npm - @gov-cy/govcy-express-services - Versions diffs - 1.9.4 → 1.10.0 - Mend

@gov-cy/govcy-express-services 1.9.4 → 1.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md +37 -24
package/package.json +1 -1
package/src/auth/cyLoginAuth.mjs +32 -4
package/src/middleware/cyLoginAuth.mjs +48 -20
package/src/utils/govcyExpressions.mjs +27 -23

package/README.md CHANGED Viewed

@@ -156,16 +156,17 @@ The CY Login settings are configured in the `secrets/.env` file.
 Each service can specify which types of authenticated CY Login profiles are allowed to access it using the `site.cyLoginPolicies` property in its site configuration.
-```json
-"cyLoginPolicies": ["naturalPerson", "legalPerson"]
-```
+```json
+"cyLoginPolicies": ["naturalPerson", "legalPerson", "eidasNaturalPerson"]
+```
 ##### Supported Policies
-| Policy name     | Description                                                  | Typical use                                          |
-| --------------- | ------------------------------------------------------------ | ---------------------------------------------------- |
-| `naturalPerson` | Allows individual users (Cypriot citizens or foreign residents) who have a verified profile in the Civil Registry. Identified by `profile_type: "Individual"` and a 10-digit identifier starting with `00` (citizen) or `05` (foreigner). | Citizen-facing services, personal applications, etc. |
-| `legalPerson`   | Allows legal entities (companies, partnerships, organisations) with verified profiles in the Registrar of Companies. Identified by `profile_type: "Organisation"` and a `legal_unique_identifier`. | Business-facing services, company submissions, etc.  |
+| Policy name     | Description                                                  | Typical use                                          |
+| --------------- | ------------------------------------------------------------ | ---------------------------------------------------- |
+| `naturalPerson` | Allows individual users (Cypriot citizens or foreign residents) who have a verified profile in the Civil Registry. Identified by `profile_type: "Individual"` and a 10-digit identifier starting with `00` (citizen) or `05` (foreigner). | Citizen-facing services, personal applications, etc. |
+| `legalPerson`   | Allows legal entities (companies, partnerships, organisations) with verified profiles in the Registrar of Companies. Identified by `profile_type: "Organisation"` and a `legal_unique_identifier`. | Business-facing services, company submissions, etc.  |
+| `eidasNaturalPerson` | Allows eIDAS natural persons identified by `profile_type: "Individual"` and `unique_identifier` in the `CC/CC/<identifier>` format. | Cross-border eIDAS individual services. |
 ##### How it works
@@ -184,13 +185,21 @@ This maintains backward compatibility with existing services that only supported
 ##### Example
-Allow both natural and legal persons:
-```json
-"site": {
-  "cyLoginPolicies": ["naturalPerson", "legalPerson"]
-}
-```
+Allow both natural and legal persons:
+```json
+"site": {
+  "cyLoginPolicies": ["naturalPerson", "legalPerson"]
+}
+```
+Allow Cypriot and eIDAS natural persons:
+```json
+"site": {
+  "cyLoginPolicies": ["naturalPerson", "eidasNaturalPerson"]
+}
+```
 Restrict access to natural persons only:
@@ -2055,14 +2064,16 @@ To use data layer values, use the special `dataLayer[]` array. For example `data
       - `formData` is a reserved word for the form data (already inputed data by the user) for that page
         - `showExtra`refers to a input component with that name
-The `dataLayer` typically contains keys such as:
-- `inputData`: **All data submitted by the user through forms**
-- `eligibilityResults`: **Cached results from service eligibility API checks**
+The `dataLayer` typically contains keys such as:
+- `inputData`: **All data submitted by the user through forms**
+- `eligibilityResults`: **Cached results from service eligibility API checks**
+- `user.profile_type`: **Authenticated user profile type from CY Login context**
+- `user.policy`: **The matched CY Login policy name for the current session**
 Example structure for a service with ID `my-service`:
-```js
-dataLayer = {
+```js
+dataLayer = {
   'my-service.inputData.index.formData.fullName': 'John Smith',
   'my-service.inputData.index.formData.age': '34',
   'my-service.inputData.contact-details.formData.telephone': '+35712345678',
@@ -2072,11 +2083,13 @@ dataLayer = {
     "permanent_residence"
   ],
   'my-service.inputData.want-to-apply.formData.option-radio': 'yes',
-  'my-service.eligibilityResults.check1.succeeded': true,
-  'my-service.eligibilityResults.check2.ErrorCode': 0
-}
-```
+  'my-service.eligibilityResults.check1.succeeded': true,
+  'my-service.eligibilityResults.check2.ErrorCode': 0,
+  'user.profile_type': 'Individual',
+  'user.policy': 'naturalPerson'
+}
+```
 If any part of the key path is missing (e.g., the page hasn’t been visited yet or a form field was left empty), the expression will safely return `undefined` and **will not throw an error**. This behavior is by design, so that conditional logic expressions can fail silently and fallback gracefully.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@gov-cy/govcy-express-services",
-  "version": "1.9.4",
+  "version": "1.10.0",
   "description": "An Express-based system that dynamically renders services using @gov-cy/govcy-frontend-renderer and posts data to a submission API.",
   "author": "DMRID - DSF Team",
   "license": "MIT",

package/src/auth/cyLoginAuth.mjs CHANGED Viewed

@@ -9,6 +9,7 @@ const clientId = getEnvVariable('CYLOGIN_CLIENT_ID');
 const clientSecret = getEnvVariable('CYLOGIN_CLIENT_SECRET');
 const scope = getEnvVariable('CYLOGIN_SCOPE');
 const redirect_uri = getEnvVariable('CYLOGIN_REDIRECT_URI');
+const policyClaims = ['unique_identifier', 'profile_type', 'legal_unique_identifier'];
 // Discover OpenID settings with error handling and retry mechanism
 let config = null; // Changed: Initialize config as null
@@ -99,9 +100,11 @@ export async function handleCallback(req) {
         let claims = tokens.claims();
         logger.debug('ID Token Claims', claims);
-        let { sub } = claims;
-        let userInfo = await client.fetchUserInfo(config, access_token, sub);
-        logger.debug('UserInfo Response', userInfo);
+        let { sub } = claims;
+        const fetchedUserInfo = await client.fetchUserInfo(config, access_token, sub);
+        let userInfo = (fetchedUserInfo && typeof fetchedUserInfo === 'object') ? fetchedUserInfo : {};
+        backfillPolicyClaimsFromIdToken(userInfo, claims);
+        logger.debug('UserInfo Response', userInfo);
         return { tokens, claims, userInfo };
     } catch (error) {
@@ -111,6 +114,31 @@ export async function handleCallback(req) {
     }
 }
+/**
+ * Checks if a value is missing (null, undefined, or empty string)
+ * @param {*} value The value to check
+ * @returns {boolean} True if the value is missing, false otherwise
+ */
+function isMissingValue(value) {
+    return value == null || (typeof value === 'string' && value.trim() === '');
+}
+/**
+ * Backfill missing policy claims from ID token claims to userInfo
+ * @param {object} userInfo The userInfo object to backfill
+ * @param {object} claims The ID token claims to check for missing values
+ * @returns {object} The updated userInfo object with backfilled claims
+ */
+export function backfillPolicyClaimsFromIdToken(userInfo = {}, claims = {}) {
+    for (const key of policyClaims) {
+        if (isMissingValue(userInfo[key]) && !isMissingValue(claims[key])) {
+            userInfo[key] = claims[key];
+        }
+    }
+    return userInfo;
+}
 /**
  * Logout and build end session URL
@@ -131,4 +159,4 @@ export function getLogoutUrl(id_token_hint = '') {
 // Export config if needed elsewhere
 export { config };
-/* c8 ignore end */
+/* c8 ignore end */

package/src/middleware/cyLoginAuth.mjs CHANGED Viewed

@@ -140,7 +140,7 @@ export function naturalPersonPolicy(req) {
  *
  * @param {object} req The request object
  */
-export function legalPersonPolicy(req) {
+export function legalPersonPolicy(req) {
     // https://dev.azure.com/cyprus-gov-cds/Documentation/_wiki/wikis/Documentation/42/For-Cyprus-Natural-or-Legal-person
     const { profile_type, legal_unique_identifier } = req.session.user || {};
     // Allow only legal persons with approved profiles
@@ -149,21 +149,46 @@ export function legalPersonPolicy(req) {
     }
     // Deny access if validation fails
-    return false;
-}
-const policyRegistry = {
-    naturalPerson: naturalPersonPolicy,
-    legalPerson: legalPersonPolicy,
-};
-export function cyLoginPolicy(req, res, next) {
-    // Check what is allowed in the service configuration
-    const allowed = req?.serviceData?.site?.cyLoginPolicies || ["naturalPerson"];
-    // Check each policy in the allowed list
-    for (const name of allowed) {
-        const policy = policyRegistry[name];
+    return false;
+}
+/**
+ * Middleware to enforce eIDAS natural person policy. If the user is not a verified eIDAS natural person, return false.
+ *
+ * @param {object} req The request object
+ */
+export function eidasNaturalPersonPolicy(req) {
+    // https://dev.azure.com/cyprus-gov-cds/Documentation/_wiki/wikis/Documentation/43/For-eIDAS-Natural-or-Legal-person
+    const { profile_type, unique_identifier } = req.session.user || {};
+    // Allow only natural persons with eIDAS unique identifier format: CC/CC/<identifier>
+    if (profile_type === 'Individual' && typeof unique_identifier === 'string') {
+        const eidasIdentifierPattern = /^[A-Z]{2}\/[A-Z]{2}\/.+$/;
+        if (eidasIdentifierPattern.test(unique_identifier)) {
+            return true;
+        }
+    }
+    // Deny access if validation fails
+    return false;
+}
+const policyRegistry = {
+    naturalPerson: naturalPersonPolicy,
+    legalPerson: legalPersonPolicy,
+    eidasNaturalPerson: eidasNaturalPersonPolicy,
+};
+export function cyLoginPolicy(req, res, next) {
+    // Check what is allowed in the service configuration
+    const allowed = req?.serviceData?.site?.cyLoginPolicies || ["naturalPerson"];
+    // Clear stale policy value before policy evaluation
+    if (req?.session?.user) {
+        delete req.session.user.policy;
+    }
+    // Check each policy in the allowed list
+    for (const name of allowed) {
+        const policy = policyRegistry[name];
         // Skip if the policy is not registered
         if (!policy) {
             console.warn(`🚨 Unknown policy: ${name}`);
@@ -171,9 +196,12 @@ export function cyLoginPolicy(req, res, next) {
         };
         // 🚨 Strict mode: let errors throw naturally if data is malformed
-        const passed = policy(req);
-        if (passed) return next();
-    }
+        const passed = policy(req);
+        if (passed) {
+            req.session.user.policy = name;
+            return next();
+        }
+    }
     return handleMiddlewareError(
         "🚨 Access Denied: none of the allowed CY Login policies matched.",
@@ -193,4 +221,4 @@ export function getUniqueIdentifier(req) {
         "";
     return String(id);
-}
+}

package/src/utils/govcyExpressions.mjs CHANGED Viewed

@@ -94,27 +94,31 @@ export function evaluateExpression(expression, dataLayer = {}) {
 }
-/**
- * Evaluates expression **with automatic flattening**.
- * This is a convenience wrapper for most use cases.
- *
- * @param {string} expression - JS expression using dataLayer["..."]
- * @param {object} object - Unflattened data object (e.g., session.siteData[siteKey])
- * @param {string} prefix - Prefix to add to all keys (usually the siteKey)
- * @param {object} [req=null] - Express request, used to inject user.profile_type into the context
- * @returns {*} - The evaluated result
- */
-export function evaluateExpressionWithFlattening(expression, object, prefix = '', req = null) {
-  const baseObject = (object && typeof object === 'object') ? object : {};
-  const dataLayer = flattenContext(baseObject, prefix);
+/**
+ * Evaluates expression **with automatic flattening**.
+ * This is a convenience wrapper for most use cases.
+ *
+ * @param {string} expression - JS expression using dataLayer["..."]
+ * @param {object} object - Unflattened data object (e.g., session.siteData[siteKey])
+ * @param {string} prefix - Prefix to add to all keys (usually the siteKey)
+ * @param {object} [req=null] - Express request, used to inject user profile context into the dataLayer
+ * @returns {*} - The evaluated result
+ */
+export function evaluateExpressionWithFlattening(expression, object, prefix = '', req = null) {
+  const baseObject = (object && typeof object === 'object') ? object : {};
+  const dataLayer = flattenContext(baseObject, prefix);
   if (req) {
+    // Inject user profile context into the dataLayer for expression use,
+    // if available in either req.user or req.session.user
     const profileType = req?.user?.profile_type ?? req?.session?.user?.profile_type ?? null;
+    const policy = req?.user?.policy ?? req?.session?.user?.policy ?? null;
     dataLayer['user.profile_type'] = profileType;
+    dataLayer['user.policy'] = policy;
   }
-  return evaluateExpression(expression, dataLayer);
-}
+  return evaluateExpression(expression, dataLayer);
+}
 /**
@@ -174,12 +178,12 @@ export function evaluatePageConditions(page, store, siteKey, req = {}) {
     try {
       // Evaluate the expression using flattened site data
-      const result = evaluateExpressionWithFlattening(
-        condition.expression,
-        siteData,
-        siteKey,
-        req
-      );
+      const result = evaluateExpressionWithFlattening(
+        condition.expression,
+        siteData,
+        siteKey,
+        req
+      );
       if (typeof result !== 'boolean') {
         logger.debug(`Condition expression on page '${page.pageData?.url || page.id}' returned non-boolean:`, result);