hof 22.11.0 → 22.12.0-beta.0

package/CHANGELOG.md

@@ -1,3 +1,23 @@
+## 2025-11-20, Version 22.12.1 (Stable), @dk4g @jamiecarterHO
+
+### Infrastructure  
+- Updated CI/CD pipeline to test against Node.js 20.x, 22.x, and 24.x
+- Updated Redis testing versions to 7 and 8
+- Added `NODE_VERSION` environment variable for consistent Node.js version across jobs
+- Updated release process to use Node.js 24 for tagging and publishing operations
+
+### Security
+  - Replaced deprecated `crypto.createCipher`/`crypto.createDecipher` with `crypto.createCipheriv`/`crypto.createDecipheriv`
+  - Added proper initialisation vector (IV) handling for enhanced security
+  - Enforced 32-byte session secret requirement for AES-256 encryption compatibility
+  - Removed insecure default session secret ('changethis') - now requires explicit configuration
+
+### Migration Notes
+- **Session Reset Required**: Due to enhanced encryption security, existing user sessions will be invalidated and users will need to re-authenticate after this update
+- **Session Secret**: You must now set a unique `SESSION_SECRET` environment variable of exactly 32 bytes for encryption compatibility. 
+For testing purposes, you can use the following command to generate a random value. For production environments, consult a security expert or refer to official cryptographic guidelines to generate a secure secret
+`node -e "console.log(require('crypto').randomBytes(16).toString('hex'))"`
+
 ## 2025-11-15, Version 22.11.0 (Stable), @Rhodine-orleans-lindsay
 
 ### Changed

package/config/hof-defaults.js

@@ -51,7 +51,7 @@ const defaults = {
   },
   session: {
     ttl: process.env.SESSION_TTL || 1800,
-    secret: process.env.SESSION_SECRET || 'changethis',
+    secret: process.env.SESSION_SECRET,
     name: process.env.SESSION_NAME || 'hod.sid',
     sanitiseInputs: false
   },

package/lib/encryption.js

@@ -1,23 +1,49 @@
-/* eslint-disable */ 
 'use strict';
 
-const crypto = require('crypto');
+const crypto = require('node:crypto');
 const algorithm = 'aes-256-cbc';
+const ivLength = 16;
 
-module.exports = password => ({
-
-  encrypt: text => {
-    const cipher = crypto.createCipher(algorithm, password);
-    let crypted = cipher.update(text, 'utf8', 'hex');
-    crypted += cipher.final('hex');
-    return crypted;
-  },
-
-  decrypt: text => {
-    const decipher = crypto.createDecipher(algorithm, password);
-    let dec = decipher.update(text, 'hex', 'utf8');
-    dec += decipher.final('utf8');
-    return dec;
+/**
+ * Creates an encryption utility with AES-256-CBC algorithm.
+ * Provides encrypt and decrypt methods that use a random IV for each encryption operation.
+ *
+ * @module encryption
+ * @param {string|Buffer} secret - Must be exactly 32 bytes
+ * @returns {Object} Encryption utility object
+ * @throws {Error} If secret is not exactly 32 bytes
+ */
+module.exports = secret => {
+  const encryptionKey = Buffer.from(secret, 'utf8');
+  if (encryptionKey.byteLength !== 32) {
+    throw new Error(`Encryption secret must be exactly 32 bytes. Provided: ${encryptionKey.byteLength} bytes.`);
   }
 
-});
+  return {
+    encrypt: text => {
+      try {
+        const iv = crypto.randomBytes(ivLength);
+        const cipher = crypto.createCipheriv(algorithm, encryptionKey, iv);
+        let encrypted = cipher.update(text, 'utf8');
+        encrypted = Buffer.concat([encrypted, cipher.final()]);
+        return iv.toString('hex') + ':' + encrypted.toString('hex');
+      } catch (error) {
+        throw new Error(`Encryption failed: ${error.message}`);
+      }
+    },
+
+    decrypt: text => {
+      try {
+        const textParts = text.split(':');
+        const iv = Buffer.from(textParts.shift(), 'hex');
+        const encryptedText = Buffer.from(textParts.join(':'), 'hex');
+        const decipher = crypto.createDecipheriv(algorithm, encryptionKey, iv);
+        let decrypted = decipher.update(encryptedText);
+        decrypted = Buffer.concat([decrypted, decipher.final()]);
+        return decrypted.toString('utf8');
+      } catch (error) {
+        throw new Error(`Decryption failed: ${error.message}`);
+      }
+    }
+  };
+};

package/lib/sessions.js

@@ -10,8 +10,11 @@ const secureHttps = config => config.protocol === 'https' || config.env === 'pro
 module.exports = (app, config) => {
   const logger = config.logger || console;
 
-  if (config.env === 'production' && config.session.secret === 'changethis') {
-    throw new Error('Session secret must be set to a unique random string for production environments');
+  const secretBuffer = Buffer.from(config.session.secret, 'utf8');
+  if (secretBuffer.byteLength !== 32) {
+    throw new Error(
+      `Session secret must be exactly 32 bytes. Current: ${secretBuffer.byteLength} bytes.`
+    );
   }
 
   app.use(cookieParser(config.session.secret, {

package/lib/settings.js

@@ -42,7 +42,7 @@ module.exports = async (app, config) => {
     viewsArray.slice().reverse().forEach(view => {
       const customViewPath = path.resolve(config.root, view);
       try {
-        fs.accessSync(customViewPath, fs.F_OK);
+        fs.accessSync(customViewPath, fs.constants.F_OK);
       } catch (err) {
         throw new Error(`Cannot find views at ${customViewPath}`);
       }

package/package.json

@@ -1,13 +1,12 @@
 {
   "name": "hof",
   "description": "A bootstrap for HOF projects",
-  "version": "22.11.0",
+  "version": "22.12.0-beta.0",
   "license": "MIT",
   "main": "index.js",
   "author": "HomeOffice",
   "engines": {
-    "node": ">=10.22.1",
-    "npm": ">=6.14.0"
+    "node": ">=14.0.0"
   },
   "bin": {
     "hof-build": "./bin/hof-build",

package/sandbox/apps/sandbox/translations/en/default.json

@@ -1,245 +0,0 @@
-{
-  "errors": {
-    "service-unavailable": {
-      "contact": "You can email for more information"
-    }
-  },
-  "exit": {
-    "header": "You have left this form",
-    "title": "You have left this form"
-  },
-  "fields": {
-    "landing-page-radio": {
-      "legend": "Which form would you like to explore?",
-      "hint": "Choose one of the options below and press continue.",
-      "options": {
-        "basic-form": {
-          "label": "Basic form"
-        },
-        "complex-form": {
-          "label": "Complex form"
-        },
-        "build-your-own-form": {
-          "label": "Build your own form"
-        }
-      }
-    },
-    "name": {
-      "label": "Full name"
-    },
-    "dateOfBirth": {
-      "legend": "What is your date of birth?",
-      "hint": "For example, 31 10 1990"
-    },
-    "building": {
-      "label": "Building and street"
-    },
-    "street": {
-      "label": "Address line 2"
-    },
-    "townOrCity": {
-      "label": "Town or city"
-    },
-    "postcode": {
-      "label": "Postcode"
-    },
-    "incomeTypes": {
-      "label": "Sources of income",
-      "legend": "Select the options where you receive income from",
-      "hint": "Select all options that apply to you.",
-      "options": {
-        "salary": {
-          "label": "Salary"
-        },
-        "universal_credit": {
-          "label": "Universal Credit"
-        },
-        "child_benefit": {
-          "label": "Child Benefit"
-        },
-        "housing_benefit": {
-          "label": "Housing Benefit"
-        },
-        "other": {
-          "label": "Other"
-        }
-      }
-    },
-    "countryOfHearing": {
-      "legend": "What country was the appeal lodged?",
-      "options": {
-        "englandAndWales": {
-          "label": "England and Wales"
-        },
-        "scotland": {
-          "label": "Scotland"
-        },
-        "northernIreland": {
-          "label": "Northern Ireland"
-        }
-      }
-    },
-    "email": {
-      "label": "Email address"
-    },
-    "phone": {
-      "label": "Phone number",
-      "hint": "International phone numbers require the international dialling code, for example +33235066182"
-    },
-    "int-phone-number": {
-      "legend": "International phone number"
-    },
-    "complaintDetails": {
-      "label": "Complaint details",
-      "hint": "Briefly summarise your complaint. Include anything that can help our investigation."
-    },
-    "whatHappened": {
-      "label": "What happened",
-      "hint": "Briefly summarise what happened."
-    },
-    "countrySelect": {
-      "label": "Which country are you based in?",
-      "hint": "Start to type the country name and options will appear"
-    },
-    "appealStages": {
-      "label": "Appeal stage",
-      "hint": "Choose an appeal stage from the drop down menu",
-      "options": {
-        "null": "Select..."
-      }
-    }
-  },
-  "journey": {
-    "header": "HOF Bootstrap Sandbox Form",
-    "serviceName": "HOF Bootstrap Sandbox Form",
-    "confirmation": {
-      "details": "Your reference number <br><strong>HDJ2123F</strong>"
-    }
-  },
-  "pages": {
-    "landing-page": {
-      "header": "Landing page"
-    },
-    "build-your-own-form": {
-      "title": "Build your own form",
-      "subheader": "Access the build your own form guidance link"
-    },
-    "address": {
-      "header": "What is your address in the UK?",
-      "intro": "If you have no fixed address, enter an address where we can contact you."
-    },
-    "name": {
-      "header": "What is your full name?"
-    },
-    "email": {
-      "header": "Enter your email address"
-    },
-    "phone-number": {
-      "header": "Enter your phone number"
-    },
-    "confirm": {
-      "header": "Check your answers before submitting your application.",
-      "sections": {
-        "applicantsDetails": {
-          "header": "Applicant's details"
-        },
-        "address": {
-          "header": "Address"
-        },
-        "income": {
-          "header": "Income"
-        },
-        "appealDetails": {
-          "header": "Appeal details"
-        },
-        "countrySelect": {
-          "header": "Country of residence"
-        },
-        "contactDetails": {
-          "header": "Contact details"
-        },
-        "complaintDetails": {
-          "header": "Complaint details"
-        },
-        "whatHappened": {
-          "header": "What happened"
-        }
-      }
-    },
-    "confirmation": {
-      "title": "Application sent",
-      "alert": "Application sent",
-      "subheader": "What happens next",
-      "content": "We’ll contact you with the decision of your application or if we need more information from you."
-    },
-    "exit": {
-      "message": "We have cleared your information to keep it secure. Your information has not been saved."
-    },
-    "session-timeout-warning": {
-      "dialog-title": "{{^showSaveAndExit}}Your application will close soon{{/showSaveAndExit}}{{#showSaveAndExit}}You will be signed out soon{{/showSaveAndExit}}",
-      "dialog-text": "{{^showSaveAndExit}}If that happens, your progress will not be saved.{{/showSaveAndExit}}{{#showSaveAndExit}}Any answers you have saved will not be affected, but your progress on this page will not be saved.{{/showSaveAndExit}}",
-      "timeout-continue-button": "{{^showSaveAndExit}}Stay on this page{{/showSaveAndExit}}{{#showSaveAndExit}}Stay signed in{{/showSaveAndExit}}",
-      "dialog-exit-link": "{{^showSaveAndExit}}Exit this form{{/showSaveAndExit}}{{#showSaveAndExit}}Sign out{{/showSaveAndExit}}"
-    },
-    "save-and-exit": {
-      "header": "You have been signed out",
-      "paragraph-1": "Your form doesn't appear to have been worked on for 30 minutes so we closed it for security.",
-      "paragraph-2": "Any answers you saved have not been affected.",
-      "paragraph-3": "You can sign back in to your application at any time by returning to the <a href='/' class='govuk-link'>start page</a>."
-    }
-  },
-  "validation": {
-    "landing-page-radio": {
-      "required": "Select an option below and press continue"
-    },
-    "name": {
-      "default": "Enter your full name"
-    },
-    "dateOfBirth": {
-      "default": "Enter your date of birth in the correct format; for example, 31 10 1990",
-      "after": "Enter a date after 1 1 1900",
-      "before": "Enter a date that is in the past"
-    },
-    "building": {
-      "default": "Enter details of your building and street"
-    },
-    "townOrCity": {
-      "default": "Enter a town or city",
-      "regex": "Enter a town or city without including digits"
-    },
-    "postcode": {
-      "default": "Enter your postcode"
-    },
-    "incomeTypes": {
-      "default": "Select all options that apply to you."
-    },
-    "countryOfHearing": {
-      "default": "Select where the appeal hearing is to be held"
-    },
-    "countrySelect": {
-      "default": "Enter a valid country of residence",
-      "required": "Enter your country of residence"
-    },
-    "email": {
-      "default": "Enter your email address in the correct format"
-    },
-    "phone": {
-      "default": "Enter your phone number"
-    },
-    "int-phone-number": {
-      "required": "Enter an international phone number",
-      "internationalPhoneNumber": "Enter a valid international phone number"
-    },
-    "complaintDetails": {
-      "default": "Enter details about why you are making a complaint",
-      "maxlength": "Keep to the {{maxlength}} character limit"
-    },
-    "whatHappened": {
-      "default": "Enter details about what happened",
-      "maxword": "Keep to the {{maxword}} word limit"
-    },
-    "appealStages": {
-      "required": "Select an appeal stage from the list"
-    }
-  }
-}