hof 22.8.4 → 22.9.0-beta

package/package/wizard/middleware/check-progress.js

@@ -0,0 +1,139 @@
+'use strict';
+
+const _ = require('lodash');
+const debug = require('debug')('hof:progress-check');
+const helpers = require('../util/helpers');
+
+module.exports = (route, controller, steps, begin) => {
+  const start = begin || '/';
+  const previousSteps = helpers.getRouteSteps(route, steps);
+  const prereqs = (controller.options.prereqs || []).concat(previousSteps);
+
+  const invalidatingFields = _.pickBy(controller.options.fields, function (field) {
+    return field && field.invalidates && field.invalidates.length;
+  });
+
+  const getAllPossibleSteps = (stepName, scopedSteps, stps) => {
+    let allSteps = stps || [stepName];
+    let step = scopedSteps[stepName];
+    const forksReducer = (arr, fork) => getAllPossibleSteps(fork, scopedSteps, allSteps);
+    // don't loop over steps that have already been added
+    while (step && step.next && allSteps.indexOf(step.next) === -1) {
+      allSteps.push(step.next);
+      // ignore forks that have already been traversed.
+      const forks = _.difference(_.map(step.forks, 'target'), allSteps);
+      allSteps = allSteps.concat(forks.reduce(forksReducer, []));
+      step = scopedSteps[step.next];
+    }
+    return _.uniq(allSteps);
+  };
+
+  // Gets all the possible routes
+  const walkAllPossibleSteps = (stepName, allStepsInService, allVisitedSteps) => {
+    const stepIncludingFieldsAndForks = allStepsInService[stepName];
+    if (!stepIncludingFieldsAndForks) { return; }
+
+    const forkTargets = _.map(stepIncludingFieldsAndForks.forks, 'target') || [];
+    const nextStep = stepIncludingFieldsAndForks.next || '';
+
+    // If there is no next step or fork, then we have reached the end of the journey
+    if (!forkTargets.length && !nextStep) {
+      allVisitedSteps.push(stepName);
+      // eslint-disable-next-line consistent-return
+      return _.uniq(allVisitedSteps);
+    }
+
+    const nextStepsAndForks = _.uniq(forkTargets.concat(nextStep));
+
+    // We need to transverse through all 'Next' and 'Forks' for this route
+    nextStepsAndForks.map(each => {
+      if (!allVisitedSteps.includes(each)) {
+        allVisitedSteps.push(each);
+        walkAllPossibleSteps(each, allStepsInService, allVisitedSteps);
+      }
+    });
+  };
+
+  // Create a list of all visited steps
+  const createAllVisitedSteps = (stepName, allStepsInService) => {
+    const allVisitedSteps = [stepName];
+    if (allStepsInService[stepName]) {
+      walkAllPossibleSteps(stepName, allStepsInService, allVisitedSteps);
+    }
+    return _.uniq(allVisitedSteps);
+  };
+
+  const invalidateStep = (stepName, scopedSteps, sessionModel) => {
+    debug('Invalidating', stepName);
+    const step = scopedSteps[stepName] || {};
+    sessionModel.unset(step.fields || []);
+    sessionModel.set('steps', _.without(sessionModel.get('steps'), stepName));
+  };
+
+  // detect if a path will arrive back at the current step if followed
+  const isLoop = (target, current) => {
+    debug('target', target);
+    debug('current', current);
+    debug('paths', getAllPossibleSteps(target, steps));
+    return getAllPossibleSteps(target, steps).indexOf(current) > -1;
+  };
+
+  const invalidatePath = (req, res) => {
+    const nextStep = controller.getForkTarget(req, res);
+
+    const forks = controller.options.forks.map(fork => fork.target);
+
+    let potentialPaths = [controller.options.next].concat(forks);
+    debug('potential paths', potentialPaths);
+    // do not invalidate forks which loop back to the current step and are *not* being followed
+    potentialPaths = potentialPaths.filter(path => path === nextStep || !isLoop(path, route));
+    debug('next', nextStep);
+    debug('potential paths', potentialPaths);
+    // if we're following a loop then allow the loop to be invalidated
+    const whitelist = isLoop(nextStep, req.path) ? [route] : createAllVisitedSteps(nextStep, steps);
+    // aggregate all potential journeys from the invalidating step
+    const invalidateSteps = potentialPaths.reduce((arr, step) => arr.concat(getAllPossibleSteps(step, steps)), []);
+
+    _.difference(_.uniq(invalidateSteps), whitelist).forEach(step => {
+      invalidateStep(step, steps, req.sessionModel);
+    });
+  };
+
+  controller.on('complete', (req, res, p) => {
+    const sessionsteps = req.sessionModel.get('steps') || [];
+    const path = p || route;
+    debug('Marking path complete ', path);
+    const index = sessionsteps.indexOf(path);
+    if (index > -1) {
+      sessionsteps.splice(index, 1);
+    }
+    sessionsteps.push(path);
+    req.sessionModel.set('steps', sessionsteps);
+
+    if (req.method === 'POST' && controller.options.forks) {
+      invalidatePath(req, res);
+    }
+  });
+
+  return (req, res, next) => {
+    _.each(invalidatingFields, (field, key) => {
+      req.sessionModel.on('change:' + key, () => {
+        debug('Unsetting fields %s', field.invalidates.join(', '));
+        req.sessionModel.unset(field.invalidates);
+      });
+    });
+
+    const visited = _.intersection(req.sessionModel.get('steps'), prereqs);
+
+    debug('Steps ', req.sessionModel.get('steps'));
+    debug('Prereqs ' + prereqs);
+    debug('Visited ' + visited);
+    if (visited.length || !prereqs.length || route === start) {
+      next();
+    } else {
+      const err = new Error('Attempt to access page without prerequisite steps being completed');
+      err.code = 'MISSING_PREREQ';
+      next(err);
+    }
+  };
+};

package/package/wizard/middleware/check-session.js

@@ -0,0 +1,17 @@
+'use strict';
+
+const secureHttps = config => config.protocol === 'https' || config.env === 'production';
+
+module.exports = (route, controller, steps, first, settings) => (req, res, next) => {
+  if (controller.options.checkSession !== false && (req.method === 'POST' || req.path !== first)) {
+    if (req.cookies['hof-wizard-sc'] && req.session.exists !== true) {
+      const err = new Error('Session expired');
+      err.code = 'SESSION_TIMEOUT';
+      return next(err);
+    }
+  }
+  req.session.exists = true;
+  // Set samesite to lax to allow setting cookies on redirects from Gov.UK
+  res.cookie('hof-wizard-sc', 1, { sameSite: 'lax', secure: secureHttps(settings), httpOnly: true });
+  return next();
+};

package/package/wizard/middleware/csrf.js

@@ -0,0 +1,47 @@
+'use strict';
+
+const csrf = require('csrf')();
+
+module.exports = (route, controller) => {
+  if (controller.options.csrf !== false) {
+    return (req, res, next) => {
+      const verify = () => {
+        const secret = req.sessionModel.get('csrf-secret');
+        const safeMethods = ['GET', 'HEAD', 'OPTIONS'];
+
+        if (!secret) {
+          csrf.secret((err, sec) => {
+            if (err) {
+              next(err);
+            }
+            req.sessionModel.set('csrf-secret', sec);
+            verify();
+          });
+        } else if (safeMethods.indexOf(req.method) > -1) {
+          // The HTTP method is safe. No need to verify a
+          // token. Instead, provide a new one for future
+          // verification.
+          res.locals['csrf-token'] = csrf.create(secret);
+          next();
+        } else {
+          // The HTTP method is assumed to be unsafe so
+          // require verification.
+
+          // Token can be provided in either the request body
+          // or the headers. Preference is given to the body.
+          const token = req.body['x-csrf-token']
+          || req.headers['x-csrf-token'];
+
+          if (!csrf.verify(secret, token)) {
+            next({ code: 'CSRF_ERROR' });
+          } else {
+            next();
+          }
+        }
+      };
+
+      verify();
+    };
+  }
+  return (req, res, next) => next();
+};

package/package/wizard/middleware/session-model.js

@@ -0,0 +1,11 @@
+'use strict';
+
+const Model = require('../model');
+
+module.exports = options => (req, res, next) => {
+  req.sessionModel = new Model({}, {
+    session: req.session,
+    key: options.name
+  });
+  next();
+};

package/package/wizard/middleware/session.js

@@ -0,0 +1,9 @@
+'use strict';
+
+module.exports = (req, res, next) => {
+  if (typeof req.session === 'undefined') {
+    throw new Error('Session is undefined');
+  } else {
+    next();
+  }
+};

package/package/wizard/model.js

@@ -0,0 +1,29 @@
+'use strict';
+
+const Model = require('../model');
+
+module.exports = class SessionModel extends Model {
+  constructor(props, options) {
+    const session = options.session;
+    const key = options.key;
+
+    if (!key || typeof key !== 'string') {
+      throw new Error('session-model - key must be defined');
+    }
+
+    session[key] = session[key] || {};
+
+    // include session values on initialized attributes
+    const attrs = Object.assign({}, session[key], props);
+
+    super(attrs, options);
+
+    // write changes back to the session
+    this.on('change', changes => {
+      Object.assign(session[key], changes);
+    });
+    this.on('reset', () => {
+      session[key] = {};
+    });
+  }
+};

package/package/wizard/util/constants.js

@@ -0,0 +1,5 @@
+'use strict';
+
+module.exports = {
+  APPLICATION_COMPLETE: '__application_complete'
+};

package/package/wizard/util/helpers.js

@@ -0,0 +1,19 @@
+'use strict';
+
+const _ = require('lodash');
+
+module.exports = {
+  getRouteSteps(route, steps) {
+    return _.reduce(steps, (list, step, path) => {
+      const isNext = step.next === route;
+      const targets = _.map((step.forks || []), 'target');
+
+      const isFork = targets.some(fork => fork === route);
+
+      if (isNext || isFork) {
+        list.push(path);
+      }
+      return list;
+    }, []);
+  }
+};

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "hof",
   "description": "A bootstrap for HOF projects",
-  "version": "22.8.4",
+  "version": "22.9.0-beta",
   "license": "MIT",
   "main": "index.js",
   "author": "HomeOffice",
@@ -82,14 +82,14 @@
     "nodemailer": "^6.6.3",
     "nodemailer-ses-transport": "^1.5.1",
     "nodemailer-stub-transport": "^1.1.0",
-    "notifications-node-client": "^8.2.0",
+    "notifications-node-client": "^8.2.1",
     "redis": "^3.1.2",
     "reqres": "^3.0.1",
     "rimraf": "^3.0.2",
     "sass": "^1.56.2",
     "serve-static": "^1.14.1",
     "uglify-js": "^3.14.3",
-    "underscore": "^1.13.6",
+    "underscore": "^1.13.7",
     "urijs": "^1.19.11",
     "uuid": "^8.3.2",
     "winston": "^3.7.2"
@@ -104,8 +104,8 @@
     "chai-subset": "^1.6.0",
     "concat-stream": "^1.4.7",
     "csv": "^5.3.2",
-    "eslint": "^7.30.0",
-    "eslint-config-hof": "^1.1.0",
+    "eslint": "^8.57.0",
+    "eslint-config-hof": "^1.3.4",
     "funkie": "0.0.5",
     "funkie-phantom": "0.0.1",
     "istanbul": "^0.4.3",
@@ -141,7 +141,6 @@
     "exit": "true"
   },
   "resolutions": {
-    "underscore": "^1.12.1",
     "cached-path-relative": "^1.1.0",
     "shell-quote": "^1.7.3"
   }

package/.editorconfig

@@ -1,10 +0,0 @@
-# EditorConfig is awesome: http://EditorConfig.org
-root = true
-
-# Unix-style newlines with a newline ending every file
-[*]
-end_of_line = lf
-insert_final_newline = true
-charset = utf-8
-indent_style = space
-indent_size = 2

package/.github/workflows/automate-publish.yml

@@ -1,38 +0,0 @@
-# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created
-# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages
-name: Automate_Publish
-on:
-  workflow_run:
-    workflows: ["Automate_Tag"]
-    types:
-      - completed
-jobs:
-  auto-publish:
-    runs-on: ubuntu-22.04
-    if: startsWith(github.ref, 'refs/heads/master')
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 20
-          registry-url: https://registry.npmjs.org/
-      - name: 'Get Previous tag'
-        id: previoustag
-        uses: "WyriHaximus/github-action-get-previous-tag@v1"
-      - uses: borales/actions-yarn@v3.0.0
-        with:
-          cmd: install --frozen-lockfile
-      - run: |
-          npm_tag="v$(npm dist-tags | cut -d' ' -f 2)"
-          git_tag="$(git describe --tags | cut -d'-' -f 1)"
-          if [ "$npm_tag" != "$git_tag" ] ; then npm publish; fi
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.npm_bot_token }}
-      - name: 'Publish Release'
-        uses: Roang-zero1/github-create-release-action@master
-        with:
-          created_tag: ${{ steps.previoustag.outputs.tag }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

package/.github/workflows/automate-tag.yml

@@ -1,78 +0,0 @@
-# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created
-# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages
-name: Automate_Tag
-on: [push]
-jobs:
-  test:
-    runs-on: ubuntu-22.04
-    strategy:
-      matrix:
-        node-version: [20.x]
-        redis-version: [4, 5, 6]
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: ${{ matrix.node-version }}
-      - name: Start Redis
-        uses: supercharge/redis-github-action@1.2.0
-        with:
-          redis-version: ${{ matrix.redis-version }}
-      - uses: borales/actions-yarn@v3.0.0
-        with:
-          cmd: install --frozen-lockfile
-      - run: npm test
-
-  auto-tag-patch:
-    needs: test
-    runs-on: ubuntu-22.04
-    if: |
-      startsWith(github.ref, 'refs/heads/master') &&
-      !contains(github.event.head_commit.message, '[MAJOR]') &&
-      !contains(github.event.head_commit.message, '[MINOR]')
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 20
-          registry-url: https://registry.npmjs.org/
-      - run: |
-          git config --local user.email "$(git log --format='%ae' HEAD^!)"
-          git config --local user.name "$(git log --format='%an' HEAD^!)"
-          npm version patch
-
-  auto-tag-minor:
-    needs: test
-    runs-on: ubuntu-22.04
-    if: |
-      startsWith(github.ref, 'refs/heads/master') &&
-      !contains(github.event.head_commit.message, '[MAJOR]') &&
-      contains(github.event.head_commit.message, '[MINOR]')
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 20
-          registry-url: https://registry.npmjs.org/
-      - run: |
-          git config --local user.email "$(git log --format='%ae' HEAD^!)"
-          git config --local user.name "$(git log --format='%an' HEAD^!)"
-          npm version minor
-
-  auto-tag-major:
-    needs: test
-    runs-on: ubuntu-22.04
-    if: |
-      startsWith(github.ref, 'refs/heads/master') &&
-      contains(github.event.head_commit.message, '[MAJOR]') &&
-      !contains(github.event.head_commit.message, '[MINOR]')
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 20
-          registry-url: https://registry.npmjs.org/
-      - run: |
-          git config --local user.email "$(git log --format='%ae' HEAD^!)"
-          git config --local user.name "$(git log --format='%an' HEAD^!)"
-          npm version major

package/.istanbul.yml

@@ -1,20 +0,0 @@
-instrumentation:
-  root: .
-  extensions:
-    - .js
-  default-excludes: true
-  include-all-sources: true
-check:
-  global:
-    statements: 80
-    lines: 80
-    branches: 80
-    functions: 80
-reporting:
-  print: summary
-  reports:
-    - html
-  dir: ./coverage
-  report-config:
-    html:
-      dir: coverage

package/codeReviewChecklist.md

@@ -1,22 +0,0 @@
-# HOF code review checklist v1.0
-
-This is a general guide on what you should check for when reviewing another team member's code.
- 
-## Fundamental checks
-- [ ] Check for code format
-- [ ] Check for duplicate code
-- [ ] Check for if there are existing components in the framework already
-- [ ] Check for copy and paste
-- [ ] Check code readability (if the class, function and variable names are making sense, avoid using acronyms, check for simplicity, avoid complexity)
-- [ ] Check if user inputs are sanitized
-- [ ] Check if errors are handled
-- [ ] Check if null / undefined values are checked before actions are performed on a variable (May not always be necessary)
-- [ ] Check for performance (are there logic in loops that doesn't have to be executed each time? Could some tasks be added to a queue and performed later? etc)
-
-## Advanced (optional if the ticket is low / medium impact) checks
-- [ ] Check if the code is following SOLID principle, code maintainability 
-- [ ] Check if none functional requirements are needed (for example, should an audit log be stored for an action performed)
-- [ ] Check the performance and efficiency of the tests
-- [ ] Check to avoid the use of operations that only work in javascript (e.g. using && to return the object on the right if the statement on the left is true)
-
-

package/pull_request_template.md

@@ -1,16 +0,0 @@
-## What? 
-## Why? 
-## How? 
-## Testing?
-## Screenshots (optional)
-## Anything Else? (optional)
-## Check list
-
-- [ ] I have reviewed my own pull request for linting issues (e.g. adding new lines)
-- [ ] I have written tests (if relevant)
-- [ ] I have created a JIRA number for my branch
-- [ ] I have created a JIRA number for my commit
-- [ ] I have followed the chris beams method for my commit https://cbea.ms/git-commit/
-here is an [example commit](https://github.com/UKHomeOfficeForms/hof/commit/810959f391187c7c4af6db262bcd143b50093a6e)
-- [ ] Ensure workflow jobs are passing especially tests
-- [ ] I will squash the commits before merging