FS-4565: Improvement - Form Runner - JWT auth and Session Management

designer/Dockerfile

@@ -2,7 +2,7 @@
 # Stage 1
 # Base image contains the node version and app user creation
 # It also configures the non-root user that will be given permission to copied files/folders in every subsequent stages
-FROM node:16-alpine AS base-image
+FROM node:20-alpine AS base-image
 RUN mkdir -p /usr/src/app/digital-form-builder-adapter && \
     addgroup -g 1001 appuser && \
     adduser -S -u 1001 -G appuser appuser && \

designer/package.json

@@ -3,9 +3,9 @@
   "version": "1.0.0",
   "main": "server/index.ts",
   "scripts": {
-    "dev": "yarn start:local",
+    "dev": "NODE_OPTIONS=--openssl-legacy-provider && yarn start:local",
     "production": "yarn start:prod",
-    "build": "NODE_ENV=production webpack",
+    "build": "NODE_ENV=production && NODE_OPTIONS=--openssl-legacy-provider && webpack",
     "start:prod": "NODE_ENV=production nodemon dist/server.js",
     "start:local": "NODE_ENV=development PERSISTENT_BACKEND=preview ts-node-dev --inspect --respawn --transpile-only server/index.ts"
   },

runner/Dockerfile

@@ -2,7 +2,7 @@
 # Stage 1
 # Base image contains the node version and app user creation
 # It also configures the non-root user that will be given permission to copied files/folders in every subsequent stages
-FROM node:16-alpine AS base-image
+FROM node:20-alpine AS base-image
 RUN mkdir -p /usr/src/app/digital-form-builder-adapter/runner/public/static && \
     addgroup -g 1001 appuser && \
     adduser -S -u 1001 -G appuser appuser && \

runner/config/custom-environment-variables.json

@@ -37,6 +37,9 @@
   "lastCommit": "LAST_COMMIT",
   "lastTag": "LAST_TAG",
   "apiEnv": "API_ENV",
+  "jwtAuthEnabled": "JWT_AUTH_ENABLED",
+  "jwtAuthCookieName": "JWT_AUTH_COOKIE_NAME",
+  "jwtRedirectToAuthenticationUrl": "JWT_REDIRECT_TO_AUTHENTICATION_URL",
   "authEnabled": "AUTH_ENABLED",
   "authClientId": "AUTH_CLIENT_ID",
   "authClientSecret": "AUTH_CLIENT_SECRET",
@@ -49,8 +52,6 @@
   "awsBucketName": "AWS_BUCKET_NAME",
   "awsRegion": "AWS_REGION",
   "awsEndpointOverride": "AWS_ENDPOINT_OVERRIDE",
-  "jwtAuthCookieName": "JWT_AUTH_COOKIE_NAME",
-  "jwtRedirectToAuthenticationUrl": "JWT_REDIRECT_TO_AUTHENTICATION_URL",
   "rsa256PublicKeyBase64": "RSA256_PUBLIC_KEY_BASE64",
   "logoutUrl": "LOGOUT_URL",
   "multifundDashboard": "MULTIFUND_URL",

runner/config/default.js

@@ -1,9 +1,9 @@
 const nanoid = require("nanoid");
 const minute = 60 * 1000;
-const { deferConfig } = require("config/defer");
+const {deferConfig} = require("config/defer");
 const dotEnv = require("dotenv");
 if (process.env.NODE_ENV !== "test") {
-  dotEnv.config({ path: ".env" });
+  dotEnv.config({path: ".env"});
 }
 
 module.exports = {
@@ -117,8 +117,11 @@ module.exports = {
   // authClientAuthUrl: "", // oAuth client secret
   // authClientTokenUrl: "", // oAuth client token endpoint
   // authClientProfileUrl: "" // oAuth client user profile endpoint
+  jwtAuthEnabled: true,
+  jwtAuthCookieName: "fsd_user_token",
+  jwtRedirectToAuthenticationUrl: "http://localhost:3004/sessions/sign-out",
   logoutUrl: "/logout",
-  multifundDashboard: "/account", //This is used to to redirect to the multifund dashboard
+  multifundDashboard: "/account", //This is used to redirect to the multifund dashboard
   basicAuthOn: false,
   overwriteInitialisedSession: true,
 

runner/package.json

@@ -10,7 +10,7 @@
     "static-content:dist-push": "mkdir -p dist/digital-form-builder-adapter/runner/public/static && cp -r ../digital-form-builder/runner/public/static dist/digital-form-builder-adapter/runner/public",
     "scss:build": "node compile-scss.js",
     "clean:build": "rm -rf dist",
-    "dev": "NODE_ENV=development nodemon dist/digital-form-builder-adapter/runner/index.js",
+    "dev": "NODE_ENV=development NODE_OPTIONS=--openssl-legacy-provider nodemon dist/digital-form-builder-adapter/runner/index.js",
     "production": "NODE_ENV=development nodemon dist/digital-form-builder-adapter/runner/index.js"
   },
   "author": "Communities UK",

runner/src/server/index.ts

@@ -5,30 +5,22 @@ import Scooter from "@hapi/scooter";
 import inert from "@hapi/inert";
 import Schmervice from "schmervice";
 import blipp from "blipp";
-import config from "../../../digital-form-builder/runner/src/server/config";
 
 import {ConfigureFormsPlugin} from "./plugins/ConfigureFormsPlugin";
 import {configureRateLimitPlugin} from "../../../digital-form-builder/runner/src/server/plugins/rateLimit";
 import {configureBlankiePlugin} from "../../../digital-form-builder/runner/src/server/plugins/blankie";
 import {configureCrumbPlugin} from "../../../digital-form-builder/runner/src/server/plugins/crumb";
-import {
-    configureInitialiseSessionPlugin
-} from "../../../digital-form-builder/runner/src/server/plugins/initialiseSession/configurePlugin";
 
 import pluginLocale from "../../../digital-form-builder/runner/src/server/plugins/locale";
 import pluginSession from "../../../digital-form-builder/runner/src/server/plugins/session";
-import pluginAuth from "../../../digital-form-builder/runner/src/server/plugins/auth";
+import pluginAuth from "./plugins/engine/Auth";
 import pluginApplicationStatus from "./plugins/engine/application-status";
-import pluginErrorPages from "../../../digital-form-builder/runner/src/server/plugins/errorPages";
 import pluginPulse from "../../../digital-form-builder/runner/src/server/plugins/pulse";
 import {
     AddressService,
-    CacheService,
     catboxProvider,
     NotifyService,
     PayService,
-    StatusService,
-    UploadService,
     MockUploadService,
     WebhookService,
 } from "../../../digital-form-builder/runner/src/server/services";
@@ -41,6 +33,12 @@ import {PgBossQueueService} from "../../../digital-form-builder/runner/src/serve
 import {ViewLoaderPlugin} from "./plugins/ViewLoaderPlugin";
 import {pluginLog} from "./plugins/logging";
 import publicRouterPlugin from "./plugins/engine/PublicRouterPlugin";
+import {config} from "./plugins/utils/AdapterConfigurationSchema";
+import errorHandlerPlugin from "./plugins/ErrorHandlerPlugin";
+import {AdapterCacheService} from "./services";
+import {AdapterStatusService} from "./services";
+import {configureInitialiseSessionPlugin} from "./plugins/initialize-session/SessionManagementPlugin";
+import {AdapterUploadService} from "./services/AdapterUploadService";
 
 const serverOptions = (): ServerOptions => {
     const hasCertificate = config.sslKey && config.sslCert;
@@ -107,11 +105,11 @@ async function createServer(routeConfig: RouteConfig) {
     await server.register(Schmervice);
     await server.register(pluginAuth);
 
-    server.registerService([CacheService, NotifyService, PayService, WebhookService, AddressService]);
+    server.registerService([AdapterCacheService, NotifyService, PayService, WebhookService, AddressService]);
     if (!config.documentUploadApiUrl) {
         server.registerService([Schmervice.withName("uploadService", MockUploadService),]);
     } else {
-        server.registerService([UploadService]);
+        server.registerService([AdapterUploadService]);
     }
 
     if (config.enableQueueService) {
@@ -123,7 +121,7 @@ async function createServer(routeConfig: RouteConfig) {
         ]);
     } else {
         // @ts-ignore
-        server.registerService(StatusService);
+        server.registerService(AdapterStatusService);
     }
 
     server.ext(
@@ -171,7 +169,7 @@ async function createServer(routeConfig: RouteConfig) {
     await server.register(ConfigureFormsPlugin(formFileName, formFilePath, options));
     await server.register(pluginApplicationStatus);
     await server.register(publicRouterPlugin);
-    await server.register(pluginErrorPages);
+    await server.register(errorHandlerPlugin);
     await server.register(blipp);
 
     server.state("cookies_policy", {

runner/src/server/plugins/ConfigureFormsPlugin.ts

@@ -6,9 +6,10 @@ import {idFromFilename} from "../../../../digital-form-builder/runner/src/server
 import {
     FormConfiguration
 } from "../../../../../digital-form-builder/runner/src/server/plugins/engine/services/configurationService";
-import config from "../../../../digital-form-builder/runner/src/server/config";
+
 import {EngineOptions} from "./engine/types/EngineOptions";
 import {ConfigureEnginePluginType} from "./engine/types/ConfigureEnginePluginType";
+import {config} from "./utils/AdapterConfigurationSchema";
 
 const relativeTo = __dirname;
 

runner/src/server/plugins/ErrorHandlerPlugin.ts

@@ -0,0 +1,53 @@
+import {HapiRequest, HapiResponseToolkit} from "../types";
+import {config} from "./utils/AdapterConfigurationSchema";
+
+/*
+ * Add an `onPreResponse` listener to return error pages
+ */
+export default {
+    plugin: {
+        name: "error-pages",
+        register: (server) => {
+            server.ext(
+                "onPreResponse",
+                (request: HapiRequest, h: HapiResponseToolkit) => {
+                    const response = request.response;
+
+                    if ("isBoom" in response && response.isBoom) {
+                        // An error was raised during
+                        // processing the request
+                        const statusCode = response.output.statusCode;
+                        const errorMessage = `${response.message}\n${response.stack || ""}`;
+
+                        // In the event of 404
+                        // return the `404` view
+                        if (statusCode === 404) {
+                            return h.view("404").code(statusCode);
+                        }
+
+                        // In the event of 401
+                        // redirect to authentication url
+                        if (statusCode === 401 || statusCode === 403) {
+                            console.log(`Getting an authentication error code: ${statusCode} and message: ${errorMessage}`);
+                            return h.redirect(
+                                config.jwtRedirectToAuthenticationUrl +
+                                "?referrer=" +
+                                request.url
+                            );
+                        }
+                        request.logger.error(errorMessage);
+                        request.log("error", {
+                            statusCode: statusCode,
+                            data: response.data,
+                            message: response.message,
+                        });
+
+                        // The return the `500` view
+                        return h.view("500").code(statusCode);
+                    }
+                    return h.continue;
+                }
+            );
+        },
+    },
+};

runner/src/server/plugins/engine/Auth.ts

@@ -0,0 +1,66 @@
+import {HapiServer} from "../../types";
+import {config} from "../utils/AdapterConfigurationSchema";
+import JwtPlugin from "hapi-auth-jwt2"
+
+export const jwtAuthStrategyName = "jwt_auth";
+
+// rsa256Options()
+// Returns configuration options for rsa256 auth strategy
+export function rsa256Options(jwtAuthCookieName) {
+    return {
+        key: keyFunc,
+        validate,
+        verifyOptions: {
+            algorithms: ["RS256"],
+        },
+        urlKey: false,
+        cookieKey: jwtAuthCookieName,
+    };
+}
+
+// keyFunc returns the key and any additonal context required to
+// passed to validate function (below) to validate signature
+// this is normally used to look up keys from list in a multi-tenant scenario
+const keyFunc = async function (decoded) {
+    const key = Buffer.from(config.rsa256PublicKeyBase64 ?? "", "base64");
+    return {key, additional: decoded};
+};
+
+// validate()
+// Checks validity of user credentials
+// @ts-ignore
+const validate = async function (decoded, request, h) {
+    // This runs if the jwt signature is verified
+    // It must return an object with an 'isValid' boolean property,
+    // this allows the user to continue if true or raises a 401 if false
+    const credentials = decoded;
+    if (request.plugins["hapi-auth-jwt2"]) {
+        credentials.extraInfo = request.plugins["hapi-auth-jwt2"].extraInfo;
+    }
+    if (!decoded.accountId) {
+        request.logger.error(
+            "JWT token has no accountID in jwt: " + credentials.extraInfo.toString()
+        );
+        return {isValid: false};
+    } else {
+        return {isValid: true, credentials};
+    }
+};
+
+export default {
+    plugin: {
+        name: "auth",
+        register: async (server: HapiServer) => {
+            if (config.jwtAuthEnabled) {
+                await server.register(JwtPlugin);
+                console.log(`JWT Authentication Enabled: ${config.jwtAuthEnabled}`);
+                console.log(`JWT Authentication cookie name: ${config.jwtAuthCookieName}`);
+                console.log(`JWT Authentication sign out url: ${config.jwtRedirectToAuthenticationUrl}`);
+                console.log(`JWT Authentication strategy name: ${jwtAuthStrategyName}`);
+                server.auth.strategy(jwtAuthStrategyName, "jwt", rsa256Options(config.jwtAuthCookieName));
+            } else {
+                return;
+            }
+        },
+    },
+};

runner/src/server/plugins/engine/api/RegisterApplicationStatusApi.ts

@@ -2,18 +2,14 @@ import {RegisterApi} from "./RegisterApi";
 import {HapiRequest, HapiResponseToolkit, HapiServer} from "../../../types";
 import {Options} from "../types/PluginOptions";
 import Joi from "joi";
-import {redirectTo} from "../../../../../../digital-form-builder/runner/src/server/plugins/engine";
+import {redirectTo} from "../util/helper";
+import {retryPay} from "../application-status/RetryPay";
+import {handleUserWithConfirmationViewModel} from "../application-status/HandleUserWithConfirmationViewModel";
+import {checkUserCompletedSummary} from "../application-status/CheckUserCompletedSummary";
 import {
     continueToPayAfterPaymentSkippedWarning,
     paymentSkippedWarning
-} from "../../../../../../digital-form-builder/runner/src/server/plugins/applicationStatus/paymentSkippedWarning";
-import {retryPay} from "../../../../../../digital-form-builder/runner/src/server/plugins/applicationStatus/retryPay";
-import {
-    handleUserWithConfirmationViewModel
-} from "../../../../../../digital-form-builder/runner/src/server/plugins/applicationStatus/handleUserWithConfirmationViewModel";
-import {
-    checkUserCompletedSummary
-} from "../../../../../../digital-form-builder/runner/src/server/plugins/applicationStatus/checkUserCompletedSummary";
+} from "../application-status/PaymentSkippedWarning";
 
 export class RegisterApplicationStatusApi implements RegisterApi {
 
@@ -24,14 +20,14 @@ export class RegisterApplicationStatusApi implements RegisterApi {
             method: "post",
             path: "/{id}/status",
             handler: async (request: HapiRequest, h: HapiResponseToolkit) => {
-                const {payService, cacheService} = request.services([]);
+                const {payService, adapterCacheService} = request.services([]);
                 //@ts-ignore
-                const {pay} = await cacheService.getState(request);
+                const {pay} = await adapterCacheService.getState(request);
                 const {meta} = pay;
                 meta.attempts++;
                 const res = await payService.payRequestFromMeta(meta);
                 //@ts-ignore
-                await cacheService.mergeState(request, {
+                await adapterCacheService.mergeState(request, {
                     webhookData: {
                         fees: {
                             paymentReference: res.reference,