Merge branch 'main' into MIJN-5123-aanvragen-stadspas-toggle

Amsterdam · Nov 6, 2023 · 8289e42 · 8289e42
2 parents f538de4 + dfd164f
commit 8289e42
Show file tree

Hide file tree

Showing 9 changed files with 70 additions and 13 deletions.
diff --git a/azure-pipeline-bff.yaml b/azure-pipeline-bff.yaml
@@ -4,6 +4,7 @@ trigger:
     include:
       - ontwikkelen
       - testen
+      - main
   paths:
     include:
       - src/server
@@ -56,6 +57,9 @@ variables:
   - ${{ if or(eq(variables['Build.SourceBranchName'], 'testen'), eq(variables['Build.Reason'], 'PullRequest')) }}:
       - name: dtapName
         value: t
+  - ${{ if eq(variables['Build.SourceBranchName'], 'az-acceptance') }}:
+      - name: dtapName
+        value: a
   - ${{ if eq(variables['Build.Reason'], 'PullRequest') }}:
       - name: btdDeploy
         value: false

diff --git a/azure-pipeline-ui.yaml b/azure-pipeline-ui.yaml
@@ -4,6 +4,7 @@ trigger:
     include:
       - ontwikkelen
       - testen
+      - main
   paths:
     include:
       - src/client
@@ -58,6 +59,9 @@ variables:
   - ${{ if or(eq(variables['Build.SourceBranchName'], 'testen'), eq(variables['Build.Reason'], 'PullRequest')) }}:
       - name: dtapName
         value: t
+  - ${{ if eq(variables['Build.SourceBranchName'], 'az-acceptance') }}:
+      - name: dtapName
+        value: a
   - ${{ if eq(variables['Build.Reason'], 'PullRequest') }}:
       - name: btdDeploy
         value: false

diff --git a/azure-pipelines.yaml b/azure-pipelines.yaml
@@ -26,8 +26,8 @@ parameters:
       - none
       - o
       - t
-      # - a
-      # - p
+      - a
+      - p
 
   - name: updateAppSettings
     type: boolean
@@ -47,6 +47,9 @@ variables:
   - ${{ if and(or(eq(variables['Build.SourceBranchName'], 'testen'), eq(variables['Build.Reason'], 'PullRequest')), eq(parameters.dtapName, 'none')) }}:
       - name: dtapName
         value: t
+  - ${{ if and(eq(variables['Build.SourceBranchName'], 'az-acceptance'), eq(parameters.dtapName, 'none')) }}:
+      - name: dtapName
+        value: a
   - ${{ if ne(parameters.dtapName, 'none') }}:
       - name: dtapName
         value: ${{ parameters.dtapName }}

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -82,7 +82,7 @@
     "express": "^4.17.3",
     "express-basic-auth": "^1.2.1",
     "express-http-proxy": "^1.6.3",
-    "express-openid-connect": "^2.5.2",
+    "express-openid-connect": "^2.17.1",
     "express-rate-limit": "^6.4.0",
     "flat-cache": "^3.0.4",
     "focus-trap-react": "^8.8.2",

diff --git a/src/server/config.ts b/src/server/config.ts
@@ -417,9 +417,8 @@ const oidcConfigBase: ConfigParams = {
   },
   routes: {
     login: false,
-    logout: AUTH_LOGOUT,
+    logout: false,
     callback: false,
-    postLogoutRedirect: process.env.MA_FRONTEND_URL,
   },
   afterCallback: (req, res, session) => {
     const claims = jose.JWT.decode(session.id_token) as {
@@ -456,10 +455,6 @@ export const oidcConfigYivi: ConfigParams = {
   ...oidcConfigBase,
   clientID: process.env.BFF_OIDC_CLIENT_ID_YIVI,
   authorizationParams: { prompt: 'login', max_age: 0, response_type: 'code' },
-  routes: {
-    ...oidcConfigBase.routes,
-    postLogoutRedirect: process.env.BFF_OIDC_YIVI_POST_LOGOUT_REDIRECT,
-  },
 };
 
 // Op 1.13 met ketenmachtiging

diff --git a/src/server/helpers/app.test.ts b/src/server/helpers/app.test.ts
@@ -90,6 +90,7 @@ describe('server/helpers/app', () => {
           "authMethod": "eherkenning",
           "id": "123-eherkenning-321",
           "profileType": "commercial",
+          "sid": undefined,
         },
         "token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjhZTjNwTkRVVXloby10UUIyNWFmcThES0NyeHQyVi1iUzZXOWdSazBjZ2sifQ.eyJ1cm46ZXRvZWdhbmc6MS45OkVudGl0eUNvbmNlcm5lZElEOkt2S25yIjoiMTIzLWVoZXJrZW5uaW5nLTMyMSIsImF1ZCI6InRlc3QxIiwiaWF0IjoxNjUwNjIwMTMzfQ.qF2JLBflk_ajk11jiyrZqcLklB618aSVjnazeDAyljdRJMN_vUUqVZBNLgLI0CBZ_jTYQwbl2OQsizGIdp9_yUadu1FhU4xGHYFBXvtLmdUk049bLccJoFIFYrvJq9yMAUhhRrBLjUUPJN3M8KijF7JKG74QYwyKyL-MzvsvKOqQNLJKUgQ4wUbsY2n9SjPcWGtB6rvkHrbfGGZZmdozIKXWmsQMYP41cEL9E0S15iF78Zko8jaWiV9oUHNqy3CfyZJz-K0dCbPAhs73q_7NqZQF1UoRgw8cQCVpfami521KpS7U6PK6oYlrigF1sHhsN_MuCwVHeOtu_BvBo_IFMQ",
       }
@@ -119,6 +120,7 @@ describe('server/helpers/app', () => {
           "authMethod": "digid",
           "id": "000-digid-999",
           "profileType": "private",
+          "sid": undefined,
         },
         "token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjhZTjNwTkRVVXloby10UUIyNWFmcThES0NyeHQyVi1iUzZXOWdSazBjZ2sifQ.eyJzdWIiOiIwMDAtZGlnaWQtOTk5IiwiYXVkIjoidGVzdDIiLCJpYXQiOjE2NTA2MTk4NDV9.QvPW0CYDnHiX77VZVAUmXahrQeJW1D0IrR4GBTyayH83nv3xe-nHnUMsXIchuYozmDwnF36CBsd1mm-C16x0PK1QD6-Fu-2PAekMxKaWpRWcI6ICOgliEVyV6a2B_KI3ZHshjlXxLyh59VL_2NegKZBQWEvTsFazn0fzbPmoKM3SVj19IiLug8Us4n-jYvzD8kplGzvWVujl4-1VYeNvn0vSfBrcSdLtGPJI7fcJafPxJs6gY2mrpwyeQ3Pan7DEEhXOqucjs81x9cwRRf4_JbRkehLKCwxb4u1USSusqTEqGhGQm7JGJlD4nZIdScNG7Xyx9LQcGm0EfnrjXOTGcw",
       }
@@ -133,38 +135,44 @@ describe('server/helpers/app', () => {
         sub: '-unused-',
         aud: 'test1',
         [EH_ATTR_PRIMARY_ID]: 'EHERKENNING-KVK',
+        sid: 'test',
       } as TokenData);
 
       expect(profile).toStrictEqual({
         authMethod: 'eherkenning',
         profileType: 'commercial',
         id: 'EHERKENNING-KVK',
+        sid: 'test',
       });
     }
 
     {
       const profile = getAuthProfile({
         aud: 'test2',
         [DIGID_ATTR_PRIMARY]: 'DIGID-BSN',
+        sid: 'test2',
       } as TokenData);
 
       expect(profile).toStrictEqual({
         authMethod: 'digid',
         profileType: 'private',
         id: 'DIGID-BSN',
+        sid: 'test2',
       });
     }
 
     {
       const profile = getAuthProfile({
         aud: 'test_x',
         [DIGID_ATTR_PRIMARY]: 'DIGID-BSN',
+        sid: 'test2b',
       } as TokenData);
 
       expect(profile).toStrictEqual({
         authMethod: 'digid',
         profileType: 'private',
         id: 'DIGID-BSN',
+        sid: 'test2b',
       });
     }
 
@@ -173,12 +181,14 @@ describe('server/helpers/app', () => {
         sub: '',
         aud: 'test1',
         [EH_ATTR_PRIMARY_ID]: 'EH-KVK1',
+        sid: 'test3',
       } as TokenData);
 
       expect(profile).toStrictEqual({
         authMethod: 'eherkenning',
         profileType: 'commercial',
         id: 'EH-KVK1',
+        sid: 'test3',
       });
     }
 
@@ -187,12 +197,14 @@ describe('server/helpers/app', () => {
         sub: '',
         aud: 'test1',
         [EH_ATTR_PRIMARY_ID_LEGACY]: 'EH-KVK1',
+        sid: 'test4',
       } as TokenData);
 
       expect(profile).toStrictEqual({
         authMethod: 'eherkenning',
         profileType: 'commercial',
         id: 'EH-KVK1',
+        sid: 'test4',
       });
     }
 
@@ -202,12 +214,14 @@ describe('server/helpers/app', () => {
         aud: 'test1',
         [EH_ATTR_INTERMEDIATE_PRIMARY_ID]: 'EH-KVK1',
         [EH_ATTR_INTERMEDIATE_SECONDARY_ID]: 'EH-KVK2',
+        sid: 'test5',
       } as TokenData);
 
       expect(profile).toStrictEqual({
         authMethod: 'eherkenning',
         profileType: 'commercial',
         id: 'EH-KVK1',
+        sid: 'test5',
       });
     }
   });

diff --git a/src/server/helpers/app.ts b/src/server/helpers/app.ts
@@ -35,6 +35,7 @@ export interface AuthProfile {
   authMethod: 'eherkenning' | 'digid' | 'yivi';
   profileType: ProfileType;
   id?: string;
+  sid?: string; // TMA Session ID
 }
 
 export function getAuthProfile(tokenData: TokenData): AuthProfile {
@@ -61,6 +62,7 @@ export function getAuthProfile(tokenData: TokenData): AuthProfile {
 
   return {
     id: tokenData[idAttr],
+    sid: tokenData.sid,
     authMethod,
     profileType,
   };
@@ -192,6 +194,7 @@ export function getOIDCToken(jweCookieString: string): string {
 export interface TokenData {
   sub: string;
   aud: string;
+  sid: string;
   [key: string]: any;
 }
 

diff --git a/src/server/router-oidc.ts b/src/server/router-oidc.ts
@@ -1,5 +1,5 @@
 import * as Sentry from '@sentry/node';
-import express from 'express';
+import express, { Request, Response } from 'express';
 import { attemptSilentLogin, auth } from 'express-openid-connect';
 import { FeatureToggle } from '../universal/config';
 import { apiSuccessResult } from '../universal/helpers';
@@ -269,3 +269,36 @@ router.get(BffEndpoints.AUTH_LOGOUT, async (req, res) => {
 
   return res.redirect(redirectUrl);
 });
+
+function logout(postLogoutRedirectUrl: string) {
+  return async (req: Request, res: Response) => {
+    if (!req.oidc.isAuthenticated()) {
+      return res.redirect(postLogoutRedirectUrl);
+    }
+
+    const auth = await getAuth(req);
+
+    res.oidc.logout({
+      returnTo: postLogoutRedirectUrl,
+      logoutParams: {
+        id_token_hint: null,
+        logout_hint: auth.profile.sid,
+      },
+    });
+  };
+}
+
+router.get(
+  BffEndpoints.AUTH_LOGOUT_DIGID,
+  logout(process.env.MA_FRONTEND_URL!)
+);
+
+router.get(
+  BffEndpoints.AUTH_LOGOUT_EHERKENNING,
+  logout(process.env.MA_FRONTEND_URL!)
+);
+
+router.get(
+  BffEndpoints.AUTH_LOGOUT_YIVI,
+  logout(process.env.BFF_OIDC_YIVI_POST_LOGOUT_REDIRECT!)
+);