FS-4805 - Adding authentication to FAB #119

Merged: 4 commits from FS-4805_FAB-authentication into main, Dec 12, 2024
Conversation

@wjrm500 (Contributor) commented Nov 29, 2024

Ticket

Add authentication for FAB

Description

  • Instead of just an index route for the home page, we now have index, login and dashboard routes, following the pattern in Post-Award Submit: https://github.com/communitiesuk/funding-service-design-post-award-data-store/blob/main/submit/main/routes.py
  • Users landing at index (/) get redirected to dashboard (previously index) if authenticated, or login if not
  • At login, users are presented with a button "Sign in using Microsoft" that sends them to the Authenticator app, which in turn redirects them to Entra ID (see OAuth)
  • Users will be able to authenticate successfully with Microsoft if they are either members or guests of the MHCLG organisation in Microsoft
  • All routes are now decorated with the login_required decorator from our fsd-utils library, which simply checks whether users have authenticated successfully
  • All routes are also now decorated with the additional check_internal_user decorator, now also part of the fsd-utils library, having recently been ported there from Post-Award Data Store. This decorator checks that users have an email domain of either communities.gov.uk or test.communities.gov.uk, which prevents guest users on our Entra ID tenant (i.e., local authority users) from accessing
  • Functionality has also been added to support local development, including a DEBUG_USER backdoor

Testing instructions

General pre-requisites

  • Ensure the branch FS-4805_FAB-authentication is deployed to dev environment for this app
  • Ensure the branch FS-4805_FAB-authentication is deployed to dev environment for Authenticator

Test 1 - Unauthenticated user

1.0

  • Action: open an incognito / private mode browser window to ensure authentication begins afresh

1.1

  • Action: go to https://fund-application-builder.dev.access-funding.test.levellingup.gov.uk/dashboard
  • Expected behaviour: you will be redirected to https://authenticator.dev.access-funding.test.levellingup.gov.uk/service/sso/signed-out/no_token?return_app=fund-application-builder&return_path=%2Fdashboard and see a page saying "You are not logged in" with a "Sign in" button

Test 2 - Authenticate as an internal user

2.0

  • Action: open an incognito / private mode browser window to ensure authentication begins afresh

2.1

  • Action: go to https://fund-application-builder.dev.access-funding.test.levellingup.gov.uk
  • Expected behaviour: you will be redirected to https://fund-application-builder.dev.access-funding.test.levellingup.gov.uk/login and see a page with a button "Sign in using Microsoft"

2.2

  • Action: click the button "Sign in using Microsoft"
  • Expected behaviour: you will be redirected to an Entra ID login page where you will be requested to enter your Microsoft credentials. Once you have done this, you will be redirected to https://fund-application-builder.dev.access-funding.test.levellingup.gov.uk/dashboard. You will see the normal FAB home page

2.3

  • Action: from the dashboard, click into "Manage Templates" and click one of the template name links (e.g., "Applicant Information COF")
  • Expected behaviour: you will be sent to a route in the domain https://forms.dev.access-funding.test.levellingup.gov.uk (e.g., https://forms.dev.access-funding.test.levellingup.gov.uk/apply-for-funding-to-save-an-asset-in-your-community/applicant-information), where you will be able to preview the form (e.g., you will see a page titled "Applicant information" with a "Continue" button)

Test 3 - Authenticate as an external user

Test-specific pre-requisites

  • You will need your personal email address included as a guest account in the Entra ID test tenant. I believe adding guests is something only admins can do (i.e., not me), so the simplest solution for this test is to hop on a call with me and I can share my screen and run through the steps

3.0

  • Action: open an incognito / private mode browser window to ensure authentication begins afresh

3.1

  • Action: go to https://fund-application-builder.dev.access-funding.test.levellingup.gov.uk
  • Expected behaviour: you will be redirected to https://fund-application-builder.dev.access-funding.test.levellingup.gov.uk/login and see a page with a button "Sign in using Microsoft"

3.2

  • Action: click the button "Sign in using Microsoft"
  • Expected behaviour: you will be redirected to an Entra ID login page where you will be requested to enter your Microsoft credentials. You will have to enter a code sent to your email address. Once you have done this, you will be redirected to https://fund-application-builder.dev.access-funding.test.levellingup.gov.uk/dashboard. Instead of seeing the normal home page, you will see a page titled "You do not have permission to access this page"

@wjrm500 force-pushed the FS-4805_FAB-authentication branch from 9f820fa to 31afc3a on November 29, 2024 17:30
@wjrm500 force-pushed the FS-4805_FAB-authentication branch from 31afc3a to 5582660 on December 4, 2024 11:28
@wjrm500 force-pushed the FS-4805_FAB-authentication branch from 5582660 to eba29fa on December 6, 2024 11:48
@wjrm500 force-pushed the FS-4805_FAB-authentication branch from eba29fa to 35e6a7f on December 6, 2024 11:49
@wjrm500 force-pushed the FS-4805_FAB-authentication branch from 35e6a7f to cc1f11d on December 6, 2024 12:27
@wjrm500 force-pushed the FS-4805_FAB-authentication branch from cc1f11d to dcccc5a on December 6, 2024 17:58
@wjrm500 force-pushed the FS-4805_FAB-authentication branch from dcccc5a to d8e4ab1 on December 6, 2024 18:53
@wjrm500 force-pushed the FS-4805_FAB-authentication branch from d8e4ab1 to 2a2d776 on December 6, 2024 18:55
@wjrm500 force-pushed the FS-4805_FAB-authentication branch from 2a2d776 to ad86ef6 on December 7, 2024 08:41
@wjrm500 force-pushed the FS-4805_FAB-authentication branch from ad86ef6 to ef957f4 on December 7, 2024 09:12
@wjrm500 force-pushed the FS-4805_FAB-authentication branch from ef957f4 to e5cc1e4 on December 7, 2024 09:14
@nuwan-samarasinghe (Contributor) left a comment

LGTM

nice work

Review comment on app/create_app.py (resolved):

Instead of having login_required and check_internal_user added above each and every route, we can have a central @app.before_request decorator to add the decorators to every route, except those that require public access - static, healthcheck, login and index.
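The access policy this PR describes (index redirecting to dashboard or login, login_required followed by check_internal_user on every other route, a DEBUG_USER backdoor for local development) and the reviewer's suggestion of one central before_request check are modelled together below. This is an added example written for this page; it is not FAB's code and not the fsd-utils decorators. It is framework-agnostic so it runs without Flask: `authorise` plays the role of the before_request hook and returns a `Decision` instead of raising or redirecting. The endpoint allow-list and the two internal domains come from the page; the Authenticator host `https://authenticator.example`, the `User`/`Decision` types, the function names, and the `return_path` validation in `signed_out_url` are assumptions. `is_internal_naive` is included only to show why the domain check must be an exact match rather than a suffix match.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

# Values taken from the PR description; the endpoint names mirror the reviewer's allow-list.
INTERNAL_DOMAINS = frozenset({"communities.gov.uk", "test.communities.gov.uk"})
PUBLIC_ENDPOINTS = frozenset({"static", "healthcheck", "login", "index"})


@dataclass(frozen=True)
class User:
    email: str  # the mail claim from the Entra ID token, not the UPN


@dataclass(frozen=True)
class Decision:
    status: int                      # 200 allow, 302 redirect, 403 forbidden
    location: Optional[str] = None   # redirect target when status == 302


def email_domain(email: str) -> str:
    """Domain part of a single-'@' address, lower-cased. Guest UPNs such as
    'alice_gmail.com#EXT#@tenant.onmicrosoft.com' carry '#EXT#' rather than a
    second '@', so a count check plus rsplit is enough; anything odd yields ''."""
    if email.count("@") != 1:
        return ""
    return email.rsplit("@", 1)[1].strip().lower()


def is_internal_naive(email: str) -> bool:
    """Weak check kept for contrast: a bare suffix match lets 'x@notcommunities.gov.uk' through."""
    return email.lower().endswith("communities.gov.uk")


def is_internal(email: str) -> bool:
    """Exact, case-insensitive match of the whole domain against the allow-list."""
    return email_domain(email) in INTERNAL_DOMAINS


def signed_out_url(authenticator_base: str, return_app: str, return_path: str) -> str:
    """Build the Authenticator 'no_token' URL seen in Test 1.1. return_path is only
    forwarded if it is a site-relative path; absolute and scheme-relative URLs (an
    open-redirect vector) fall back to '/'. The validation is an assumption here."""
    if not return_path.startswith("/") or return_path.startswith("//") or "\\" in return_path:
        return_path = "/"
    query = urlencode({"return_app": return_app, "return_path": return_path})
    return f"{authenticator_base}/service/sso/signed-out/no_token?{query}"


def index_redirect(user: Optional[User]) -> Decision:
    """The index route: authenticated users go to the dashboard, others to login."""
    return Decision(302, "/dashboard" if user is not None else "/login")


def authorise(endpoint: str, path: str, user: Optional[User], *,
              authenticator_base: str = "https://authenticator.example",  # assumed host
              return_app: str = "fund-application-builder",
              debug_user: Optional[User] = None,
              debug_enabled: bool = False) -> Decision:
    """One central check in the spirit of the reviewer's @app.before_request suggestion:
    login_required, then check_internal_user, for every endpoint not on the public list."""
    if endpoint in PUBLIC_ENDPOINTS:
        return Decision(200)
    if user is None and debug_enabled and debug_user is not None:
        # DEBUG_USER backdoor: honoured only behind an explicit flag that deployed
        # configurations must leave off; it never bypasses the internal-user check.
        user = debug_user
    if user is None:                       # login_required
        return Decision(302, signed_out_url(authenticator_base, return_app, path))
    if not is_internal(user.email):        # check_internal_user
        return Decision(403)
    return Decision(200)
```

Two points worth carrying into the real before_request hook: keep the public allow-list explicit and short (an unknown endpoint name must fall through to the checks, not past them), and make the DEBUG_USER path depend on a flag that is false by default so a forgotten environment variable in a deployed environment cannot turn it on.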
@wjrm500 wjrm500 merged commit f7a2c76 into main Dec 12, 2024
12 checks passed
@wjrm500 wjrm500 deleted the FS-4805_FAB-authentication branch December 12, 2024 10:49