLogin(req)) {
           // re-set state cookie as it was cleared above, we need it in this case
-          cookies.set(stateCookieName, req.query.state as string)
+          const state = getPropertyFromQueryState(req)
+          cookies.set(stateCookieName, state)
           return res.redirect(FirstContactPaths.claimSummaryPage.uri)
         } else {
           if (await featureToggles.isDashboardPaginationEnabled()) {
@@ -163,8 +182,9 @@ export default express.Router()
         }
       } else {
         if (res.locals.code) {
+          const state = getPropertyFromQueryState(req)
           trackCustomEvent('Authentication token undefined (jwt defined)',
-            { requestValue: req.query.state })
+            { requestValue: state })
         }
         res.redirect(OAuthHelper.forLogin(req, res))
       }

src/test/app/idam/oAuthHelper.ts

@@ -0,0 +1,82 @@
+import { OAuthHelper } from 'idam/oAuthHelper'
+import { Request } from 'express'
+import * as sinon from 'sinon'
+import { mockRes as res } from 'sinon-express-mock'
+import * as Cookies from 'cookies'
+import { expect } from 'chai'
+import * as config from 'config'
+import { Base64 } from 'js-base64'
+import { beforeEach } from 'mocha'
+import * as uuid from 'uuid'
+
+function extractStateValue (inputString: string): string {
+  const match = inputString.match(/state=([^\s&]+)/)
+  return match ? match[1] : ''
+}
+
+describe('oAuthHelper', () => {
+  describe('forLogin', () => {
+    const defaultLoginPagePattern = new RegExp(`${config.get('idam.authentication-web.url')}/o/authorize\\?response_type=code&state=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?&client_id=cmc_citizen&redirect_uri=https://localhost:[0-9]{1,5}/receiver&scope=openid profile roles`)
+
+    beforeEach(() => {
+      sinon.stub(Cookies.prototype, 'set')
+    })
+
+    afterEach(() => {
+      Cookies.prototype.set.restore()
+    })
+
+    it('should return login Idam page', () => {
+      const req = {
+        headers: {
+          host: 'localhost:3000'
+        },
+        originalUrl: ''
+      } as Request
+      const loginUrl = OAuthHelper.forLogin(req, res)
+      expect(loginUrl).to.match(defaultLoginPagePattern)
+    })
+
+    it('should return login Idam page with redirectToClaim to claimant claims detail', () => {
+      const redirectToClaim = `/dashboard/${uuid()}/claimant`
+      const req = {
+        headers: {
+          host: 'localhost:3000'
+        },
+        originalUrl: redirectToClaim
+      } as Request
+      const loginUrl = OAuthHelper.forLogin(req, res)
+      const state = extractStateValue(loginUrl)
+      const results = JSON.parse(Base64.decode(state))['redirectToClaim']
+      expect(results).to.equal(redirectToClaim)
+    })
+
+    it('should return login Idam page with redirectToClaim to defendant claims detail', () => {
+      const redirectToClaim = `/dashboard/${uuid()}/defendant`
+      const req = {
+        headers: {
+          host: 'localhost:3000'
+        },
+        originalUrl: redirectToClaim
+      } as Request
+      const loginUrl = OAuthHelper.forLogin(req, res)
+      const state = extractStateValue(loginUrl)
+      const results = JSON.parse(Base64.decode(state))['redirectToClaim']
+      expect(results).to.equal(redirectToClaim)
+    })
+
+    it('should return login Idam page without redirectToClaim to claims detail if it doesnt match the expect url', () => {
+      const redirectToClaim = '/dashboard/12345678906/defendant'
+      const req = {
+        headers: {
+          host: 'localhost:3000'
+        },
+        originalUrl: redirectToClaim
+      } as Request
+      const loginUrl = OAuthHelper.forLogin(req, res)
+      const state = extractStateValue(loginUrl)
+      const results = JSON.parse(Base64.decode(state))['redirectToClaim']
+      expect(results).to.equal(undefined)
+    })
+  })
+})

src/test/routes/authorization-check.ts

@@ -8,7 +8,7 @@ import 'test/routes/expectations'
 import * as idamServiceMock from 'test/http-mocks/idam'
 
 const cookieName: string = config.get<string>('session.cookieName')
-export const defaultAccessDeniedPagePattern = new RegExp(`${config.get('idam.authentication-web.url')}/login\\?response_type=code&state=[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}&client_id=cmc_citizen&redirect_uri=https://127.0.0.1:[0-9]{1,5}/receiver`)
+export const defaultAccessDeniedPagePattern = new RegExp(`${config.get('idam.authentication-web.url')}/o/authorize\\?response_type=code&state=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?&client_id=cmc_citizen&redirect_uri=https://127.0.0.1:[0-9]{1,5}/receiver&scope=openid%20profile%20roles`)
 
 export function checkAuthorizationGuards (app: any,
                                           method: string,