npm - @dwp/govuk-casa - Versions diffs - 8.16.1 → 8.16.3 - Mend

@dwp/govuk-casa 8.16.1 → 8.16.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (189) hide show

package/dist/assets/css/casa-ie8.css +1 -1
package/dist/assets/css/casa.css +1 -1
package/dist/casa.d.ts +13 -13
package/dist/casa.js +17 -7
package/dist/casa.js.map +1 -1
package/dist/lib/CasaTemplateLoader.d.ts +1 -1
package/dist/lib/CasaTemplateLoader.js +13 -14
package/dist/lib/CasaTemplateLoader.js.map +1 -1
package/dist/lib/JourneyContext.d.ts +10 -4
package/dist/lib/JourneyContext.js +57 -47
package/dist/lib/JourneyContext.js.map +1 -1
package/dist/lib/MutableRouter.d.ts +1 -1
package/dist/lib/MutableRouter.js +22 -23
package/dist/lib/MutableRouter.js.map +1 -1
package/dist/lib/Plan.d.ts +5 -5
package/dist/lib/Plan.js +49 -36
package/dist/lib/Plan.js.map +1 -1
package/dist/lib/ValidationError.d.ts +1 -1
package/dist/lib/ValidationError.js +9 -9
package/dist/lib/ValidationError.js.map +1 -1
package/dist/lib/ValidatorFactory.js +4 -7
package/dist/lib/ValidatorFactory.js.map +1 -1
package/dist/lib/configuration-ingestor.d.ts +75 -14
package/dist/lib/configuration-ingestor.js +156 -64
package/dist/lib/configuration-ingestor.js.map +1 -1
package/dist/lib/configure.js +11 -10
package/dist/lib/configure.js.map +1 -1
package/dist/lib/constants.js +8 -8
package/dist/lib/context-id-generators.d.ts +1 -1
package/dist/lib/context-id-generators.js +7 -4
package/dist/lib/context-id-generators.js.map +1 -1
package/dist/lib/end-session.js +2 -2
package/dist/lib/field.d.ts +6 -6
package/dist/lib/field.js +15 -21
package/dist/lib/field.js.map +1 -1
package/dist/lib/index.d.ts +13 -13
package/dist/lib/index.js +17 -7
package/dist/lib/index.js.map +1 -1
package/dist/lib/logger.js +7 -7
package/dist/lib/logger.js.map +1 -1
package/dist/lib/mount.js +3 -3
package/dist/lib/mount.js.map +1 -1
package/dist/lib/nunjucks-filters.d.ts +5 -1
package/dist/lib/nunjucks-filters.js +37 -23
package/dist/lib/nunjucks-filters.js.map +1 -1
package/dist/lib/nunjucks.d.ts +2 -2
package/dist/lib/nunjucks.js +6 -7
package/dist/lib/nunjucks.js.map +1 -1
package/dist/lib/utils.js +52 -42
package/dist/lib/utils.js.map +1 -1
package/dist/lib/validators/dateObject.d.ts +3 -3
package/dist/lib/validators/dateObject.js +44 -37
package/dist/lib/validators/dateObject.js.map +1 -1
package/dist/lib/validators/email.d.ts +2 -2
package/dist/lib/validators/email.js +4 -5
package/dist/lib/validators/email.js.map +1 -1
package/dist/lib/validators/inArray.d.ts +2 -2
package/dist/lib/validators/inArray.js +5 -6
package/dist/lib/validators/inArray.js.map +1 -1
package/dist/lib/validators/index.d.ts +10 -10
package/dist/lib/validators/index.js.map +1 -1
package/dist/lib/validators/nino.d.ts +2 -2
package/dist/lib/validators/nino.js +10 -7
package/dist/lib/validators/nino.js.map +1 -1
package/dist/lib/validators/postalAddressObject.d.ts +2 -2
package/dist/lib/validators/postalAddressObject.js +52 -39
package/dist/lib/validators/postalAddressObject.js.map +1 -1
package/dist/lib/validators/range.d.ts +2 -2
package/dist/lib/validators/range.js +6 -7
package/dist/lib/validators/range.js.map +1 -1
package/dist/lib/validators/regex.d.ts +2 -2
package/dist/lib/validators/regex.js +4 -5
package/dist/lib/validators/regex.js.map +1 -1
package/dist/lib/validators/required.d.ts +2 -2
package/dist/lib/validators/required.js +6 -9
package/dist/lib/validators/required.js.map +1 -1
package/dist/lib/validators/strlen.d.ts +2 -2
package/dist/lib/validators/strlen.js +8 -9
package/dist/lib/validators/strlen.js.map +1 -1
package/dist/lib/validators/wordCount.d.ts +2 -2
package/dist/lib/validators/wordCount.js +10 -9
package/dist/lib/validators/wordCount.js.map +1 -1
package/dist/lib/waypoint-url.d.ts +4 -4
package/dist/lib/waypoint-url.js +23 -23
package/dist/lib/waypoint-url.js.map +1 -1
package/dist/middleware/body-parser.d.ts +27 -5
package/dist/middleware/body-parser.js +37 -6
package/dist/middleware/body-parser.js.map +1 -1
package/dist/middleware/csrf.d.ts +3 -0
package/dist/middleware/csrf.js +3 -0
package/dist/middleware/csrf.js.map +1 -1
package/dist/middleware/data.d.ts +22 -5
package/dist/middleware/data.js +37 -7
package/dist/middleware/data.js.map +1 -1
package/dist/middleware/gather-fields.d.ts +1 -1
package/dist/middleware/gather-fields.js +4 -3
package/dist/middleware/gather-fields.js.map +1 -1
package/dist/middleware/i18n.d.ts +11 -2
package/dist/middleware/i18n.js +26 -17
package/dist/middleware/i18n.js.map +1 -1
package/dist/middleware/post.d.ts +3 -1
package/dist/middleware/post.js +35 -18
package/dist/middleware/post.js.map +1 -1
package/dist/middleware/pre.d.ts +1 -1
package/dist/middleware/pre.js +44 -21
package/dist/middleware/pre.js.map +1 -1
package/dist/middleware/progress-journey.d.ts +1 -1
package/dist/middleware/progress-journey.js +5 -5
package/dist/middleware/progress-journey.js.map +1 -1
package/dist/middleware/sanitise-fields.d.ts +2 -2
package/dist/middleware/sanitise-fields.js +13 -11
package/dist/middleware/sanitise-fields.js.map +1 -1
package/dist/middleware/serve-first-waypoint.d.ts +1 -1
package/dist/middleware/serve-first-waypoint.js +6 -4
package/dist/middleware/serve-first-waypoint.js.map +1 -1
package/dist/middleware/session.d.ts +27 -8
package/dist/middleware/session.js +53 -25
package/dist/middleware/session.js.map +1 -1
package/dist/middleware/skip-waypoint.d.ts +1 -1
package/dist/middleware/skip-waypoint.js +3 -3
package/dist/middleware/skip-waypoint.js.map +1 -1
package/dist/middleware/steer-journey.d.ts +1 -1
package/dist/middleware/steer-journey.js +15 -13
package/dist/middleware/steer-journey.js.map +1 -1
package/dist/middleware/strip-proxy-path.d.ts +1 -1
package/dist/middleware/strip-proxy-path.js +3 -3
package/dist/middleware/strip-proxy-path.js.map +1 -1
package/dist/middleware/validate-fields.d.ts +2 -2
package/dist/middleware/validate-fields.js +2 -5
package/dist/middleware/validate-fields.js.map +1 -1
package/dist/routes/ancillary.d.ts +2 -2
package/dist/routes/ancillary.js +3 -3
package/dist/routes/ancillary.js.map +1 -1
package/dist/routes/journey.d.ts +1 -1
package/dist/routes/journey.js +85 -31
package/dist/routes/journey.js.map +1 -1
package/dist/routes/static.d.ts +2 -2
package/dist/routes/static.js +18 -18
package/dist/routes/static.js.map +1 -1
package/package.json +39 -42
package/src/casa.js +13 -13
package/src/lib/CasaTemplateLoader.js +21 -17
package/src/lib/JourneyContext.js +118 -79
package/src/lib/MutableRouter.js +30 -26
package/src/lib/Plan.js +109 -62
package/src/lib/ValidationError.js +13 -10
package/src/lib/ValidatorFactory.js +7 -8
package/src/lib/configuration-ingestor.js +200 -74
package/src/lib/configure.js +31 -30
package/src/lib/constants.js +8 -8
package/src/lib/context-id-generators.js +39 -38
package/src/lib/end-session.js +3 -3
package/src/lib/field.js +48 -32
package/src/lib/index.js +12 -12
package/src/lib/logger.js +9 -9
package/src/lib/mount.js +68 -73
package/src/lib/nunjucks-filters.js +57 -44
package/src/lib/nunjucks.js +20 -16
package/src/lib/utils.js +69 -44
package/src/lib/validators/dateObject.js +57 -48
package/src/lib/validators/email.js +8 -9
package/src/lib/validators/inArray.js +8 -9
package/src/lib/validators/index.js +11 -11
package/src/lib/validators/nino.js +25 -12
package/src/lib/validators/postalAddressObject.js +73 -55
package/src/lib/validators/range.js +9 -11
package/src/lib/validators/regex.js +7 -8
package/src/lib/validators/required.js +13 -14
package/src/lib/validators/strlen.js +11 -12
package/src/lib/validators/wordCount.js +17 -12
package/src/lib/waypoint-url.js +48 -33
package/src/middleware/body-parser.js +44 -10
package/src/middleware/csrf.js +4 -1
package/src/middleware/data.js +62 -25
package/src/middleware/gather-fields.js +8 -8
package/src/middleware/i18n.js +49 -39
package/src/middleware/post.js +47 -21
package/src/middleware/pre.js +60 -35
package/src/middleware/progress-journey.js +32 -18
package/src/middleware/sanitise-fields.js +43 -20
package/src/middleware/serve-first-waypoint.js +12 -10
package/src/middleware/session.js +97 -65
package/src/middleware/skip-waypoint.js +7 -9
package/src/middleware/steer-journey.js +39 -27
package/src/middleware/strip-proxy-path.js +8 -7
package/src/middleware/validate-fields.js +5 -12
package/src/routes/ancillary.js +4 -6
package/src/routes/journey.js +158 -78
package/src/routes/static.js +61 -28

package/src/middleware/pre.js CHANGED Viewed

@@ -1,15 +1,15 @@
-import { randomBytes } from 'crypto';
-import helmet from 'helmet';
+import { randomBytes } from "crypto";
+import helmet from "helmet";
 /**
  * @access private
  * @typedef {import('../casa').HelmetConfigurator} HelmetConfigurator
  */
-const GA_DOMAIN = '*.google-analytics.com';
-const GA_ANALYTICS_DOMAIN = '*.analytics.google.com';
-const GTM_DOMAIN = '*.googletagmanager.com';
-const GTM_PREVIEW_DOMAIN = 'https://tagmanager.google.com';
+const GA_DOMAIN = "*.google-analytics.com";
+const GA_ANALYTICS_DOMAIN = "*.analytics.google.com";
+const GTM_DOMAIN = "*.googletagmanager.com";
+const GTM_PREVIEW_DOMAIN = "https://tagmanager.google.com";
 /**
  * Extracts the CSP nonce used in every template, and makes it available as a
@@ -34,14 +34,14 @@ function casaCspNonce(req, res) {
  * @param {HelmetConfigurator} opts.helmetConfigurator Function to customise Helmet configuration
  * @returns {Function[]} List of middleware
  */
-export default ({
-  helmetConfigurator = (config) => (config),
-} = {}) => [
+export default ({ helmetConfigurator = (config) => config } = {}) => [
   // Only allow certain request methods
   (req, res, next) => {
-    if (req.method !== 'GET' && req.method !== 'POST') {
-      const err = new Error(`Unaccepted request method, "${String(req.method).substr(0, 7)}"`);
-      err.code = 'unaccepted_request_method';
+    if (req.method !== "GET" && req.method !== "POST") {
+      const err = new Error(
+        `Unaccepted request method, "${String(req.method).substr(0, 7)}"`,
+      );
+      err.code = "unaccepted_request_method";
       next(err);
     } else {
       next();
@@ -53,39 +53,64 @@ export default ({
   // The `no-store` setting is to specifically disable the bfcache and prevent
   // possible leakage of information.
   (req, res, next) => {
-    res.set('cache-control', 'no-cache, no-store, must-revalidate, private');
-    res.set('pragma', 'no-cache');
-    res.set('expires', 0);
-    res.set('x-robots-tag', 'noindex, nofollow');
+    res.set("cache-control", "no-cache, no-store, must-revalidate, private");
+    res.set("pragma", "no-cache");
+    res.set("expires", 0);
+    res.set("x-robots-tag", "noindex, nofollow");
     next();
   },
   // Generate nonces ready for use in Content-Security-Policy header and
   // govuk-frontend template. This same none can be used wherever required.
   (req, res, next) => {
-    res.locals.cspNonce = randomBytes(16).toString('hex');
+    res.locals.cspNonce = randomBytes(16).toString("hex");
     next();
   },
   // Helmet suite of headers
-  helmet(helmetConfigurator({
-    // Allows GA which is typically used, and a known inline script nonce
-    contentSecurityPolicy: {
-      useDefaults: true,
-      directives: {
-        'default-src': ["'none'"],
-        'script-src': ["'self'", GA_DOMAIN, GTM_DOMAIN, GTM_PREVIEW_DOMAIN, casaCspNonce],
-        'img-src': ["'self'", GA_DOMAIN, GA_ANALYTICS_DOMAIN, GTM_DOMAIN, 'https://ssl.gstatic.com', 'https://www.gstatic.com', 'https://fonts.gstatic.com'],
-        'connect-src': ["'self'", GA_DOMAIN, GA_ANALYTICS_DOMAIN, GTM_DOMAIN],
-        'frame-src': ["'self'", GTM_DOMAIN],
-        'frame-ancestors': ["'self'"],
-        'form-action': ["'self'"],
-        'style-src': ["'self'", 'https://fonts.googleapis.com', GTM_PREVIEW_DOMAIN, GTM_DOMAIN, casaCspNonce, "'sha256-xWGOGGMGQQ+IV0Om4xzgbDHXUh/+L1c375p0Pb6vF9A='", "'sha256-9HGruJg4WccHXas5I1NmLn7tI1TDh6N26o6+/dy8sm4='", "'sha256-oM0kKtU+nugIwjuYHkXXVoKGVNhC/DCUnIVdSVBMkaQ='"],
-        'font-src': ["'self'", 'data:', 'https://fonts.gstatic.com'],
+  helmet(
+    helmetConfigurator({
+      // Allows GA which is typically used, and a known inline script nonce
+      contentSecurityPolicy: {
+        useDefaults: true,
+        directives: {
+          "default-src": ["'none'"],
+          "script-src": [
+            "'self'",
+            GA_DOMAIN,
+            GTM_DOMAIN,
+            GTM_PREVIEW_DOMAIN,
+            casaCspNonce,
+          ],
+          "img-src": [
+            "'self'",
+            GA_DOMAIN,
+            GA_ANALYTICS_DOMAIN,
+            GTM_DOMAIN,
+            "https://ssl.gstatic.com",
+            "https://www.gstatic.com",
+            "https://fonts.gstatic.com",
+          ],
+          "connect-src": ["'self'", GA_DOMAIN, GA_ANALYTICS_DOMAIN, GTM_DOMAIN],
+          "frame-src": ["'self'", GTM_DOMAIN],
+          "frame-ancestors": ["'self'"],
+          "form-action": ["'self'"],
+          "style-src": [
+            "'self'",
+            "https://fonts.googleapis.com",
+            GTM_PREVIEW_DOMAIN,
+            GTM_DOMAIN,
+            casaCspNonce,
+            "'sha256-xWGOGGMGQQ+IV0Om4xzgbDHXUh/+L1c375p0Pb6vF9A='",
+            "'sha256-9HGruJg4WccHXas5I1NmLn7tI1TDh6N26o6+/dy8sm4='",
+            "'sha256-oM0kKtU+nugIwjuYHkXXVoKGVNhC/DCUnIVdSVBMkaQ='",
+          ],
+          "font-src": ["'self'", "data:", "https://fonts.gstatic.com"],
+        },
       },
-    },
-    // // Require referrer to aid navigation
-    // referrerPolicy: 'no-referrer, same-origin',
-  })),
+      // // Require referrer to aid navigation
+      // referrerPolicy: 'no-referrer, same-origin',
+    }),
+  ),
 ];

package/src/middleware/progress-journey.js CHANGED Viewed

@@ -2,13 +2,13 @@
 // We assume that the waypoint has been validated prior to reaching this
 // middleware.
-import Plan from '../lib/Plan.js';
-import JourneyContext from '../lib/JourneyContext.js';
-import waypointUrl from '../lib/waypoint-url.js';
-import logger from '../lib/logger.js';
-import { REQUEST_PHASE_REDIRECT } from '../lib/constants.js';
+import Plan from "../lib/Plan.js";
+import JourneyContext from "../lib/JourneyContext.js";
+import waypointUrl from "../lib/waypoint-url.js";
+import logger from "../lib/logger.js";
+import { REQUEST_PHASE_REDIRECT } from "../lib/constants.js";
-const log = logger('middleware:progress-journey');
+const log = logger("middleware:progress-journey");
 const saveAndRedirect = (session, journeyContext, url, res, next) => {
   JourneyContext.putContext(session, journeyContext, {
@@ -25,10 +25,7 @@ const saveAndRedirect = (session, journeyContext, url, res, next) => {
   });
 };
-export default ({
-  waypoint,
-  plan,
-}) => [
+export default ({ waypoint, plan }) => [
   (req, res, next) => {
     // Determine the next available waypoint after the current one
     const traversed = plan.traverse(req.casa.journeyContext);
@@ -38,7 +35,9 @@ export default ({
       Math.min(currentIndex + 1, traversed.length - 1),
     );
     const nextWaypoint = traversed[parseInt(nextIndex, 10)];
-    log.trace(`currentIndex = ${currentIndex}, nextIndex = ${nextIndex}, currentWaypoint = ${waypoint}, nextWaypoint = ${nextWaypoint}`);
+    log.trace(
+      `currentIndex = ${currentIndex}, nextIndex = ${nextIndex}, currentWaypoint = ${waypoint}, nextWaypoint = ${nextWaypoint}`,
+    );
     // Edit mode
     // Attempt to take the user back to their original URL. We rely on the
@@ -55,14 +54,21 @@ export default ({
     // they want to force the user to re-visit particular waypoints during this
     // "jumping" phase.
     if (req.casa.editMode && req.casa.editOrigin) {
-      const url = new URL(req.casa.editOrigin, 'https://placeholder.test/');
-      url.searchParams.append('edit', 'true');
-      url.searchParams.append('editorigin', req.casa.editOrigin);
-      const redirectUrl = waypointUrl({ waypoint: url.pathname }) + url.search.toString();
+      const url = new URL(req.casa.editOrigin, "https://placeholder.test/");
+      url.searchParams.append("edit", "true");
+      url.searchParams.append("editorigin", req.casa.editOrigin);
+      const redirectUrl =
+        waypointUrl({ waypoint: url.pathname }) + url.search.toString();
       log.debug(`Edit mode detected; redirecting to ${redirectUrl}`);
-      return saveAndRedirect(req.session, req.casa.journeyContext, redirectUrl, res, next);
+      return saveAndRedirect(
+        req.session,
+        req.casa.journeyContext,
+        redirectUrl,
+        res,
+        next,
+      );
     }
     // If the next URL is an "exit node", we need to flag that node as
@@ -76,7 +82,9 @@ export default ({
     //   setRoute('b', 'url:///otherapp/')
     //   setRoute('url:////otherapp/', 'c', (r, c) => checkIfOtherAppIsFinished())
     if (Plan.isExitNode(nextWaypoint)) {
-      log.trace(`Next waypoint is an exit node; clearing validation state on ${nextWaypoint}`);
+      log.trace(
+        `Next waypoint is an exit node; clearing validation state on ${nextWaypoint}`,
+      );
       req.casa.journeyContext.clearValidationErrorsForPage(nextWaypoint);
     }
@@ -91,6 +99,12 @@ export default ({
     // Save and move on
     log.trace(`Redirecting to ${nextUrl}`);
-    return saveAndRedirect(req.session, req.casa.journeyContext, nextUrl, res, next);
+    return saveAndRedirect(
+      req.session,
+      req.casa.journeyContext,
+      nextUrl,
+      res,
+      next,
+    );
   },
 ];

package/src/middleware/sanitise-fields.js CHANGED Viewed

@@ -2,19 +2,32 @@
 // - Coerce each field to its correct type
 // - Remove an extraneous fields that are not know to the application
-import _ from 'lodash';
-import fieldFactory from '../lib/field.js';
-import JourneyContext from '../lib/JourneyContext.js';
+import _ from "lodash";
+import fieldFactory from "../lib/field.js";
+import JourneyContext from "../lib/JourneyContext.js";
-export default ({
-  waypoint,
-  fields = [],
-}) => {
+export default ({ waypoint, fields = [] }) => {
   // Add some common, transient fields to ensure they survive beyond this sanitisation process
-  fields.push(fieldFactory('_csrf', { persist: false }).processor((value) => String(value)));
-  fields.push(fieldFactory('contextid', { persist: false }).processor((value) => String(value)));
-  fields.push(fieldFactory('edit', { persist: false }).processor((value) => String(value)));
-  fields.push(fieldFactory('editorigin', { persist: false }).processor((value) => String(value)));
+  fields.push(
+    fieldFactory("_csrf", { persist: false }).processor((value) =>
+      String(value),
+    ),
+  );
+  fields.push(
+    fieldFactory("contextid", { persist: false }).processor((value) =>
+      String(value),
+    ),
+  );
+  fields.push(
+    fieldFactory("edit", { persist: false }).processor((value) =>
+      String(value),
+    ),
+  );
+  fields.push(
+    fieldFactory("editorigin", { persist: false }).processor((value) =>
+      String(value),
+    ),
+  );
   // Middleware
   return [
@@ -25,27 +38,37 @@ export default ({
       /* eslint-disable security/detect-object-injection */
       const prunedBody = Object.create(null);
       for (let i = 0, l = fields.length; i < l; i++) {
-        if (_.has(req.body, fields[i].name) && req.body[fields[i].name] !== undefined) {
+        if (
+          _.has(req.body, fields[i].name) &&
+          req.body[fields[i].name] !== undefined
+        ) {
           prunedBody[fields[i].name] = req.body[fields[i].name];
         }
       }
       /* eslint-enable security/detect-object-injection */
-      const journeyContext = JourneyContext.fromContext(req.casa.journeyContext, req);
+      const journeyContext = JourneyContext.fromContext(
+        req.casa.journeyContext,
+        req,
+      );
       journeyContext.setDataForPage(waypoint, prunedBody);
       // Second, prune any fields that do not pass the validation conditional,
       // and process those that do.
       const sanitisedBody = Object.create(null);
       for (let i = 0, l = fields.length; i < l; i++) {
-        const field = fields[i]; /* eslint-disable-line security/detect-object-injection */
+        const field =
+          fields[i]; /* eslint-disable-line security/detect-object-injection */
         const fieldValue = field.getValue(prunedBody);
-        if (fieldValue !== undefined && field.testConditions({
-          fieldValue,
-          waypoint,
-          journeyContext,
-        })) {
+        if (
+          fieldValue !== undefined &&
+          field.testConditions({
+            fieldValue,
+            waypoint,
+            journeyContext,
+          })
+        ) {
           field.putValue(sanitisedBody, field.applyProcessors(fieldValue));
         }
       }
@@ -55,4 +78,4 @@ export default ({
       next();
     },
   ];
-}
+};

package/src/middleware/serve-first-waypoint.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { validateUrlPath } from '../lib/utils.js';
+import { validateUrlPath } from "../lib/utils.js";
 /**
  * @access private
@@ -17,12 +17,14 @@ import { validateUrlPath } from '../lib/utils.js';
  * @param {Plan} plan CASA Plan
  * @returns {ExpressRequestHandler[]} Array of middleware
  */
-export default ({
-  plan,
-}) => [(req, res) => {
-  const reqUrl = new URL(req.url, 'https://placeholder.test/');
-  const reqPath = validateUrlPath(`${req.baseUrl}${reqUrl.pathname}${plan.getWaypoints()[0]}`);
-  let reqParams = reqUrl.searchParams.toString();
-  reqParams = reqParams ? `?${reqParams}` : '';
-  res.redirect(302, `${reqPath}${reqParams}`);
-}];
+export default ({ plan }) => [
+  (req, res) => {
+    const reqUrl = new URL(req.url, "https://placeholder.test/");
+    const reqPath = validateUrlPath(
+      `${req.baseUrl}${reqUrl.pathname}${plan.getWaypoints()[0]}`,
+    );
+    let reqParams = reqUrl.searchParams.toString();
+    reqParams = reqParams ? `?${reqParams}` : "";
+    res.redirect(302, `${reqPath}${reqParams}`);
+  },
+];

package/src/middleware/session.js CHANGED Viewed

@@ -1,69 +1,94 @@
 // A last-modified cookie is used to control whether the end user sees a
 // session-timeout page, or they are simply given a new session without
 // interrupting their journey.
-import expressSession, { MemoryStore } from 'express-session';
-import logger from '../lib/logger.js';
-import { validateUrlPath } from '../lib/utils.js';
+import expressSession, { MemoryStore } from "express-session";
+import logger from "../lib/logger.js";
+import { validateUrlPath } from "../lib/utils.js";
-const log = logger('middleware:session');
+/**
+ * @typedef {import("express").RequestHandler} RequestHandler
+ * @access private
+ */
-const sessionExpiryMiddleware = (
-  ttl,
-  getCookie,
-  touchCookie,
-  removeCookie,
-) => (req, res, next) => {
-  const lastModified = getCookie(req);
-  const age = Math.floor(Date.now() * 0.001) - lastModified;
+const log = logger("middleware:session");
+const sessionExpiryMiddleware =
+  (ttl, getCookie, touchCookie, removeCookie) => (req, res, next) => {
+    const lastModified = getCookie(req);
+    const age = Math.floor(Date.now() * 0.001) - lastModified;
-  if (lastModified === 0) {
-    // New session, or grace period cookie no longer available after
-    // expiring; generate a new session, and create grace-period cookie.
-    // This will invalidate any CSRF tokens, so by letting the request POST
-    // requests through the user may see a 500 error response.
-    log.info('Session is new, or grace period has expired. Regenerating session.');
-    req.session.regenerate((err) => {
-      if (err) {
-        next(err);
-      } else {
-        touchCookie(res);
-        if (req.method === 'POST') {
-          log.info('The CSRF token for this POST request will now be invalid for this regenerated session. Redirecting to app mount point.');
-          res.redirect(302, validateUrlPath(`${req.baseUrl}/`));
+    if (lastModified === 0) {
+      // New session, or grace period cookie no longer available after
+      // expiring; generate a new session, and create grace-period cookie.
+      // This will invalidate any CSRF tokens, so by letting the request POST
+      // requests through the user may see a 500 error response.
+      log.info(
+        "Session is new, or grace period has expired. Regenerating session.",
+      );
+      req.session.regenerate((err) => {
+        if (err) {
+          next(err);
         } else {
-          next();
+          touchCookie(res);
+          if (req.method === "POST") {
+            log.info(
+              "The CSRF token for this POST request will now be invalid for this regenerated session. Redirecting to app mount point.",
+            );
+            res.redirect(302, validateUrlPath(`${req.baseUrl}/`));
+          } else {
+            next();
+          }
         }
-      }
-    });
-  } else if (age > ttl) {
-    // Cookie has become stale and server session will have been removed;
-    // redirect to session-timeout
-    log.info('Session has timed out within grace period. Destroying session and redirecting to timeout page.');
-    const language = req.session.language ?? 'en';
-    req.session.destroy((err) => {
-      if (err) {
-        next(err);
-      } else {
-        removeCookie(res);
-        const params = new URLSearchParams({
-          referrer: req.originalUrl,
-          lang: language,
-        });
-        /* eslint-disable-next-line prefer-template */
-        res.redirect(302, validateUrlPath(`${req.baseUrl}/session-timeout`) + `?${params.toString()}`);
-      }
-    });
-  } else {
-    // Touch cookie and continue
-    touchCookie(res);
-    next();
-  }
-};
+      });
+    } else if (age > ttl) {
+      // Cookie has become stale and server session will have been removed;
+      // redirect to session-timeout
+      log.info(
+        "Session has timed out within grace period. Destroying session and redirecting to timeout page.",
+      );
+      const language = req.session.language ?? "en";
+      req.session.destroy((err) => {
+        if (err) {
+          next(err);
+        } else {
+          removeCookie(res);
+          const params = new URLSearchParams({
+            referrer: req.originalUrl,
+            lang: language,
+          });
+          res.redirect(
+            302,
+            validateUrlPath(`${req.baseUrl}/session-timeout`) +
+              `?${params.toString()}`,
+          );
+        }
+      });
+    } else {
+      // Touch cookie and continue
+      touchCookie(res);
+      next();
+    }
+  };
-// 3 middleware:
-// - set the session cookie
-// - parse request cookies
-// - handle expiry of server-side session
+/**
+ * Produces three middleware functions:
+ *
+ * - Set the session cookie
+ * - Parse request cookies
+ * - Handle expiry of server-side session
+ *
+ * @param {object} opts Options
+ * @param {RequestHandler} opts.cookieParserMiddleware Cookie parsing middleware
+ * @param {string} opts.secret Session encryption secret
+ * @param {string} opts.name Session cookie name
+ * @param {boolean} opts.secure Secure cookies only
+ * @param {number} opts.ttl Session data time-to-live
+ * @param {boolean | string} [opts.cookieSameSite] Cooke SameSite setting
+ * @param {string} [opts.cookiePath] Cookie path
+ * @param {object} [opts.store] Storage instance
+ * @returns {RequestHandler[]} Middleware functions
+ */
 export default function sessionMiddleware({
   cookieParserMiddleware,
   secret,
@@ -71,7 +96,7 @@ export default function sessionMiddleware({
   secure,
   ttl,
   cookieSameSite = true,
-  cookiePath = '/',
+  cookiePath = "/",
   store = new MemoryStore(),
 }) {
   const commonCookieOptions = {
@@ -81,7 +106,8 @@ export default function sessionMiddleware({
   };
   if (cookieSameSite !== false) {
-    commonCookieOptions.sameSite = cookieSameSite === true ? 'Strict' : cookieSameSite;
+    commonCookieOptions.sameSite =
+      cookieSameSite === true ? "Strict" : cookieSameSite;
   }
   const ttlGrace = 1800; // user will see session-timeout if session expires within 30mins
@@ -94,22 +120,28 @@ export default function sessionMiddleware({
   const getCookie = (req) => {
     // Disabled eslint as `touchCookieName` is a constant, known value
-    /* eslint-disable-next-line security/detect-object-injection */
-    const lastModified = Date.parse(String(req.signedCookies[touchCookieName] ?? '1970-01-01T00:00:00+0000'));
+    const lastModified = Date.parse(
+      String(req.signedCookies[touchCookieName] ?? "1970-01-01T00:00:00+0000"),
+    );
     return Number.isNaN(lastModified) ? 0 : Math.floor(lastModified * 0.001);
-  }
+  };
   const touchCookie = (res) => {
     // Touch cookie expiry is a short period after the session ttl. This gives
     // a small period of time where a user will see the session-timeout message,
     // which is important to avoid the confusion of simply being redirected back
     // to the start of their journey.
-    res.cookie(touchCookieName, (new Date(Date.now())).toUTCString(), touchCookieOptions);
-  }
+    res.cookie(
+      touchCookieName,
+      new Date(Date.now()).toUTCString(),
+      touchCookieOptions,
+    );
+  };
   const removeCookie = (res) => {
     res.clearCookie(touchCookieName, touchCookieOptions);
-  }
+  };
   return [
     expressSession({

package/src/middleware/skip-waypoint.js CHANGED Viewed

@@ -1,19 +1,17 @@
 // Mark a waypoint as skipped
-import lodash from 'lodash';
-import JourneyContext from '../lib/JourneyContext.js';
-import waypointUrl from '../lib/waypoint-url.js';
-import logger from '../lib/logger.js';
+import lodash from "lodash";
+import JourneyContext from "../lib/JourneyContext.js";
+import waypointUrl from "../lib/waypoint-url.js";
+import logger from "../lib/logger.js";
 const { has } = lodash;
-const log = logger('middleware:skip-waypoint');
+const log = logger("middleware:skip-waypoint");
-export default ({
-  waypoint,
-}) => [
+export default ({ waypoint }) => [
   (req, res, next) => {
-    if (!has(req.query, 'skipto')) {
+    if (!has(req.query, "skipto")) {
       return next();
     }
     const skipTo = String(req.query.skipto);