hof 22.8.4 → 22.9.0-beta.v1

package/package/lib/logger.js

@@ -0,0 +1,65 @@
+'use strict';
+
+const winston = require('winston');
+const { createLogger, format, transports } = winston;
+const { combine, timestamp, colorize, simple, json } = format;
+const util = require('util');
+
+module.exports = config => {
+  const loggingTransports = [];
+  const exceptionTransports = [];
+  const notProd = config.env !== 'production';
+  const isLocal = notProd && config.env !== 'development';
+
+  loggingTransports.push(
+    new transports.Console({
+      format: isLocal ? combine(
+        colorize(),
+        simple()
+      ) : json(),
+      silent: config.loglevel === 'silent' || config.env === 'test',
+      level: config.loglevel || 'info'
+    })
+  );
+
+  exceptionTransports.push(
+    new transports.Console({
+      format: isLocal ? combine(
+        colorize(),
+        simple()
+      ) : json()
+    })
+  );
+
+  const loggerConfig = {
+    format: combine(
+      timestamp()
+    ),
+    exitOnError: false,
+    transports: loggingTransports,
+    exceptionHandlers: exceptionTransports
+  };
+
+  if (notProd) {
+    delete loggerConfig.exceptionHandlers;
+  }
+
+  const logger = createLogger(loggerConfig);
+
+  logger.stream = {
+    write: message => {
+      if (config.loglevel === 'debug') {
+        logger.debug(message);
+      } else {
+        logger.info(message);
+      }
+    }
+  };
+
+  logger.logSession = id => (level, ...args) => {
+    const msg = util.format(...args);
+    return logger.log(level, `sessionId=${id} ${msg}`);
+  };
+
+  return logger;
+};

package/package/lib/markdown.js

@@ -0,0 +1,46 @@
+'use strict';
+
+const MarkdownIt = require('markdown-it');
+const converter = new MarkdownIt({html: true});
+
+const path = require('path');
+const fs = require('fs');
+const _ = require('lodash');
+
+const cache = {};
+
+module.exports = conf => {
+  const config = conf || {};
+  config.dir = config.dir || 'content';
+  config.method = config.method || 'markdown';
+  config.fallbackLang = config.fallbackLang || ['en', ''];
+  config.ext = config.ext || 'md';
+  return (req, res, next) => {
+    const View = req.app.get('view');
+    res.locals[config.method] = () => file => {
+      if (!file) {
+        throw new Error('markdown: filename must be specified');
+      }
+      const views = req.app.get('views');
+      const languages = _.uniq([].concat(req.lang).concat(config.fallbackLang)).filter(a => typeof a === 'string');
+      const paths = views.map(dir => languages.map(lang => path.resolve(dir, config.dir, lang.toLowerCase())));
+
+      // use express' `View` class to shortcut looking up files
+      const view = new View(file, {
+        defaultEngine: config.ext,
+        root: _.flatten(paths),
+        engines: { [`.${config.ext}`]: {} }
+      });
+
+      if (!view.path) {
+        throw new Error(`Could not find content: ${file}`);
+      }
+
+      const md = cache[view.path] || fs.readFileSync(view.path).toString('utf8');
+      cache[view.path] = md;
+
+      return converter.render(md);
+    };
+    next();
+  };
+};

package/package/lib/router.js

@@ -0,0 +1,111 @@
+'use strict';
+
+const _ = require('lodash');
+const express = require('express');
+const wizard = require('../wizard');
+const translate = require('i18n-future').middleware;
+const deepTranslate = require('../middleware').deepTranslate;
+const expressPartialTemplates = require('express-partial-templates');
+const helpers = require('./helpers');
+const deprecate = require('deprecate');
+
+function applyBehaviours(steps, behaviours) {
+  _.each(steps, step => {
+    step.behaviours = [].concat(behaviours).concat(step.behaviours).filter(a => a);
+  });
+}
+
+function getWizardConfig(config) {
+  const wizardConfig = {
+    name: config.route.name || (config.route.baseUrl || '').replace('/', ''),
+    protocol: config.protocol,
+    env: config.env,
+    sanitiseInputs: config.sanitiseInputs
+  };
+
+  if (config.appConfig) {
+    wizardConfig.appConfig = config.appConfig;
+  }
+
+  // whitelist properties from the route's config that should be passed into the form wizard
+  const props = [
+    'confirmStep',
+    'exitStep',
+    'saveAndExitStep',
+    'params'
+  ];
+  Object.assign(wizardConfig, _.pick(config.route, props));
+
+  return wizardConfig;
+}
+
+const returnBaseUrl = (url = '') => {
+  const splitUrl = url.split('/');
+
+  return splitUrl.length > 2 ? `/${splitUrl[1]}` : '/';
+};
+
+module.exports = config => {
+  const app = express();
+  const paths = helpers.getPaths(config);
+  const fields = helpers.getFields(paths.fields);
+  const routeViews = helpers.getViews(paths.views, config.route.views);
+  const sharedViews = config.sharedViews;
+
+  const views = routeViews ? [routeViews].concat(sharedViews) : sharedViews;
+
+  app.set('x-powered-by', false);
+  app.set('view engine', config.viewEngine);
+  app.set('views', views);
+
+  app.use(expressPartialTemplates(app));
+
+  app.use(translate({
+    resources: config.theme.translations,
+    path: paths.translations + '/__lng__/__ns__.json'
+  }));
+  app.use(deepTranslate());
+
+  const wizardConfig = getWizardConfig(config);
+
+  if (config.baseController) {
+    deprecate(
+      '`baseController` option is deprecated and may be removed in future versions.',
+      'Use `behaviours` option to define global behaviours.'
+    );
+    wizardConfig.controller = config.baseController;
+  }
+
+  if (config.route.behaviours) {
+    applyBehaviours(config.route.steps, config.route.behaviours);
+  }
+
+  if (config.behaviours) {
+    applyBehaviours(config.route.steps, config.behaviours);
+  }
+
+  Object.keys(config.route.pages || {}).forEach(path => {
+    app.get(path, (req, res) => {
+      let objPath = config.route.pages[path];
+
+      if (typeof objPath === 'string') {
+        objPath = {
+          template: objPath,
+          title: objPath
+        };
+      }
+      res.locals = Object.assign(res.locals, {
+        baseUrl: returnBaseUrl(req.originalUrl),
+        refererUrl: req.headers.referer,
+        title: objPath.title
+      });
+      return res.render(objPath.template);
+    });
+  });
+
+  if (config.route.steps) {
+    app.use(wizard(config.route.steps, fields, wizardConfig));
+  }
+
+  return app;
+};

package/package/lib/serve-static.js

@@ -0,0 +1,12 @@
+'use strict';
+
+const express = require('express');
+const path = require('path');
+
+module.exports = (app, config) => {
+  if (config.serveStatic !== false) {
+    app.use('/public', express.static(path.resolve(config.root, 'public')));
+  }
+
+  return app;
+};

package/package/lib/sessions.js

@@ -0,0 +1,82 @@
+'use strict';
+
+const redis = require('redis');
+const session = require('express-session');
+const connectRedis = require('connect-redis');
+const cookieParser = require('cookie-parser');
+
+const secureHttps = config => config.protocol === 'https' || config.env === 'production';
+
+module.exports = (app, config) => {
+  const logger = config.logger || console;
+
+  if (config.env === 'production' && config.session.secret === 'changethis') {
+    throw new Error('Session secret must be set to a unique random string for production environments');
+  }
+
+  app.use(cookieParser(config.session.secret, {
+    path: '/',
+    httpOnly: true,
+    secure: secureHttps(config)
+  }));
+
+  if (config.sessionStore) {
+    return app.use(session({
+      store: config.sessionStore,
+      genid: () => 'fakeId',
+      saveUninitialized: true,
+      resave: false
+    }));
+  }
+
+  const encryption = require('./encryption')(config.session.secret);
+  const RedisStore = connectRedis(session);
+  const client = redis.createClient(config.redis);
+
+  if (config.env !== 'test') {
+    client.on('connecting', () => {
+      logger.info('Connecting to redis');
+    });
+
+    client.on('connect', () => {
+      logger.info('Connected to redis');
+    });
+
+    client.on('reconnecting', () => {
+      logger.info('Reconnecting to redis');
+    });
+
+    client.on('error', e => {
+      logger.error(e);
+    });
+  }
+
+  const store = new RedisStore({
+    client: client,
+    ttl: config.session.ttl,
+    secret: config.session.secret,
+    serializer: {
+      parse: data => JSON.parse(encryption.decrypt(data)),
+      stringify: data => encryption.encrypt(JSON.stringify(data))
+    }
+  });
+
+  app.set('trust proxy', true);
+
+  const sessionOpts = Object.assign({
+    store,
+    name: config.session.name,
+    cookie: {
+      secure: secureHttps(config),
+      sameSite: config.cookie?.sameSite === 'lax' ? config.cookie?.sameSite : 'strict',
+      httpOnly: true
+    },
+    secret: config.session.secret,
+    saveUninitialized: true,
+    resave: true
+  }, config.session);
+
+  app.use(session(sessionOpts));
+
+  return client;
+};

package/package/lib/settings.js

@@ -0,0 +1,74 @@
+'use strict';
+
+const _ = require('lodash');
+const fs = require('fs');
+const path = require('path');
+const hoganExpressStrict = require('hogan-express-strict');
+const expressPartialTemplates = require('express-partial-templates');
+const bodyParser = require('body-parser');
+
+const dirExists = dir => {
+  try {
+    if (fs.existsSync(dir)) {
+      return true;
+    }
+    return false;
+  } catch(err) {
+    throw new Error(`${err}: Cannot check if the directory path exists`);
+  }
+};
+
+const filterEmptyViews = views => {
+  return views.filter(view => dirExists(view));
+};
+
+module.exports = async (app, config) => {
+  const viewEngine = config.viewEngine || 'html';
+
+  app.use((req, res, next) => {
+    res.locals.assetPath = '/public';
+    next();
+  });
+
+  app.use(config.theme());
+
+  const filteredViews = filterEmptyViews(config.theme.views);
+  const viewPaths = [].concat(filteredViews);
+  app.set('view engine', viewEngine);
+  app.enable('view cache');
+
+  if (config.views) {
+    const viewsArray = _.castArray(config.views);
+    viewsArray.slice().reverse().forEach(view => {
+      const customViewPath = path.resolve(config.root, view);
+      try {
+        fs.accessSync(customViewPath, fs.F_OK);
+      } catch (err) {
+        throw new Error(`Cannot find views at ${customViewPath}`);
+      }
+      viewPaths.unshift(customViewPath);
+    });
+  }
+
+  app.set('views', viewPaths);
+  app.use(expressPartialTemplates(app));
+
+  app.engine(viewEngine, hoganExpressStrict);
+
+  app.use(bodyParser.urlencoded({
+    extended: true
+  }));
+
+  app.use(bodyParser.json());
+
+  app.use((req, res, next) => {
+    res.locals.baseUrl = req.baseUrl;
+    res.locals.showCookiesBanner = config.showCookiesBanner;
+    next();
+  });
+
+  // Trust proxy for secure cookies
+  app.set('trust proxy', 1);
+
+  return app;
+};

package/package/lib/which.js

@@ -0,0 +1,28 @@
+'use strict';
+
+const path = require('path');
+const stack = require('callsite');
+const findup = require('findup');
+
+function which(name, scpt) {
+  if (!name) { throw new Error('package name must be provided'); }
+  const script = scpt || name;
+
+  const pkgPath = `node_modules/${name}/package.json`;
+  const callsite = stack()[1].getFileName();
+  const dir = findup.sync(callsite, pkgPath);
+
+  const pkgLocation = path.join(dir, pkgPath);
+  const pkg = require(pkgLocation);
+  let bin = pkg.bin[script];
+
+  if (!bin && typeof pkg.bin === 'string') {
+    bin = pkg.bin;
+  }
+
+  if (!bin) { throw new Error(`binary path for ${script} not found`); }
+
+  return path.resolve(path.dirname(pkgLocation), bin);
+}
+
+module.exports = which;

package/package/middleware/cookies.js

@@ -0,0 +1,43 @@
+'use strict';
+
+const URI = require('urijs');
+
+const isHealthcheckUrl = (path, healthcheckUrls) => healthcheckUrls.some(url => path.includes(url));
+const secureHttps = config => config.protocol === 'https' || config.env === 'production';
+
+module.exports = options => {
+  const checkName = 'hof-cookie-check';
+  const cookieName = (options || {})['cookie-name'] || checkName;
+  const paramName = (options || {})['param-name'] || checkName;
+  let healthcheckUrls;
+
+  if (options && options.healthcheckUrls) {
+    healthcheckUrls = options.healthcheckUrls;
+  } else {
+    healthcheckUrls = ['/healthz', '/livez', '/readyz'];
+  }
+
+  return (req, res, next) => {
+    const reqIncludesCookies = req.cookies && Object.keys(req.cookies).length;
+    const reqIsCookieCheckRedirect = req.query[paramName] !== undefined;
+
+    if (reqIncludesCookies || isHealthcheckUrl(req.path, healthcheckUrls)) {
+      const prefs = 'cookie_preferences' in req.cookies ? JSON.parse(req.cookies.cookie_preferences) : {};
+      res.locals.cookiesAccepted = Boolean(prefs.usage);
+      next();
+    } else if (req.cookies === undefined || (!Object.keys(req.cookies).length && reqIsCookieCheckRedirect)) {
+      const err = new Error('Cookies required');
+      err.code = 'NO_COOKIES';
+      next(err, req, res, next);
+    } else {
+      // Set samesite to lax to allow setting cookies on redirects from Gov.UK
+      res.cookie(cookieName, 1, { sameSite: 'lax', secure: secureHttps(options), httpOnly: true });
+
+      const uriClean = req.originalUrl && req.originalUrl.match(/^\/[^\/\\]/);
+      const uriToRedirect = uriClean ? req.originalUrl : '/';
+      const redirectURL = new URI(uriToRedirect).addQuery(encodeURIComponent(paramName));
+
+      res.redirect(redirectURL.toString());
+    }
+  };
+};

package/package/middleware/deep-translate.js

@@ -0,0 +1,32 @@
+'use strict';
+
+const _ = require('lodash');
+
+const Translator = (translate, req) => function deepTranslate(key) {
+  let translated = translate(key);
+  if (_.isPlainObject(translated)) {
+    translated = _.reduceRight(translated, (prev, item, tKey) => {
+      let translationPath = key + '.' + tKey;
+      if (_.isPlainObject(item) && req.sessionModel) {
+        let value = req.sessionModel.get(tKey);
+        if (value) {
+          value = value.toString();
+        }
+        translationPath += '.' + value;
+      }
+      const result = deepTranslate(translationPath);
+      return result !== translationPath ? result : prev;
+    }, '');
+  }
+  return translated;
+};
+
+module.exports = opts => {
+  const options = opts || {};
+  return (req, res, next) => {
+    const translate = options.translate || req.translate || (a => a);
+    req.translate = Translator(translate, req);
+    req.rawTranslate = translate;
+    next();
+  };
+};

package/package/middleware/errors.js

@@ -0,0 +1,119 @@
+/* eslint-disable no-unused-vars */
+'use strict';
+
+const rateLimitsConfig = require('../config/rate-limits');
+
+const errorTitle = code => `${code}_ERROR`;
+const errorMsg = code => `There is a ${code}_ERROR`;
+
+// eslint-disable-next-line complexity
+const getContent = (err, translate) => {
+  const content = {};
+
+  // Helper to safely call translate if it's a function
+  const t = key => (typeof translate === 'function' ? translate(key) : undefined);
+
+  if (err.code === 'SESSION_TIMEOUT') {
+    err.status = 401;
+    err.template = 'session-timeout';
+    err.serviceName = t('journey.serviceName') || t('journey.header');
+    err.title = t('errors.session.title');
+    err.message = t('errors.session.message');
+    content.serviceName = t('journey.serviceName') || t('journey.header');
+    content.title = t('errors.session.title');
+    content.message = t('errors.session.message');
+  }
+
+  if (err.code === 'NO_COOKIES') {
+    err.status = 403;
+    err.template = 'cookie-error';
+    content.serviceName = t('journey.serviceName') || t('journey.header');
+    content.title = t('errors.cookies-required.title');
+    content.message = t('errors.cookies-required.message');
+  }
+
+  if (err.code === 'DDOS_RATE_LIMIT') {
+    err.status = 429;
+    err.template = 'rate-limit-error';
+    err.serviceName = t('journey.serviceName') || t('journey.header');
+    err.title = t('errors.ddos-rate-limit.title');
+    err.message = t('errors.ddos-rate-limit.message');
+    err.preTimeToWait = t('errors.ddos-rate-limit.pre-time-to-wait');
+    err.timeToWait = rateLimitsConfig.rateLimits.requests.windowSizeInMinutes;
+    err.postTimeToWait = t('errors.ddos-rate-limit.post-time-to-wait');
+    content.title = t('errors.ddos-rate-limit.title');
+    content.serviceName = t('journey.serviceName') || t('journey.header');
+    content.message = t('errors.ddos-rate-limit.message');
+    content.preTimeToWait = t('errors.ddos-rate-limit.pre-time-to-wait');
+    content.timeToWait = rateLimitsConfig.rateLimits.requests.windowSizeInMinutes;
+    content.postTimeToWait = t('errors.ddos-rate-limit.post-time-to-wait');
+  }
+
+  if (err.code === 'SUBMISSION_RATE_LIMIT') {
+    err.status = 429;
+    err.template = 'rate-limit-error';
+    err.serviceName = t('journey.serviceName') || t('journey.header');
+    err.title = t('errors.submission-rate-limit.title');
+    err.message = t('errors.submission-rate-limit.message');
+    err.preTimeToWait = t('errors.submission-rate-limit.pre-time-to-wait');
+    err.timeToWait = rateLimitsConfig.rateLimits.submissions.windowSizeInMinutes;
+    err.postTimeToWait = t('errors.submission-rate-limit.post-time-to-wait');
+    content.serviceName = t('journey.serviceName') || t('journey.header');
+    content.title = t('errors.submission-rate-limit.title');
+    content.message = t('errors.submission-rate-limit.message');
+    content.preTimeToWait = t('errors.submission-rate-limit.pre-time-to-wait');
+    content.timeToWait = rateLimitsConfig.rateLimits.submissions.windowSizeInMinutes;
+    content.postTimeToWait = t('errors.submission-rate-limit.post-time-to-wait');
+  }
+
+  err.code = err.code || 'UNKNOWN';
+  err.status = err.status || 500;
+
+  if (!content.title) {
+    content.title = t('errors.default.title') || errorTitle(err.code);
+  }
+  if (!content.message) {
+    content.message = t('errors.default.message') || errorMsg(err.code);
+  }
+  return content;
+};
+
+const returnBaseUrl = url => {
+  const splitUrl = url.split('/');
+  if (splitUrl.length > 2) {
+    return `/${splitUrl[1]}`;
+  }
+  return '/';
+};
+
+module.exports = options => {
+  const opts = options || {};
+  const logger = opts.logger;
+  const debug = opts.debug;
+
+  return (err, req, res, next) => {
+    const translate = opts.translate || req.translate;
+    const content = getContent(err, translate);
+    const locals = {
+      error: err,
+      serviceName: content.serviceName,
+      content: debug === true ? err : content,
+      showStack: debug === true,
+      startLink: returnBaseUrl(req.path),
+      baseUrl: returnBaseUrl(req.path)
+    };
+
+    if (logger && logger.error) {
+      logger.error(err.message || err.error, err);
+    }
+
+    res.status(err.status);
+    res.render(err.template || 'error', locals, (e, html) => {
+      if (e) {
+        res.render('error', locals);
+      } else {
+        res.send(html);
+      }
+    });
+  };
+};

package/package/middleware/index.js

@@ -0,0 +1,10 @@
+'use strict';
+
+module.exports = {
+  cookies: require('./cookies'),
+  errors: require('./errors'),
+  notFound: require('./not-found'),
+  deepTranslate: require('./deep-translate'),
+  rateLimiter: require('./rate-limiter'),
+  serviceUnavailable: require('./service-unavailable')
+};

package/package/middleware/not-found.js

@@ -0,0 +1,38 @@
+'use strict';
+
+const getTranslations = translate => {
+  const translations = {
+    title: 'Not found',
+    description: 'There is nothing here'
+  };
+
+  if (translate) {
+    translations.title = translate('errors.404.title');
+    translations.description = translate('errors.404.description');
+  }
+
+  return translations;
+};
+
+module.exports = options => {
+  const opts = options || {};
+  const logger = opts.logger;
+
+  return (req, res) => {
+    const translate = opts.translate || req.translate;
+    const translations = getTranslations(translate);
+
+    if (logger && logger.warn) {
+      logger.warn(`Cannot find: ${req.url}`);
+    }
+
+    res.status(404).render('404', {
+      title: translations.title,
+      description: translations.description,
+      // Finds the first word in the path of the
+      // url and removes the leading slash.
+      // Where url is `/foo/bar`, this returns `foo`.
+      startLink: req.url.replace(/^\/([^\/]*).*$/, '$1')
+    });
+  };
+};