Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MIJN-9699-Bug - Bypasss IDP logout if token is expired #1633

Merged
merged 8 commits into from
Nov 28, 2024
Merged

MIJN-9699-Bug - Bypasss IDP logout if token is expired #1633

Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
f8a67c8
Remove ttl
timvanoostrom Nov 27, 2024
2395093
Add missing template file for testing
timvanoostrom Nov 27, 2024
2f9e5ab
Fix name
timvanoostrom Nov 27, 2024
823c224
Boyscout - remove junk
timvanoostrom Nov 27, 2024
128ef5e
Add timeout
timvanoostrom Nov 27, 2024
d1e234b
Change to absolute duration, add expiresAt in session data
timvanoostrom Nov 27, 2024
3cbfd0a
Restore rolling, bypass IDP logout if token is expired
timvanoostrom Nov 27, 2024
6addd1a
Add tests for bypassing expiry
timvanoostrom Nov 28, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 1 addition & 3 deletions Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ WORKDIR /build-space
COPY package-lock.json /build-space/
COPY package.json /build-space/
COPY vite.config.ts /build-space/
COPY .env.local.template /build-space/
COPY vendor /build-space/vendor
COPY mocks/fixtures /build-space/mocks/fixtures

Expand Down Expand Up @@ -74,9 +75,6 @@ ENV MA_TEST_ACCOUNTS=$MA_TEST_ACCOUNTS
ARG REACT_APP_BFF_API_URL=/api/v1
ENV REACT_APP_BFF_API_URL=$REACT_APP_BFF_API_URL

ARG REACT_APP_SENTRY_DSN=
ENV REACT_APP_SENTRY_DSN=$REACT_APP_SENTRY_DSN

ARG REACT_APP_ANALYTICS_ID=
ENV REACT_APP_ANALYTICS_ID=$REACT_APP_ANALYTICS_ID

Expand Down
50 changes: 29 additions & 21 deletions src/server/app.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,27 +25,35 @@ describe('app', async () => {
vi.resetModules();
});

test('app middleware OT', async () => {
const appModule = await import('./app');
const app = appModule.forTesting.app;
expect(
app._router.stack.some((layer: ILayer) =>
'BFF_ID' in layer.handle ? layer.handle.BFF_ID === 'router-dev' : false
)
).toBe(true);
expect(
app._router.stack.some((layer: ILayer) =>
'BFF_ID' in layer.handle ? layer.handle.BFF_ID === 'router-oidc' : false
)
).toBe(false);
expect(
app._router.stack.some((layer: ILayer) =>
'BFF_ID' in layer.handle
? layer.handle.BFF_ID === 'router-protected'
: false
)
).toBe(true);
});
test(
'app middleware OT',
async () => {
const appModule = await import('./app');
const app = appModule.forTesting.app;
expect(
app._router.stack.some((layer: ILayer) =>
'BFF_ID' in layer.handle
? layer.handle.BFF_ID === 'router-dev'
: false
)
).toBe(true);
expect(
app._router.stack.some((layer: ILayer) =>
'BFF_ID' in layer.handle
? layer.handle.BFF_ID === 'router-oidc'
: false
)
).toBe(false);
expect(
app._router.stack.some((layer: ILayer) =>
'BFF_ID' in layer.handle
? layer.handle.BFF_ID === 'router-protected'
: false
)
).toBe(true);
},
{ timeout: 10000 }
);

test('app middleware AP', async () => {
mocks.IS_AP = true;
Expand Down
1 change: 0 additions & 1 deletion src/server/auth/auth-config.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,6 @@ export const oidcConfigBase: ConfigParams = {
getFromEnv('MA_APP_MODE') !== 'unittest'
? getSessionStore(openIdAuth as typeof expressSession, {
tableName: OIDC_SESSIONS_TABLE_NAME,
ttlSeconds: OIDC_SESSION_MAX_AGE_SECONDS, // NOTE: Not sure if this works with rollingDuration
})
: undefined,
},
Expand Down
46 changes: 27 additions & 19 deletions src/server/auth/auth-helpers.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ import {
} from './auth-types';
import { FeatureToggle } from '../../universal/config/feature-toggles';
import { AppRoutes } from '../../universal/config/routes';
import { ONE_SECOND_MS } from '../config/app';
import { ExternalConsumerEndpoints } from '../routing/bff-routes';
import { generateFullApiUrlBFF } from '../routing/route-helpers';
import { captureException } from '../services/monitoring';
Expand Down Expand Up @@ -89,6 +90,7 @@ export function getAuth(req: Request) {
return {
token: oidcToken,
profile,
expiresAt: maSession.expires_at,
};
}

Expand Down Expand Up @@ -126,31 +128,37 @@ export function decodeToken<T extends Record<string, string>>(
return jose.decodeJwt(jwtToken) as unknown as T;
}

function isIDPSessionExpired(expiresAt: string) {
return new Date(parseInt(expiresAt, 10) * ONE_SECOND_MS) < new Date();
timvanoostrom marked this conversation as resolved.
Show resolved Hide resolved
}

export function createLogoutHandler(
postLogoutRedirectUrl: string,
doIDPLogout: boolean = true
) {
return async (req: AuthenticatedRequest, res: Response) => {
if (req.oidc.isAuthenticated() && doIDPLogout) {
const auth = getAuth(req);
if (auth) {
// Add the session ID to a blacklist. This way the jwt id_token, which itself has longer lifetime, cannot be reused after logging out at IDP.
if (auth.profile.sid) {
await addToBlackList(auth.profile.sid);
}

return res.oidc.logout({
returnTo: postLogoutRedirectUrl,
logoutParams: {
id_token_hint: !FeatureToggle.oidcLogoutHintActive
? auth.token
: null,
logout_hint: FeatureToggle.oidcLogoutHintActive
? req[OIDC_SESSION_COOKIE_NAME]?.TMASessionID
: null,
},
});
const auth = getAuth(req);
if (
auth &&
req.oidc.isAuthenticated() &&
(doIDPLogout ? isIDPSessionExpired(auth.expiresAt) : false)
) {
// Add the session ID to a blacklist. This way the jwt id_token, which itself has longer lifetime, cannot be reused after logging out at IDP.
if (auth.profile.sid) {
await addToBlackList(auth.profile.sid);
}

return res.oidc.logout({
returnTo: postLogoutRedirectUrl,
logoutParams: {
id_token_hint: !FeatureToggle.oidcLogoutHintActive
? auth.token
: null,
logout_hint: FeatureToggle.oidcLogoutHintActive
? req[OIDC_SESSION_COOKIE_NAME]?.TMASessionID
: null,
},
});
}

if (hasSessionCookie(req)) {
Expand Down
2 changes: 0 additions & 2 deletions src/server/auth/auth-session-store.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,6 @@ import { pool } from '../services/db/postgres';

type SessionStoreOptions = {
tableName: string;
ttlSeconds?: number;
};

export function getSessionStore<T extends typeof expressSession>(
Expand All @@ -25,7 +24,6 @@ export function getSessionStore<T extends typeof expressSession>(
tableName: options.tableName,
pool,
createTableIfMissing: true,
ttl: options.ttlSeconds,
}) as unknown as SessionStore<Session>;
}

Expand Down
1 change: 1 addition & 0 deletions src/server/auth/auth-types.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ export interface MaSession extends Session {
TMASessionID: string; // TMA Session ID
profileType: ProfileType;
authMethod: AuthMethod;
expires_at: string;
}

export interface AuthProfileAndToken {
Expand Down
2 changes: 2 additions & 0 deletions src/server/routing/route-handlers.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,11 +58,13 @@ export function verifyAuthenticated(
) {
return async (req: Request, res: Response) => {
if (await isRequestAuthenticated(req, authMethod)) {
const auth = getAuth(req);
return res.send(
apiSuccessResult({
isAuthenticated: true,
profileType,
authMethod,
expiresAt: auth?.expiresAt,
})
);
}
Expand Down
Loading