@dwp/govuk-casa 9.3.5 → 9.4.1

package/src/lib/nunjucks-filters.js

@@ -12,9 +12,10 @@ const combineMerge = (target, source, options) => {
   const destination = target.slice();
 
   for (let index = 0; index < source.length; index++) {
-    const item = source[index];
     // ESLint disabled as `index` is only an integer
     /* eslint-disable security/detect-object-injection */
+    const item = source[index];
+
     if (typeof destination[index] === "undefined") {
       destination[index] = options.cloneUnlessOtherwiseSpecified(item, options);
     } else if (options.isMergeableObject(item)) {
@@ -30,10 +31,18 @@ const combineMerge = (target, source, options) => {
 // Allows objects to be deepmerged and retain their type, without becoming [object Object]
 // ref: https://github.com/jonschlinkert/is-plain-object/blob/master/is-plain-object.js
 
+/**
+ * @param {any} o Value to test
+ * @returns {boolean} True if an object
+ */
 function isObject(o) {
   return Object.prototype.toString.call(o) === "[object Object]";
 }
 
+/**
+ * @param {any} o Value to test
+ * @returns {boolean} True if a plain object or array
+ */
 function isPlainObjectOrArray(o) {
   if (Array.isArray(o)) {
     return true;
@@ -52,12 +61,17 @@ function isPlainObjectOrArray(o) {
   return Object.hasOwn(prot, "isPrototypeOf");
 }
 
+/**
+ * @param {...any} objects Objects to merge
+ * @returns {object} Merged object
+ */
 function mergeObjects(...objects) {
   return deepmergeAll([Object.create(null), ...objects], {
     arrayMerge: combineMerge,
     isMergeableObject: isPlainObjectOrArray,
   });
 }
+
 /**
  * Determine whether a value exists in a list.
  *

package/src/lib/utils.js

@@ -48,7 +48,6 @@ export function isStringable(value) {
  * @access private
  */
 export function resolveMiddlewareHooks(hookName, path, hooks = []) {
-  /* eslint-disable-next-line max-len */
   const pathMatch = (h) =>
     h.path === undefined ||
     (h.path instanceof RegExp && h.path.test(path)) ||
@@ -119,10 +118,15 @@ export function stripWhitespace(value, options) {
     throw new TypeError("nested must be a string");
   }
 
-  return value
-    .replace(/^\s+/, opts.leading)
-    .replace(/\s+$/, opts.trailing)
-    .replace(/\s+/g, opts.nested);
+  // This approach avoids using `/s+$/` regex, which triggers the
+  // `sonarjs/slow-regex` eslint rule
+  let newValue = value.replace(/^\s+/, opts.leading);
+  if (newValue.match(/\s$/)) {
+    newValue = `${newValue.trimEnd()}${opts.trailing}`;
+  }
+  newValue = newValue.replace(/\s+/g, opts.nested);
+
+  return newValue;
 }
 
 /* ------------------------------------------------ validation / sanitisation */

package/src/lib/validators/dateObject.js

@@ -1,4 +1,3 @@
-/* eslint-disable class-methods-use-this */
 import { DateTime } from "luxon";
 import lodash from "lodash";
 import ValidationError from "../ValidationError.js";
@@ -102,7 +101,7 @@ export default class DateObject extends ValidatorFactory {
       if (test.flags.every((v) => v === true)) {
         formats = [...formats, ...test.formats];
       }
-    };
+    }
 
     if (typeof value === "object") {
       formats.find((format) => {

package/src/lib/validators/email.js

@@ -1,4 +1,3 @@
-/* eslint-disable class-methods-use-this */
 import validatorPkg from "validator";
 import ValidationError from "../ValidationError.js";
 import ValidatorFactory from "../ValidatorFactory.js";
@@ -34,7 +33,7 @@ export default class Email extends ValidatorFactory {
     let isValid;
     try {
       isValid = isEmail(value);
-    } catch (e) {
+    } catch {
       isValid = false;
     }
 

package/src/lib/validators/inArray.js

@@ -1,4 +1,3 @@
-/* eslint-disable class-methods-use-this */
 /**
  * Test if a value is present in an array.
  *

package/src/lib/validators/nino.js

@@ -1,4 +1,3 @@
-/* eslint-disable class-methods-use-this */
 import ValidationError from "../ValidationError.js";
 import ValidatorFactory from "../ValidatorFactory.js";
 import { stringifyInput } from "../utils.js";

package/src/lib/validators/postalAddressObject.js

@@ -1,4 +1,3 @@
-/* eslint-disable class-methods-use-this */
 import lodash from "lodash";
 import ValidationError from "../ValidationError.js";
 import ValidatorFactory from "../ValidatorFactory.js";
@@ -83,7 +82,6 @@ export default class PostalAddressObject extends ValidatorFactory {
       ...this.config,
     };
 
-    /* eslint-disable-next-line require-jsdoc */
     const objectifyError = (err) =>
       typeof err === "string"
         ? {
@@ -105,12 +103,14 @@ export default class PostalAddressObject extends ValidatorFactory {
     const errorMsgs = [];
 
     if (typeof value === "object") {
-      const reAddr = /^[^\s]+[a-z0-9\-,.&#()/\\:;'" ]+$/i;
-      const reAddrLine1 = /^\d+|[^\s]+[a-z0-9\-,.&#()/\\:;'" ]+$/i;
+      const reAddr = /^[a-z0-9\-,.&#()/\\:;'" ]{2,}$/i;
+      const reAddrLine1 = /^(\d+|[a-z0-9\-,.&#()/\\:;'" ]{2,})$/i;
       // UK Postcode regex taken from the dwp java pc checker
       // https://github.com/dwp/postcode-format-validation
+      /* eslint-disable sonarjs/regex-complexity */
       const rePostcode =
-        /^(?![QVX])[A-Z]((?![IJZ])[A-Z][0-9](([0-9]?)|([ABEHMNPRVWXY]?))|([0-9]([0-9]?|[ABCDEFGHJKPSTUW]?))) ?[0-9]((?![CIKMOV])[A-Z]){2}$|^(BFPO)[ ]?[0-9]{1,4}$/i;
+        /^(?![QVX])[A-Z]((?![IJZ])[A-Z]\d((\d?)|([ABEHMNPRVWXY]?))|(\d(\d?|[ABCDEFGHJKPSTUW]?))) ?\d((?![CIKMOV])[A-Z]){2}$|^(BFPO) ?\d{1,4}$/i;
+      /* eslint-enable sonarjs/regex-complexity */
 
       // [required, regex, strlenmax, error message]
       const attributes = {

package/src/lib/validators/range.js

@@ -1,5 +1,3 @@
-/* eslint-disable class-methods-use-this */
-
 import ValidatorFactory from "../ValidatorFactory.js";
 import ValidationError from "../ValidationError.js";
 import { coerceInputToInteger } from "../utils.js";

package/src/lib/validators/regex.js

@@ -1,4 +1,3 @@
-/* eslint-disable class-methods-use-this */
 import ValidatorFactory from "../ValidatorFactory.js";
 import ValidationError from "../ValidationError.js";
 import { stringifyInput } from "../utils.js";

package/src/lib/validators/required.js

@@ -1,4 +1,3 @@
-/* eslint-disable class-methods-use-this */
 import lodash from "lodash";
 import { isEmpty, isStringable, stringifyInput } from "../utils.js";
 import ValidatorFactory from "../ValidatorFactory.js";

package/src/lib/validators/strlen.js

@@ -1,4 +1,3 @@
-/* eslint-disable class-methods-use-this */
 import ValidatorFactory from "../ValidatorFactory.js";
 import ValidationError from "../ValidationError.js";
 import { stringifyInput } from "../utils.js";

package/src/lib/validators/wordCount.js

@@ -1,4 +1,3 @@
-/* eslint-disable class-methods-use-this */
 import ValidatorFactory from "../ValidatorFactory.js";
 import ValidationError from "../ValidationError.js";
 import { stringifyInput } from "../utils.js";

package/src/lib/waypoint-url.js

@@ -61,14 +61,13 @@ const sanitiseWaypointWithAllowedParams = (w) => {
  *   });
  *
  * @param {object} obj Options
- * @param {string} [obj.waypoint=""] Waypoint. Default is `""`
- * @param {string} [obj.mountUrl="/"] Mount URL. Default is `"/"`
+ * @param {string} [obj.waypoint] Waypoint. Default is `""`
+ * @param {string} [obj.mountUrl] Mount URL. Default is `"/"`
  * @param {JourneyContext} [obj.journeyContext] JourneyContext
- * @param {boolean} [obj.edit=false] Turn edit mode on or off. Default is
- *   `false`
+ * @param {boolean} [obj.edit] Turn edit mode on or off. Default is `false`
  * @param {string} [obj.editOrigin] Edit mode original URL
  * @param {boolean} [obj.skipTo] Skip to this waypoint from the current one
- * @param {string} [obj.routeName=next] Plan route name; next | prev. Default is
+ * @param {string} [obj.routeName] Plan route name; next | prev. Default is
  *   `next`
  * @returns {string} URL
  */

package/src/middleware/body-parser.js

@@ -1,9 +1,34 @@
 import { urlencoded as expressBodyParser } from "express";
 
+/**
+ * @typedef {import("express").RequestHandler} RequestHandler
+ * @access private
+ */
+
+/**
+ * @typedef {import("express").Request} Request
+ * @access private
+ */
+
+/**
+ * @typedef {import("express").Response} Response
+ * @access private
+ */
+
 const rProto = /__proto__/i;
 const rPrototype = /prototype[='"[\]]/i;
 const rConstructor = /constructor[='"[\]]/i;
 
+/**
+ * Verify request body.
+ *
+ * @param {Request} req HTTP request
+ * @param {Response} res HTTP response
+ * @param {Buffer} buf Buffer
+ * @param {string} encoding Character encoding
+ * @returns {void}
+ * @throws {Error} For invalid bodies
+ */
 export function verifyBody(req, res, buf, encoding) {
   const body = decodeURI(buf.toString(encoding)).replace(
     /[\s\u200B-\u200D\uFEFF]/g,
@@ -20,6 +45,15 @@ export function verifyBody(req, res, buf, encoding) {
   }
 }
 
+/**
+ * Body parsing middleware.
+ *
+ * @param {object} opts Options
+ * @param {number} opts.formMaxParams Max number of parameters that should be
+ *   parsed
+ * @param {number} opts.formMaxBytes Max bytes that should be read
+ * @returns {RequestHandler[]} Middleware functions
+ */
 export default function bodyParserMiddleware({ formMaxParams, formMaxBytes }) {
   return [
     expressBodyParser({

package/src/middleware/csrf.js

@@ -1,9 +1,19 @@
 import { csrfSync } from "csrf-sync";
 
-// 2 middleware: one to generate the csrf token and check its validity (POST
-// only), and one to provide that token to templates via the `casa.csrfToken`
-// variable.
+/**
+ * @typedef {import("express").RequestHandler} RequestHandler
+ * @access private
+ */
 
+/**
+ * Data middleware.
+ *
+ * 2 middleware: one to generate the csrf token and check its validity (POST
+ * only), and one to provide that token to templates via the `casa.csrfToken`
+ * variable.
+ *
+ * @returns {RequestHandler[]} Middleware functions
+ */
 export default function csrfMiddleware() {
   const { csrfSynchronisedProtection } = csrfSync({
     getTokenFromRequest: (req) => req.body._csrf,

package/src/middleware/data.js

@@ -1,10 +1,27 @@
-// Decorates the request with some contextual data about the user's journey
-// through the application. This is used by downstream middleware and templates.
-
 import JourneyContext from "../lib/JourneyContext.js";
 import { validateUrlPath } from "../lib/utils.js";
 import waypointUrl from "../lib/waypoint-url.js";
 
+/**
+ * @typedef {import("express").RequestHandler} RequestHandler
+ * @access private
+ */
+
+/**
+ * @typedef {import("../casa.js").Plan} Plan
+ * @access private
+ */
+
+/**
+ * @typedef {import("../casa.js").ContextEventHandler} ContextEventHandler
+ * @access private
+ */
+
+/**
+ * @typedef {import("../casa.js").ContextIdGenerator} ContextIdGenerator
+ * @access private
+ */
+
 const editOrigin = (req) => {
   if (Object.hasOwn(req.query, "editorigin")) {
     return waypointUrl({ waypoint: req.query.editorigin });
@@ -15,6 +32,19 @@ const editOrigin = (req) => {
   return "";
 };
 
+/**
+ * Data middleware.
+ *
+ * Decorates the request with some contextual data about the user's journey
+ * through the application. This is used by downstream middleware and
+ * templates.
+ *
+ * @param {object} opts Options
+ * @param {Plan} opts.plan CASA Plan
+ * @param {ContextEventHandler[]} opts.events Event handlers
+ * @param {ContextIdGenerator} opts.contextIdGenerator Content ID generator
+ * @returns {RequestHandler[]} Middleware functions
+ */
 export default function dataMiddleware({ plan, events, contextIdGenerator }) {
   return [
     (req, res, next) => {
@@ -36,8 +66,10 @@ export default function dataMiddleware({ plan, events, contextIdGenerator }) {
 
         // Edit mode
         editMode:
-          (Object.hasOwn(req.query, "edit") && Object.hasOwn(req.query, "editorigin")) ||
-          (Object.hasOwn(req.body, "edit") && Object.hasOwn(req.body, "editorigin")),
+          (Object.hasOwn(req.query, "edit") &&
+            Object.hasOwn(req.query, "editorigin")) ||
+          (Object.hasOwn(req.body, "edit") &&
+            Object.hasOwn(req.body, "editorigin")),
         editOrigin: editOrigin(req),
       };
 

package/src/middleware/gather-fields.js

@@ -20,7 +20,7 @@ import { REQUEST_PHASE_GATHER } from "../lib/constants.js";
  *
  * @param {object} obj Options
  * @param {string} obj.waypoint Waypoint
- * @param {PageField[]} [obj.fields=[]] Fields. Default is `[]`
+ * @param {PageField[]} [obj.fields] Fields. Default is `[]`
  * @returns {Array} Array of middleware
  */
 export default ({ waypoint, fields = [] }) => [

package/src/middleware/i18n.js

@@ -3,9 +3,14 @@ import { LanguageDetector, handle } from "i18next-http-middleware";
 import { resolve, basename } from "node:path";
 import { existsSync, readFileSync, readdirSync } from "node:fs";
 import deepmerge from "deepmerge";
-import yaml from "js-yaml";
+import { load as jsYamlLoad } from "js-yaml";
 import logger from "../lib/logger.js";
 
+/**
+ * @typedef {import("express").RequestHandler} RequestHandler
+ * @access private
+ */
+
 const log = logger("middleware:i18n");
 
 const loadJson = (file) => {
@@ -17,7 +22,7 @@ const loadJson = (file) => {
 };
 
 /* eslint-disable-next-line security/detect-non-literal-fs-filename */
-const loadYaml = (file) => yaml.load(readFileSync(file, "utf8"));
+const loadYaml = (file) => jsYamlLoad(readFileSync(file, "utf8"));
 
 const extract = (file) => {
   const ext = /.yaml$/i.test(file) ? ".yaml" : ".json";
@@ -63,6 +68,14 @@ const loadResources = (languages, directories) => {
   return store;
 };
 
+/**
+ * Internationalisation middleware.
+ *
+ * @param {object} opts Options
+ * @param {string[]} [opts.languages] Language codes
+ * @param {string[]} [opts.directories] Source translations directories
+ * @returns {RequestHandler[]} Middleware functions
+ */
 export default function i18nMiddleware({
   languages = ["en", "cy"],
   directories = [],
@@ -95,7 +108,6 @@ export default function i18nMiddleware({
   return [
     (req, res, next) => {
       if (!req.session.language) {
-        /* eslint-disable-next-line prefer-destructuring */
         req.session.language = languages[0];
       }
       if (req?.query.lang && languages.includes(req.query.lang)) {

package/src/middleware/post.js

@@ -1,8 +1,14 @@
 // 2 middleware: one as a fallback 404 handler, one to handle thrown errors
 import logger from "../lib/logger.js";
 
+/**
+ * @typedef {import("express").RequestHandler} RequestHandler
+ * @access private
+ */
+
 const log = logger("middleware:post");
 
+/** @returns {RequestHandler[]} Middleware functions */
 export default function postMiddleware() {
   return [
     (req, res) => {

package/src/middleware/session.js

@@ -5,6 +5,11 @@ import expressSession, { MemoryStore } from "express-session";
 import logger from "../lib/logger.js";
 import { validateUrlPath } from "../lib/utils.js";
 
+/**
+ * @typedef {import("express").RequestHandler} RequestHandler
+ * @access private
+ */
+
 const log = logger("middleware:session");
 
 const sessionExpiryMiddleware =
@@ -51,7 +56,7 @@ const sessionExpiryMiddleware =
             referrer: req.originalUrl,
             lang: language,
           });
-          /* eslint-disable-next-line prefer-template */
+
           res.redirect(
             302,
             validateUrlPath(`${req.baseUrl}/session-timeout`) +
@@ -66,10 +71,24 @@ const sessionExpiryMiddleware =
     }
   };
 
-// 3 middleware:
-// - set the session cookie
-// - parse request cookies
-// - handle expiry of server-side session
+/**
+ * Produces three middleware functions:
+ *
+ * - Set the session cookie
+ * - Parse request cookies
+ * - Handle expiry of server-side session
+ *
+ * @param {object} opts Options
+ * @param {RequestHandler} opts.cookieParserMiddleware Cookie parsing middleware
+ * @param {string} opts.secret Session encryption secret
+ * @param {string} opts.name Session cookie name
+ * @param {boolean} opts.secure Secure cookies only
+ * @param {number} opts.ttl Session data time-to-live
+ * @param {boolean | string} [opts.cookieSameSite] Cooke SameSite setting
+ * @param {string} [opts.cookiePath] Cookie path
+ * @param {object} [opts.store] Storage instance
+ * @returns {RequestHandler[]} Middleware functions
+ */
 export default function sessionMiddleware({
   cookieParserMiddleware,
   secret,

package/src/routes/journey.js

@@ -1,4 +1,3 @@
-/* eslint-disable object-curly-newline,max-len */
 import MutableRouter from "../lib/MutableRouter.js";
 import skipWaypointMiddlewareFactory from "../middleware/skip-waypoint.js";
 import steerJourneyMiddlewareFactory from "../middleware/steer-journey.js";
@@ -44,7 +43,10 @@ const renderMiddlewareFactory = (view, contextFactory) => [
         // Common template variables for both GET and POST requests
         inEditMode: req.casa.editMode,
         editOriginUrl: req.casa.editOrigin,
-        editCancelUrl: generateEditCancelUrl(req.casa.editOrigin, req.casa.waypoint),
+        editCancelUrl: generateEditCancelUrl(
+          req.casa.editOrigin,
+          req.casa.waypoint,
+        ),
         activeContextId: req.casa.journeyContext.identity.id,
         ...contextFactory(req),
       },
@@ -73,8 +75,8 @@ const generateGovukErrors = (errors, req) =>
   }));
 
 const generateEditCancelUrl = (editOrigin, waypoint) => {
-  const url = new URL(editOrigin, 'https://placeholder.test/');
-  url.searchParams.set('editcancel', waypoint);
+  const url = new URL(editOrigin, "https://placeholder.test/");
+  url.searchParams.set("editcancel", waypoint);
   return `${url.pathname}${url.search}`;
 };