@dwp/govuk-casa 8.7.9 → 8.8.0

package/src/middleware/body-parser.js

@@ -0,0 +1,31 @@
+import { urlencoded as expressBodyParser } from 'express';
+
+const rProto = /__proto__/i;
+const rPrototype = /prototype[='"[\]]/i;
+const rConstructor = /constructor[='"[\]]/i;
+
+export function verifyBody(req, res, buf, encoding) {
+  const body = decodeURI(buf.toString(encoding)).replace(/[\s\u200B-\u200D\uFEFF]/g, '');
+  if (rProto.test(body)) {
+    throw new Error('Request body verification failed (__proto__)');
+  }
+  if (rPrototype.test(body)) {
+    throw new Error('Request body verification failed (prototype)');
+  }
+  if (rConstructor.test(body)) {
+    throw new Error('Request body verification failed (constructor)');
+  }
+}
+
+export default function bodyParserMiddleware() {
+  return [
+    expressBodyParser({
+      extended: true,
+      type: 'application/x-www-form-urlencoded',
+      inflate: true,
+      parameterLimit: 25, // TODO: make configurable?
+      limit: 1024 * 50, // TODO: make configurable?
+      verify: verifyBody,
+    }),
+  ];
+}

package/src/middleware/csrf.js

@@ -0,0 +1,29 @@
+import csurf from 'csurf';
+
+// 2 middleware: one to generate the csrf token and check its validity (POST
+// only), and one to provide that token to templates via the `casa.csrfToken`
+// variable.
+
+export default function csrfMiddleware() {
+  return [
+    csurf({
+      cookie: false,
+      sessionKey: 'session',
+      // value: (req) => {
+      //   // Here we clear the token after extracting to maintain cleaner data. It
+      //   // is only used for this CSRF purpose.
+      //   const token = String(req.body._csrf);
+      //   delete req.body._csrf;
+      //   return token;
+      //   /* eslint-enable no-underscore-dangle */
+      // },
+    }),
+    (req, res, next) => {
+      res.locals.casa = {
+        ...res.locals?.casa,
+        csrfToken: req.csrfToken(),
+      };
+      next();
+    },
+  ];
+}

package/src/middleware/data.js

@@ -0,0 +1,105 @@
+// Decorates the request with some contextual data about the user's journey
+// through the application. This is used by downstream middleware and templates.
+
+import lodash from 'lodash';
+import JourneyContext from '../lib/JourneyContext.js';
+import { validateUrlPath } from '../lib/utils.js';
+import waypointUrl from '../lib/waypoint-url.js';
+
+const { has } = lodash;
+
+const editOrigin = (req) => {
+  if (has(req.query, 'editorigin')) {
+    return waypointUrl({ waypoint: req.query.editorigin });
+  }
+  if (has(req?.body, 'editorigin')) {
+    return waypointUrl({ waypoint: req.body.editorigin });
+  }
+  return '';
+}
+
+export default function dataMiddleware({
+  plan,
+  events,
+}) {
+  return [
+    (req, res, next) => {
+      /* ------------------------------------------------ Request decorations */
+
+      // CASA
+      req.casa = {
+        ...req?.casa,
+
+        // The plan
+        plan,
+
+        // Current journey context, loaded from session, specified by
+        // `contextid` request parameter
+        journeyContext: JourneyContext.extractContextFromRequest(req).addEventListeners(events),
+
+        // Edit mode
+        editMode: (has(req?.query, 'edit') && has(req?.query, 'editorigin')) || (has(req?.body, 'edit') && has(req?.body, 'editorigin')),
+        editOrigin: editOrigin(req),
+      };
+
+      // Grab chosen language from session
+      req.casa.journeyContext.nav.language = req.session.language;
+
+      /* ------------------------------------------------- Template variables */
+
+      // Capture mount URL that will be used in generating all browser URLs
+      const mountUrl = validateUrlPath(`${req.baseUrl}/`.replace(/\/+/g, '/'));
+
+      // If this CASA app is mounted on a parameterised route, then all of its
+      // static assets (served by `staticRouter`) will, by default, be served
+      // from that dynamic path, for example:
+      //   markup:       <link href="{{ mountUrl }}css/static.css" />
+      //   resolved URL: /mount/<some-id-here>/css/static.css
+      //   baseUrl:      /mount/<some-id>
+      //
+      // From a performance point of view, this is very inefficient as we can't
+      // take advantage of any intermediate caches. So we instead provide am
+      // alternative URL path in the `staticMountUrl` property that excludes the
+      // parameterised element, eg:
+      //   markup:       <link href="{{ staticMountUrl }}css/static.css" />
+      //   resolved URL: /mount/css/static.css
+      //   baseUrl:      /mount
+      //
+      // As the staticRouter is mounted on both the CASA app, and its internal
+      // Router, the `baseUrl` is different in each case, so we cannot rely
+      // on it to be consistent. Hence the need for this property, which will
+      // always be the non-parameterised version of the baseUrl.
+      const staticMountUrl = validateUrlPath(`${req.unparameterisedBaseUrl}/`.replace(/\/+/g, '/'));
+
+      // CASA and userland templates
+      res.locals.casa = {
+        mountUrl,
+        staticMountUrl,
+        editMode: req.casa.editMode,
+        editOrigin: req.casa.editOrigin,
+      };
+      res.locals.locale = req.language;
+
+      // Used by govuk-frontend template
+      //   htmlLang = req.language is provided by i18n-http-middleware
+      //   assetPath = used for linking to static assets in the govuk-frontend module
+      res.locals.htmlLang = req.language;
+      res.locals.assetPath = `${staticMountUrl}govuk/assets`;
+
+      // Function for building URLs. This will be curried with the `mountUrl`,
+      // `journeyContext`, `edit` and `editOrigin` for convenience. This means
+      // the template author does not have to be concerned about the current
+      // "state" when generating URLs, but still has the ability to override
+      // these curried defaults if needs be.
+      res.locals.waypointUrl = (args) => waypointUrl({
+        mountUrl,
+        journeyContext: req.casa.journeyContext,
+        edit: req.casa.editMode,
+        editOrigin: req.casa.editOrigin,
+        ...args,
+      });
+
+      next();
+    },
+  ];
+}

package/src/middleware/dirname.cjs

@@ -0,0 +1 @@
+module.exports = __dirname;

package/src/middleware/gather-fields.js

@@ -0,0 +1,51 @@
+// Gather the field data from `req.body` into the current JourneyContext
+// - Store in the current session
+// - Update the user's journey context with the new data
+// - Remove validation date of JourneyContext so it can re-evaluted
+
+import JourneyContext from '../lib/JourneyContext.js';
+
+/**
+ * @access private
+ * @typedef {import('../lib/field').PageField} PageField
+ */
+
+/**
+ * Gather the field data from `req.body` into the current JourneyContext
+ * - Store in the current session
+ * - Update the user's journey context with the new data
+ * - Remove validation date of JourneyContext so it can re-evaluted
+ *
+ * @param {object} obj Options
+ * @param {string} obj.waypoint Waypoint
+ * @param {PageField[]} [obj.fields=[]] Fields
+ * @returns {Array} Array of middleware
+ */
+export default ({
+  waypoint,
+  fields = [],
+}) => [
+  (req, res, next) => {
+    // Store a copy of the journey context before modifying it. This is useful
+    // for any comparison work that may be done in subsequent middleware.
+    req.casa.archivedJourneyContext = JourneyContext.fromContext(req.casa.journeyContext);
+
+    // Ignore data for any non-persistent fields
+    // ESLint disabled as `fields`, `i` and `name` are dev-controlled
+    /* eslint-disable security/detect-object-injection */
+    const persistentBody = Object.create(null);
+    for (let i = 0, l = fields.length; i < l; i++) {
+      if (fields[i].meta.persist && fields[i].getValue(req.body) !== undefined) {
+        persistentBody[fields[i].name] = fields[i].getValue(req.body);
+      }
+    }
+    /* eslint-enable security/detect-object-injection */
+
+    // Update data and validation context in the current request, and store
+    req.casa.journeyContext.setDataForPage(waypoint, persistentBody);
+    req.casa.journeyContext.removeValidationStateForPage(waypoint);
+    JourneyContext.putContext(req.session, req.casa.journeyContext);
+
+    next();
+  },
+];

package/src/middleware/i18n.js

@@ -0,0 +1,106 @@
+import i18next from 'i18next';
+import { LanguageDetector, handle } from 'i18next-http-middleware';
+import { resolve, basename } from 'path';
+import { existsSync, readFileSync, readdirSync } from 'fs';
+import deepmerge from 'deepmerge';
+import yaml from 'js-yaml';
+import logger from '../lib/logger.js';
+
+const log = logger('middleware:i18n');
+
+const loadJson = (file) => {
+  // Strip out newlines (this is a legacy feature which we're keeping for
+  // backwards compatibility).
+  const json = readFileSync(file, 'utf8');
+  return JSON.parse(json.replace(/[\r\n]/g, ''));
+}
+
+const loadYaml = (file) => yaml.load(readFileSync(file, 'utf8'))
+
+const extract = (file) => {
+  const ext = /.yaml$/i.test(file) ? '.yaml' : '.json';
+  const data = ext === '.yaml' ? loadYaml(file) : loadJson(file);
+
+  return {
+    ns: basename(file, ext),
+    data,
+  };
+}
+
+const loadResources = (languages, directories) => {
+  const store = Object.create(null);
+
+  languages.forEach((language) => {
+    // ESLint disabled as `store`, `language` and `ns` are all dev-controlled,
+    // and this function is only called once, at boot-time.
+    /* eslint-disable security/detect-object-injection */
+    store[language] = Object.create(null);
+
+    directories.forEach((basedir) => {
+      const dir = resolve(basedir, language);
+      if (!existsSync(dir)) {
+        return;
+      }
+
+      log.info('Loading %s language from %s ...', language, dir);
+      readdirSync(dir).forEach((file) => {
+        const { ns, data } = extract(resolve(dir, file));
+
+        if (store[language][ns] === undefined) {
+          store[language][ns] = Object.create(null);
+        }
+
+        store[language][ns] = deepmerge(store[language][ns], data);
+      });
+    });
+    /* eslint-enable security/detect-object-injection */
+  });
+
+  return store;
+}
+
+export default function i18nMiddleware({
+  languages = ['en', 'cy'],
+  directories = [],
+}) {
+  // Load _all_ translations, from all directories into memory.
+  const resources = loadResources(languages, directories);
+
+  // Configure i18next
+  const i18nInstance = i18next.createInstance();
+  i18nInstance
+    .use(LanguageDetector)
+    .init({
+      initImmediate: false, // because we need synchronous loading
+      supportedLngs: languages,
+      fallbackLng: false,
+      defaultNS: 'common',
+      // debug: true,
+
+      // All translation resources
+      resources,
+
+      // LanguageDetector options
+      detection: {
+        lookupQuerystring: 'lang',
+        lookupSession: 'language',
+        order: ['querystring', 'session'],
+      },
+    });
+
+  // 2 middleware: one to read/set the session language, and one to enhance the
+  // req/res objects with i18n features
+  return [
+    (req, res, next) => {
+      if (!req.session.language) {
+        /* eslint-disable-next-line prefer-destructuring */
+        req.session.language = languages[0];
+      }
+      if (req?.query.lang && languages.includes(req.query.lang)) {
+        req.session.language = String(req.query.lang);
+      }
+      next();
+    },
+    handle(i18nInstance),
+  ];
+}

package/src/middleware/post.js

@@ -0,0 +1,61 @@
+// 2 middleware: one as a fallback 404 handler, one to handle thrown errors
+import logger from '../lib/logger.js';
+
+const log = logger('middleware:post');
+
+export default function postMiddleware() {
+  return [
+    (req, res) => {
+      res.status(404).render('casa/errors/404.njk');
+    },
+    /* eslint-disable-next-line no-unused-vars */
+    (err, req, res, next) => {
+      // In some cases, an error may have been thrown before the template assets
+      // have had a chance to initialise. So we use a hardcoded template in
+      // these cases to ensure the user sees an appropriate message.
+      let TEMPLATE = 'casa/errors/500.njk';
+      if (!res.locals.t) {
+        res.locals.t = () => ('');
+        res.locals.casa = {
+          ...res.locals?.casa,
+          mountUrl: `${req.baseUrl}/`,
+        };
+        TEMPLATE = 'casa/errors/static.njk';
+      }
+
+      // CSRF token is invalid in some way
+      if (err?.code === 'EBADCSRFTOKEN') {
+        log.info('CSRF validation has failed. This may be caused by the user submitting a stale form from a previous session [EBADCSRFTOKEN]');
+        return res.status(403).render(TEMPLATE, { errorCode: 'bad_csrf_token', error: err });
+      }
+
+      // Body parsing verification check failed
+      if (err?.type === 'entity.verify.failed') {
+        log.info('Body parser verification has failed. This has been caused by the user submitting a payload containing invalid data [entity.verify.failed]');
+        return res.status(403).render(TEMPLATE, { errorCode: 'invalid_payload', error: err });
+      }
+
+      // Too many parameters submitted
+      if (err?.type === 'parameters.too.many') {
+        log.info('The request contains more parameters than is currently allowed [parameters.too.many]');
+        return res.status(413).render(TEMPLATE, { errorCode: 'parameter_limit_exceeded', error: err });
+      }
+
+      // Overall payload too large
+      if (err?.type === 'entity.too.large') {
+        log.info(`The request payload is too large. Received ${err.length}b with a maximum of ${err.limit}b [parameters.too.many]`);
+        return res.status(413).render(TEMPLATE, { errorCode: 'payload_size_exceeded', error: err });
+      }
+
+      // Unaccept request method
+      if (err?.code === 'unaccepted_request_method') {
+        log.info(err.message);
+        return res.status(400).render(TEMPLATE, { errorCode: 'unaccepted_request_method', error: err });
+      }
+
+      // Unknown error
+      log.error(`Unknown error: ${err.message}; stacktrace: ${err.stack}`);
+      return res.status(200).render(TEMPLATE, { error: err });
+    },
+  ]
+}

package/src/middleware/pre.js

@@ -0,0 +1,91 @@
+import { randomBytes } from 'crypto';
+import helmet from 'helmet';
+
+/**
+ * @access private
+ * @typedef {import('../casa').HelmetConfigurator} HelmetConfigurator
+ */
+
+const GA_DOMAIN = '*.google-analytics.com';
+const GA_ANALYTICS_DOMAIN = '*.analytics.google.com';
+const GTM_DOMAIN = '*.googletagmanager.com';
+const GTM_PREVIEW_DOMAIN = 'https://tagmanager.google.com';
+
+/**
+ * Extracts the CSP nonce used in every template, and makes it available as a
+ * nonce value in the CSP header.
+ *
+ * IMPORTANT: Do not rename this function as it _might_ be used in consumer code
+ * to identify this function specifically, most likely to remove it from CSP
+ * headers for custom purposes.
+ *
+ * @param {import('express').Request} req Request
+ * @param {import('express').Response} res Response
+ * @returns {string} nonce value suitable for use in CSP header
+ */
+function casaCspNonce(req, res) {
+  return `'nonce-${res.locals.cspNonce}'`;
+}
+
+/**
+ * Pre middleware.
+ *
+ * @param {object} opts Options
+ * @param {HelmetConfigurator} opts.helmetConfigurator Function to customise Helmet configuration
+ * @returns {Function[]} List of middleware
+ */
+export default ({
+  helmetConfigurator = (config) => (config),
+} = {}) => [
+  // Only allow certain request methods
+  (req, res, next) => {
+    if (req.method !== 'GET' && req.method !== 'POST') {
+      const err = new Error(`Unaccepted request method, "${String(req.method).substr(0, 7)}"`);
+      err.code = 'unaccepted_request_method';
+      next(err);
+    } else {
+      next();
+    }
+  },
+
+  // Prevent caching response in any intermediaries by default, in case it
+  // contains sensitive data.
+  // The `no-store` setting is to specifically disable the bfcache and prevent
+  // possible leakage of information.
+  (req, res, next) => {
+    res.set('cache-control', 'no-cache, no-store, must-revalidate, private');
+    res.set('pragma', 'no-cache');
+    res.set('expires', 0);
+    res.set('x-robots-tag', 'noindex, nofollow');
+    next();
+  },
+
+  // Generate nonces ready for use in Content-Security-Policy header and
+  // govuk-frontend template. This same none can be used wherever required.
+  (req, res, next) => {
+    res.locals.cspNonce = randomBytes(16).toString('hex');
+    next();
+  },
+
+  // Helmet suite of headers
+  helmet(helmetConfigurator({
+    // Allows GA which is typically used, and a known inline script nonce
+    contentSecurityPolicy: {
+      useDefaults: true,
+      directives: {
+        'default-src': ["'none'"],
+        'script-src': ["'self'", GA_DOMAIN, GTM_DOMAIN, GTM_PREVIEW_DOMAIN, casaCspNonce],
+        'img-src': ["'self'", GA_DOMAIN, GA_ANALYTICS_DOMAIN, GTM_DOMAIN, 'https://ssl.gstatic.com', 'https://www.gstatic.com'],
+        'connect-src': ["'self'", GA_DOMAIN, GA_ANALYTICS_DOMAIN, GTM_DOMAIN],
+        'frame-src': ["'self'", GTM_DOMAIN],
+        'frame-ancestors': ["'self'"],
+        'form-action': ["'self'"],
+        'style-src': ["'self'", 'https://fonts.googleapis.com', GTM_PREVIEW_DOMAIN, casaCspNonce],
+        'font-src': ["'self'", 'data:', 'https://fonts.gstatic.com'],
+      },
+    },
+
+    // // Require referrer to aid navigation
+    // referrerPolicy: 'no-referrer, same-origin',
+  })),
+];

package/src/middleware/progress-journey.js

@@ -0,0 +1,92 @@
+// Determine where to take the user next
+// We assume that the waypoint has been validated prior to reaching this
+// middleware.
+
+import Plan from '../lib/Plan.js';
+import JourneyContext from '../lib/JourneyContext.js';
+import waypointUrl from '../lib/waypoint-url.js';
+import logger from '../lib/logger.js';
+
+const log = logger('middleware:progress-journey');
+
+const saveAndRedirect = (session, journeyContext, url, res, next) => {
+  JourneyContext.putContext(session, journeyContext);
+
+  session.save((err) => {
+    if (err) {
+      next(err);
+    }
+    res.redirect(302, url);
+  });
+};
+
+export default ({
+  waypoint,
+  plan,
+}) => [
+  (req, res, next) => {
+    // Determine the next available waypoint after the current one
+    const traversed = plan.traverse(req.casa.journeyContext);
+    const currentIndex = traversed.indexOf(waypoint);
+    const nextIndex = Math.max(
+      currentIndex < 0 ? traversed.length - 1 : 0,
+      Math.min(currentIndex + 1, traversed.length - 1),
+    );
+    const nextWaypoint = traversed[parseInt(nextIndex, 10)];
+    log.trace(`currentIndex = ${currentIndex}, nextIndex = ${nextIndex}, currentWaypoint = ${waypoint}, nextWaypoint = ${nextWaypoint}`);
+
+    // Edit mode
+    // Attempt to take the user back to their original URL. We rely on the
+    // `steer-journey` middleware to prevent the user going too far ahead in
+    // their permitted journey. Bear in mind that the `editOrigin` may not be
+    // a waypoint at all, but a route path for a custom endpoint, so we can't
+    // safely do a traversal check here.
+    //
+    // The edit mode URL params will be kept on this redirect. This means the
+    // user can keep "jumping" to the next _changed_ waypoint, until they get
+    // back to the original URL.
+    //
+    // Devs should use the `events` mechanism to mark waypoints as invalid if
+    // they want to force the user to re-visit particular waypoints during this
+    // "jumping" phase.
+    if (req.casa.editMode && req.casa.editOrigin) {
+      const url = new URL(req.casa.editOrigin, 'https://placeholder.test/');
+      url.searchParams.append('edit', 'true');
+      url.searchParams.append('editorigin', req.casa.editOrigin);
+      const redirectUrl = waypointUrl({ waypoint: url.pathname }) + url.search.toString();
+
+      log.debug(`Edit mode detected; redirecting to ${redirectUrl}`);
+
+      return saveAndRedirect(req.session, req.casa.journeyContext, redirectUrl, res, next);
+    }
+
+    // If the next URL is an "exit node", we need to flag that node as
+    // being validated so that subsequent traversals of this journey continue
+    // correctly to any waypoints leading on from this one.
+    // This effectively says that the other Plan linked to by the exit node is
+    // complete, but of course that may not be the case.
+    // It would be prudent for developers to add a conditions to the route to
+    // check is this is the case, eg
+    //   setRoute('a', 'b');
+    //   setRoute('b', 'url:///otherapp/')
+    //   setRoute('url:////otherapp/', 'c', (r, c) => checkIfOtherAppIsFinished())
+    if (Plan.isExitNode(nextWaypoint)) {
+      log.trace(`Next waypoint is an exit node; clearing validation state on ${nextWaypoint}`);
+      req.casa.journeyContext.clearValidationErrorsForPage(nextWaypoint);
+      JourneyContext.putContext(req.session, req.casa.journeyContext);
+    }
+
+    // Construct the next url
+    const nextUrl = waypointUrl({
+      waypoint: nextWaypoint,
+      mountUrl: `${req.baseUrl}/`,
+      journeyContext: req.casa.journeyContext,
+      edit: req.casa.editMode,
+      editOrigin: req.casa.editOrigin,
+    });
+
+    // Save and move on
+    log.trace(`Redirecting to ${nextUrl}`);
+    return saveAndRedirect(req.session, req.casa.journeyContext, nextUrl, res, next);
+  },
+];

package/src/middleware/sanitise-fields.js

@@ -0,0 +1,58 @@
+// Sanitise the fields submitted from a form
+// - Coerce each field to its correct type
+// - Remove an extraneous fields that are not know to the application
+
+import _ from 'lodash';
+import fieldFactory from '../lib/field.js';
+import JourneyContext from '../lib/JourneyContext.js';
+
+export default ({
+  waypoint,
+  fields = [],
+}) => {
+  // Add some common, transient fields to ensure they survive beyond this sanitisation process
+  fields.push(fieldFactory('_csrf', { persist: false }).processor((value) => String(value)));
+  fields.push(fieldFactory('contextid', { persist: false }).processor((value) => String(value)));
+  fields.push(fieldFactory('edit', { persist: false }).processor((value) => String(value)));
+  fields.push(fieldFactory('editorigin', { persist: false }).processor((value) => String(value)));
+
+  // Middleware
+  return [
+    (req, res, next) => {
+      // First, prune all undefined, or unknown fields from `req.body` (i.e.
+      // those that do not have an entry in `fields`)
+      // EsLint disabled as `fields`, `i` & `name` are only controlled by dev
+      /* eslint-disable security/detect-object-injection */
+      const prunedBody = Object.create(null);
+      for (let i = 0, l = fields.length; i < l; i++) {
+        if (_.has(req.body, fields[i].name) && req.body[fields[i].name] !== undefined) {
+          prunedBody[fields[i].name] = req.body[fields[i].name];
+        }
+      }
+      /* eslint-enable security/detect-object-injection */
+
+      const journeyContext = JourneyContext.fromContext(req.casa.journeyContext);
+      journeyContext.setDataForPage(waypoint, prunedBody);
+
+      // Second, prune any fields that do not pass the validation conditional,
+      // and process those that do.
+      const sanitisedBody = Object.create(null);
+      for (let i = 0, l = fields.length; i < l; i++) {
+        const field = fields[i]; /* eslint-disable-line security/detect-object-injection */
+        const fieldValue = field.getValue(prunedBody);
+
+        if (fieldValue !== undefined && field.testConditions({
+          fieldValue,
+          waypoint,
+          journeyContext,
+        })) {
+          field.putValue(sanitisedBody, field.applyProcessors(fieldValue));
+        }
+      }
+
+      // Finally, write the sanitised body back to the request object
+      req.body = sanitisedBody;
+      next();
+    },
+  ];
+}

package/src/middleware/serve-first-waypoint.js

@@ -0,0 +1,28 @@
+import { validateUrlPath } from '../lib/utils.js';
+
+/**
+ * @access private
+ * @typedef {import('express').RequestHandler} ExpressRequestHandler
+ */
+
+/**
+ * @access private
+ * @typedef {import('../casa').Plan} Plan
+ */
+
+/**
+ * Redirect the user to the first Plan waypoint when they request the root /
+ * path.
+ *
+ * @param {Plan} plan CASA Plan
+ * @returns {ExpressRequestHandler[]} Array of middleware
+ */
+export default ({
+  plan,
+}) => [(req, res) => {
+  const reqUrl = new URL(req.url, 'https://placeholder.test/');
+  const reqPath = validateUrlPath(`${req.baseUrl}${reqUrl.pathname}${plan.getWaypoints()[0]}`);
+  let reqParams = reqUrl.searchParams.toString();
+  reqParams = reqParams ? `?${reqParams}` : '';
+  res.redirect(302, `${reqPath}${reqParams}`);
+}];