@dwp/govuk-casa 9.0.0 → 9.1.0

package/src/middleware/pre.js

@@ -1,15 +1,15 @@
-import { randomBytes } from 'crypto';
-import helmet from 'helmet';
+import { randomBytes } from "crypto";
+import helmet from "helmet";
 
 /**
+ * @typedef {import("../casa").HelmetConfigurator} HelmetConfigurator
  * @access private
- * @typedef {import('../casa').HelmetConfigurator} HelmetConfigurator
  */
 
-const GA_DOMAIN = '*.google-analytics.com';
-const GA_ANALYTICS_DOMAIN = '*.analytics.google.com';
-const GTM_DOMAIN = '*.googletagmanager.com';
-const GTM_PREVIEW_DOMAIN = 'https://tagmanager.google.com';
+const GA_DOMAIN = "*.google-analytics.com";
+const GA_ANALYTICS_DOMAIN = "*.analytics.google.com";
+const GTM_DOMAIN = "*.googletagmanager.com";
+const GTM_PREVIEW_DOMAIN = "https://tagmanager.google.com";
 
 /**
  * Extracts the CSP nonce used in every template, and makes it available as a
@@ -19,9 +19,9 @@ const GTM_PREVIEW_DOMAIN = 'https://tagmanager.google.com';
  * to identify this function specifically, most likely to remove it from CSP
  * headers for custom purposes.
  *
- * @param {import('express').Request} req Request
- * @param {import('express').Response} res Response
- * @returns {string} nonce value suitable for use in CSP header
+ * @param {import("express").Request} req Request
+ * @param {import("express").Response} res Response
+ * @returns {string} Nonce value suitable for use in CSP header
  */
 function casaCspNonce(req, res) {
   return `'nonce-${res.locals.cspNonce}'`;
@@ -31,17 +31,18 @@ function casaCspNonce(req, res) {
  * Pre middleware.
  *
  * @param {object} opts Options
- * @param {HelmetConfigurator} opts.helmetConfigurator Function to customise Helmet configuration
+ * @param {HelmetConfigurator} opts.helmetConfigurator Function to customise
+ *   Helmet configuration
  * @returns {Function[]} List of middleware
  */
-export default ({
-  helmetConfigurator = (config) => (config),
-} = {}) => [
+export default ({ helmetConfigurator = (config) => config } = {}) => [
   // Only allow certain request methods
   (req, res, next) => {
-    if (req.method !== 'GET' && req.method !== 'POST') {
-      const err = new Error(`Unaccepted request method, "${String(req.method).substr(0, 7)}"`);
-      err.code = 'unaccepted_request_method';
+    if (req.method !== "GET" && req.method !== "POST") {
+      const err = new Error(
+        `Unaccepted request method, "${String(req.method).substr(0, 7)}"`,
+      );
+      err.code = "unaccepted_request_method";
       next(err);
     } else {
       next();
@@ -53,40 +54,60 @@ export default ({
   // The `no-store` setting is to specifically disable the bfcache and prevent
   // possible leakage of information.
   (req, res, next) => {
-    res.set('cache-control', 'no-cache, no-store, must-revalidate, private');
-    res.set('pragma', 'no-cache');
-    res.set('expires', 0);
-    res.set('x-robots-tag', 'noindex, nofollow');
+    res.set("cache-control", "no-cache, no-store, must-revalidate, private");
+    res.set("pragma", "no-cache");
+    res.set("expires", 0);
+    res.set("x-robots-tag", "noindex, nofollow");
     next();
   },
 
   // Generate nonces ready for use in Content-Security-Policy header and
   // govuk-frontend template. This same none can be used wherever required.
   (req, res, next) => {
-    res.locals.cspNonce = randomBytes(16).toString('hex');
+    res.locals.cspNonce = randomBytes(16).toString("hex");
     next();
   },
 
   // Helmet suite of headers
-  helmet(helmetConfigurator({
-    // Allows GA which is typically used, and a known inline script nonce
-    contentSecurityPolicy: {
-      useDefaults: true,
-      directives: {
-        'default-src': ["'none'"],
-        'script-src': ["'self'", GA_DOMAIN, GTM_DOMAIN, GTM_PREVIEW_DOMAIN, casaCspNonce],
-        'img-src': ["'self'", GA_DOMAIN, GA_ANALYTICS_DOMAIN, GTM_DOMAIN, 'https://ssl.gstatic.com', 'https://www.gstatic.com'],
-        'connect-src': ["'self'", GA_DOMAIN, GA_ANALYTICS_DOMAIN, GTM_DOMAIN],
-        'frame-src': ["'self'", GTM_DOMAIN],
-        'frame-ancestors': ["'self'"],
-        'form-action': ["'self'"],
-        'style-src': ["'self'", 'https://fonts.googleapis.com', GTM_PREVIEW_DOMAIN, casaCspNonce],
-        'font-src': ["'self'", 'data:', 'https://fonts.gstatic.com'],
-        'manifest-src': ["'self'"],
+  helmet(
+    helmetConfigurator({
+      // Allows GA which is typically used, and a known inline script nonce
+      contentSecurityPolicy: {
+        useDefaults: true,
+        directives: {
+          "default-src": ["'none'"],
+          "script-src": [
+            "'self'",
+            GA_DOMAIN,
+            GTM_DOMAIN,
+            GTM_PREVIEW_DOMAIN,
+            casaCspNonce,
+          ],
+          "img-src": [
+            "'self'",
+            GA_DOMAIN,
+            GA_ANALYTICS_DOMAIN,
+            GTM_DOMAIN,
+            "https://ssl.gstatic.com",
+            "https://www.gstatic.com",
+          ],
+          "connect-src": ["'self'", GA_DOMAIN, GA_ANALYTICS_DOMAIN, GTM_DOMAIN],
+          "frame-src": ["'self'", GTM_DOMAIN],
+          "frame-ancestors": ["'self'"],
+          "form-action": ["'self'"],
+          "style-src": [
+            "'self'",
+            "https://fonts.googleapis.com",
+            GTM_PREVIEW_DOMAIN,
+            casaCspNonce,
+          ],
+          "font-src": ["'self'", "data:", "https://fonts.gstatic.com"],
+          "manifest-src": ["'self'"],
+        },
       },
-    },
 
-    // // Require referrer to aid navigation
-    // referrerPolicy: 'no-referrer, same-origin',
-  })),
+      // // Require referrer to aid navigation
+      // referrerPolicy: 'no-referrer, same-origin',
+    }),
+  ),
 ];

package/src/middleware/progress-journey.js

@@ -2,13 +2,13 @@
 // We assume that the waypoint has been validated prior to reaching this
 // middleware.
 
-import Plan from '../lib/Plan.js';
-import JourneyContext from '../lib/JourneyContext.js';
-import waypointUrl from '../lib/waypoint-url.js';
-import logger from '../lib/logger.js';
-import { REQUEST_PHASE_REDIRECT } from '../lib/constants.js';
+import Plan from "../lib/Plan.js";
+import JourneyContext from "../lib/JourneyContext.js";
+import waypointUrl from "../lib/waypoint-url.js";
+import logger from "../lib/logger.js";
+import { REQUEST_PHASE_REDIRECT } from "../lib/constants.js";
 
-const log = logger('middleware:progress-journey');
+const log = logger("middleware:progress-journey");
 
 const saveAndRedirect = (session, journeyContext, url, res, next) => {
   JourneyContext.putContext(session, journeyContext, {
@@ -25,10 +25,7 @@ const saveAndRedirect = (session, journeyContext, url, res, next) => {
   });
 };
 
-export default ({
-  waypoint,
-  plan,
-}) => [
+export default ({ waypoint, plan }) => [
   (req, res, next) => {
     // Determine the next available waypoint after the current one
     const traversed = plan.traverse(req.casa.journeyContext);
@@ -38,7 +35,9 @@ export default ({
       Math.min(currentIndex + 1, traversed.length - 1),
     );
     const nextWaypoint = traversed[parseInt(nextIndex, 10)];
-    log.trace(`currentIndex = ${currentIndex}, nextIndex = ${nextIndex}, currentWaypoint = ${waypoint}, nextWaypoint = ${nextWaypoint}`);
+    log.trace(
+      `currentIndex = ${currentIndex}, nextIndex = ${nextIndex}, currentWaypoint = ${waypoint}, nextWaypoint = ${nextWaypoint}`,
+    );
 
     // Edit mode
     // Attempt to take the user back to their original URL. We rely on the
@@ -55,14 +54,21 @@ export default ({
     // they want to force the user to re-visit particular waypoints during this
     // "jumping" phase.
     if (req.casa.editMode && req.casa.editOrigin) {
-      const url = new URL(req.casa.editOrigin, 'https://placeholder.test/');
-      url.searchParams.append('edit', 'true');
-      url.searchParams.append('editorigin', req.casa.editOrigin);
-      const redirectUrl = waypointUrl({ waypoint: url.pathname }) + url.search.toString();
+      const url = new URL(req.casa.editOrigin, "https://placeholder.test/");
+      url.searchParams.append("edit", "true");
+      url.searchParams.append("editorigin", req.casa.editOrigin);
+      const redirectUrl =
+        waypointUrl({ waypoint: url.pathname }) + url.search.toString();
 
       log.debug(`Edit mode detected; redirecting to ${redirectUrl}`);
 
-      return saveAndRedirect(req.session, req.casa.journeyContext, redirectUrl, res, next);
+      return saveAndRedirect(
+        req.session,
+        req.casa.journeyContext,
+        redirectUrl,
+        res,
+        next,
+      );
     }
 
     // If the next URL is an "exit node", we need to flag that node as
@@ -76,7 +82,9 @@ export default ({
     //   setRoute('b', 'url:///otherapp/')
     //   setRoute('url:////otherapp/', 'c', (r, c) => checkIfOtherAppIsFinished())
     if (Plan.isExitNode(nextWaypoint)) {
-      log.trace(`Next waypoint is an exit node; clearing validation state on ${nextWaypoint}`);
+      log.trace(
+        `Next waypoint is an exit node; clearing validation state on ${nextWaypoint}`,
+      );
       req.casa.journeyContext.clearValidationErrorsForPage(nextWaypoint);
     }
 
@@ -91,6 +99,12 @@ export default ({
 
     // Save and move on
     log.trace(`Redirecting to ${nextUrl}`);
-    return saveAndRedirect(req.session, req.casa.journeyContext, nextUrl, res, next);
+    return saveAndRedirect(
+      req.session,
+      req.casa.journeyContext,
+      nextUrl,
+      res,
+      next,
+    );
   },
 ];

package/src/middleware/sanitise-fields.js

@@ -2,19 +2,32 @@
 // - Coerce each field to its correct type
 // - Remove an extraneous fields that are not know to the application
 
-import _ from 'lodash';
-import fieldFactory from '../lib/field.js';
-import JourneyContext from '../lib/JourneyContext.js';
+import _ from "lodash";
+import fieldFactory from "../lib/field.js";
+import JourneyContext from "../lib/JourneyContext.js";
 
-export default ({
-  waypoint,
-  fields = [],
-}) => {
+export default ({ waypoint, fields = [] }) => {
   // Add some common, transient fields to ensure they survive beyond this sanitisation process
-  fields.push(fieldFactory('_csrf', { persist: false }).processor((value) => String(value)));
-  fields.push(fieldFactory('contextid', { persist: false }).processor((value) => String(value)));
-  fields.push(fieldFactory('edit', { persist: false }).processor((value) => String(value)));
-  fields.push(fieldFactory('editorigin', { persist: false }).processor((value) => String(value)));
+  fields.push(
+    fieldFactory("_csrf", { persist: false }).processor((value) =>
+      String(value),
+    ),
+  );
+  fields.push(
+    fieldFactory("contextid", { persist: false }).processor((value) =>
+      String(value),
+    ),
+  );
+  fields.push(
+    fieldFactory("edit", { persist: false }).processor((value) =>
+      String(value),
+    ),
+  );
+  fields.push(
+    fieldFactory("editorigin", { persist: false }).processor((value) =>
+      String(value),
+    ),
+  );
 
   // Middleware
   return [
@@ -25,27 +38,37 @@ export default ({
       /* eslint-disable security/detect-object-injection */
       const prunedBody = Object.create(null);
       for (let i = 0, l = fields.length; i < l; i++) {
-        if (_.has(req.body, fields[i].name) && req.body[fields[i].name] !== undefined) {
+        if (
+          _.has(req.body, fields[i].name) &&
+          req.body[fields[i].name] !== undefined
+        ) {
           prunedBody[fields[i].name] = req.body[fields[i].name];
         }
       }
       /* eslint-enable security/detect-object-injection */
 
-      const journeyContext = JourneyContext.fromContext(req.casa.journeyContext, req);
+      const journeyContext = JourneyContext.fromContext(
+        req.casa.journeyContext,
+        req,
+      );
       journeyContext.setDataForPage(waypoint, prunedBody);
 
       // Second, prune any fields that do not pass the validation conditional,
       // and process those that do.
       const sanitisedBody = Object.create(null);
       for (let i = 0, l = fields.length; i < l; i++) {
-        const field = fields[i]; /* eslint-disable-line security/detect-object-injection */
+        const field =
+          fields[i]; /* eslint-disable-line security/detect-object-injection */
         const fieldValue = field.getValue(prunedBody);
 
-        if (fieldValue !== undefined && field.testConditions({
-          fieldValue,
-          waypoint,
-          journeyContext,
-        })) {
+        if (
+          fieldValue !== undefined &&
+          field.testConditions({
+            fieldValue,
+            waypoint,
+            journeyContext,
+          })
+        ) {
           field.putValue(sanitisedBody, field.applyProcessors(fieldValue));
         }
       }
@@ -55,4 +78,4 @@ export default ({
       next();
     },
   ];
-}
+};

package/src/middleware/serve-first-waypoint.js

@@ -1,13 +1,13 @@
-import { validateUrlPath } from '../lib/utils.js';
+import { validateUrlPath } from "../lib/utils.js";
 
 /**
+ * @typedef {import("express").RequestHandler} ExpressRequestHandler
  * @access private
- * @typedef {import('express').RequestHandler} ExpressRequestHandler
  */
 
 /**
+ * @typedef {import("../casa").Plan} Plan
  * @access private
- * @typedef {import('../casa').Plan} Plan
  */
 
 /**
@@ -17,12 +17,14 @@ import { validateUrlPath } from '../lib/utils.js';
  * @param {Plan} plan CASA Plan
  * @returns {ExpressRequestHandler[]} Array of middleware
  */
-export default ({
-  plan,
-}) => [(req, res) => {
-  const reqUrl = new URL(req.url, 'https://placeholder.test/');
-  const reqPath = validateUrlPath(`${req.baseUrl}${reqUrl.pathname}${plan.getWaypoints()[0]}`);
-  let reqParams = reqUrl.searchParams.toString();
-  reqParams = reqParams ? `?${reqParams}` : '';
-  res.redirect(302, `${reqPath}${reqParams}`);
-}];
+export default ({ plan }) => [
+  (req, res) => {
+    const reqUrl = new URL(req.url, "https://placeholder.test/");
+    const reqPath = validateUrlPath(
+      `${req.baseUrl}${reqUrl.pathname}${plan.getWaypoints()[0]}`,
+    );
+    let reqParams = reqUrl.searchParams.toString();
+    reqParams = reqParams ? `?${reqParams}` : "";
+    res.redirect(302, `${reqPath}${reqParams}`);
+  },
+];

package/src/middleware/session.js

@@ -1,64 +1,70 @@
 // A last-modified cookie is used to control whether the end user sees a
 // session-timeout page, or they are simply given a new session without
 // interrupting their journey.
-import expressSession, { MemoryStore } from 'express-session';
-import logger from '../lib/logger.js';
-import { validateUrlPath } from '../lib/utils.js';
+import expressSession, { MemoryStore } from "express-session";
+import logger from "../lib/logger.js";
+import { validateUrlPath } from "../lib/utils.js";
 
-const log = logger('middleware:session');
+const log = logger("middleware:session");
 
-const sessionExpiryMiddleware = (
-  ttl,
-  getCookie,
-  touchCookie,
-  removeCookie,
-) => (req, res, next) => {
-  const lastModified = getCookie(req);
-  const age = Math.floor(Date.now() * 0.001) - lastModified;
+const sessionExpiryMiddleware =
+  (ttl, getCookie, touchCookie, removeCookie) => (req, res, next) => {
+    const lastModified = getCookie(req);
+    const age = Math.floor(Date.now() * 0.001) - lastModified;
 
-  if (lastModified === 0) {
-    // New session, or grace period cookie no longer available after
-    // expiring; generate a new session, and create grace-period cookie.
-    // This will invalidate any CSRF tokens, so by letting the request POST
-    // requests through the user may see a 500 error response.
-    log.info('Session is new, or grace period has expired. Regenerating session.');
-    req.session.regenerate((err) => {
-      if (err) {
-        next(err);
-      } else {
-        touchCookie(res);
-        if (req.method === 'POST') {
-          log.info('The CSRF token for this POST request will now be invalid for this regenerated session. Redirecting to app mount point.');
-          res.redirect(302, validateUrlPath(`${req.baseUrl}/`));
+    if (lastModified === 0) {
+      // New session, or grace period cookie no longer available after
+      // expiring; generate a new session, and create grace-period cookie.
+      // This will invalidate any CSRF tokens, so by letting the request POST
+      // requests through the user may see a 500 error response.
+      log.info(
+        "Session is new, or grace period has expired. Regenerating session.",
+      );
+      req.session.regenerate((err) => {
+        if (err) {
+          next(err);
         } else {
-          next();
+          touchCookie(res);
+          if (req.method === "POST") {
+            log.info(
+              "The CSRF token for this POST request will now be invalid for this regenerated session. Redirecting to app mount point.",
+            );
+            res.redirect(302, validateUrlPath(`${req.baseUrl}/`));
+          } else {
+            next();
+          }
         }
-      }
-    });
-  } else if (age > ttl) {
-    // Cookie has become stale and server session will have been removed;
-    // redirect to session-timeout
-    log.info('Session has timed out within grace period. Destroying session and redirecting to timeout page.');
-    const language = req.session.language ?? 'en';
-    req.session.destroy((err) => {
-      if (err) {
-        next(err);
-      } else {
-        removeCookie(res);
-        const params = new URLSearchParams({
-          referrer: req.originalUrl,
-          lang: language,
-        });
-        /* eslint-disable-next-line prefer-template */
-        res.redirect(302, validateUrlPath(`${req.baseUrl}/session-timeout`) + `?${params.toString()}`);
-      }
-    });
-  } else {
-    // Touch cookie and continue
-    touchCookie(res);
-    next();
-  }
-};
+      });
+    } else if (age > ttl) {
+      // Cookie has become stale and server session will have been removed;
+      // redirect to session-timeout
+      log.info(
+        "Session has timed out within grace period. Destroying session and redirecting to timeout page.",
+      );
+      const language = req.session.language ?? "en";
+      req.session.destroy((err) => {
+        if (err) {
+          next(err);
+        } else {
+          removeCookie(res);
+          const params = new URLSearchParams({
+            referrer: req.originalUrl,
+            lang: language,
+          });
+          /* eslint-disable-next-line prefer-template */
+          res.redirect(
+            302,
+            validateUrlPath(`${req.baseUrl}/session-timeout`) +
+              `?${params.toString()}`,
+          );
+        }
+      });
+    } else {
+      // Touch cookie and continue
+      touchCookie(res);
+      next();
+    }
+  };
 
 // 3 middleware:
 // - set the session cookie
@@ -71,7 +77,7 @@ export default function sessionMiddleware({
   secure,
   ttl,
   cookieSameSite = true,
-  cookiePath = '/',
+  cookiePath = "/",
   store = new MemoryStore(),
 }) {
   const commonCookieOptions = {
@@ -81,7 +87,8 @@ export default function sessionMiddleware({
   };
 
   if (cookieSameSite !== false) {
-    commonCookieOptions.sameSite = cookieSameSite === true ? 'Strict' : cookieSameSite;
+    commonCookieOptions.sameSite =
+      cookieSameSite === true ? "Strict" : cookieSameSite;
   }
 
   const ttlGrace = 1800; // user will see session-timeout if session expires within 30mins
@@ -94,22 +101,28 @@ export default function sessionMiddleware({
 
   const getCookie = (req) => {
     // Disabled eslint as `touchCookieName` is a constant, known value
-    /* eslint-disable-next-line security/detect-object-injection */
-    const lastModified = Date.parse(String(req.signedCookies[touchCookieName] ?? '1970-01-01T00:00:00+0000'));
+    const lastModified = Date.parse(
+      /* eslint-disable-next-line security/detect-object-injection */
+      String(req.signedCookies[touchCookieName] ?? "1970-01-01T00:00:00+0000"),
+    );
     return Number.isNaN(lastModified) ? 0 : Math.floor(lastModified * 0.001);
-  }
+  };
 
   const touchCookie = (res) => {
     // Touch cookie expiry is a short period after the session ttl. This gives
     // a small period of time where a user will see the session-timeout message,
     // which is important to avoid the confusion of simply being redirected back
     // to the start of their journey.
-    res.cookie(touchCookieName, (new Date(Date.now())).toUTCString(), touchCookieOptions);
-  }
+    res.cookie(
+      touchCookieName,
+      new Date(Date.now()).toUTCString(),
+      touchCookieOptions,
+    );
+  };
 
   const removeCookie = (res) => {
     res.clearCookie(touchCookieName, touchCookieOptions);
-  }
+  };
 
   return [
     expressSession({

package/src/middleware/skip-waypoint.js

@@ -1,19 +1,17 @@
 // Mark a waypoint as skipped
 
-import lodash from 'lodash';
-import JourneyContext from '../lib/JourneyContext.js';
-import waypointUrl from '../lib/waypoint-url.js';
-import logger from '../lib/logger.js';
+import lodash from "lodash";
+import JourneyContext from "../lib/JourneyContext.js";
+import waypointUrl from "../lib/waypoint-url.js";
+import logger from "../lib/logger.js";
 
 const { has } = lodash;
 
-const log = logger('middleware:skip-waypoint');
+const log = logger("middleware:skip-waypoint");
 
-export default ({
-  waypoint,
-}) => [
+export default ({ waypoint }) => [
   (req, res, next) => {
-    if (!has(req.query, 'skipto')) {
+    if (!has(req.query, "skipto")) {
       return next();
     }
     const skipTo = String(req.query.skipto);