Merge branch 'main' into seeder-add-on-conflict-for-seeders

DEFRA · Aug 2, 2024 · a4763be · a4763be
2 parents f7064c3 + 3bf5ef7
commit a4763be
Show file tree

Hide file tree

Showing 57 changed files with 420 additions and 168 deletions.
diff --git a/app/lib/static-lookups.lib.js b/app/lib/static-lookups.lib.js
@@ -38,6 +38,7 @@ const returnRequirementReasons = {
   'change-to-special-agreement': 'Change to special agreement',
   'error-correction': 'Error correction',
   'extension-of-licence-validity': 'Limited extension of licence validity (LEV)',
+  'licence-conditions-do-not-require-returns': 'Licence conditions do not require returns',
   'major-change': 'Major change',
   'minor-change': 'Minor change',
   'name-or-address-change': 'Licence holder name or address change',
@@ -47,8 +48,8 @@ const returnRequirementReasons = {
   'returns-exception': 'Returns exception',
   'succession-or-transfer-of-licence': 'Succession or transfer of licence',
   'succession-to-remainder-licence-or-licence-apportionment': 'Succession to remainder licence or licence apportionment',
-  'transfer-and-now-chargeable': 'Licence transferred and now chargeable',
-  'licence-conditions-do-not-require-returns': 'Licence conditions do not require returns'
+  'temporary-trade': 'Temporary trade',
+  'transfer-and-now-chargeable': 'Licence transferred and now chargeable'
 }
 
 const sources = [

diff --git a/app/plugins/crumb.plugin.js b/app/plugins/crumb.plugin.js
@@ -0,0 +1,50 @@
+'use strict'
+
+/**
+ * Plugin to add CSRF token to all our forms
+ * @module CrumbPlugin
+ */
+
+const Crumb = require('@hapi/crumb')
+
+/**
+ * {@link https://hapi.dev/module/crumb/api/?v=9.0.1 | Crumb} is a Hapi plugin. Crumb is used to diminish CSRF attacks
+ * using a random unique token that is validated on the server side.
+ *
+ * Every view in the service that has a form that uses `method="POST"`, needs to have a hidden input field.
+ *
+ * ```html
+ * <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+ * ```
+ *
+ * When the page is requested the Crumb plugin will generate a token in the `onPreResponse` event that it will save to a
+ * cookie called 'wrlsCrumb'. It also makes it available in the view context hence our views can reference
+ * `{{wrlsCrumb}}`.
+ *
+ * When the user submits the form the Crumb plugin jumps in again, this time on the `onPostAuth` event. It compares both
+ * values and if they match it 'authorises' the request.
+ *
+ * If the the payload is missing `{{wrlsCrumb}}`, or the value doesn't match that saved in the cookie (which is secure
+ * so unreadable to the client) than it rejects the request. In our service the user will see a 404 as that is the
+ * default for an 'unauthorised' request.
+ *
+ * We have Crumb enabled by default for all endpoints to avoid us forgetting to protect a html form. However, this means
+ * it performs the check for _all_ POST requests. Our service exposes API-only POST endpoints which do not expect a
+ * payload. For this, the route config must include the following to disable Crumb.
+ *
+ * ```javascript
+ *   options: {
+ *     plugins: {
+ *       crumb: false
+ *     }
+ *   }
+ * ```
+ */
+const CrumbPlugin = {
+  plugin: Crumb,
+  options: {
+    key: 'wrlsCrumb'
+  }
+}
+
+module.exports = CrumbPlugin
diff --git a/app/routes/bill-runs.routes.js b/app/routes/bill-runs.routes.js
@@ -12,6 +12,9 @@ const routes = [
         access: {
           scope: ['billing']
         }
+      },
+      plugins: {
+        crumb: false
       }
     }
   },

diff --git a/app/routes/billing-accounts.routes.js b/app/routes/billing-accounts.routes.js
@@ -15,6 +15,9 @@ const routes = [
         access: {
           scope: ['manage_billing_accounts']
         }
+      },
+      plugins: {
+        crumb: false
       }
     }
   }

diff --git a/app/routes/data.routes.js b/app/routes/data.routes.js
@@ -36,7 +36,10 @@ const routes = [
         excludeFromProd: true,
         plainOutput: true
       },
-      auth: false
+      auth: false,
+      plugins: {
+        crumb: false
+      }
     }
   },
   {
@@ -48,7 +51,10 @@ const routes = [
         excludeFromProd: true,
         plainOutput: true
       },
-      auth: false
+      auth: false,
+      plugins: {
+        crumb: false
+      }
     }
   },
   {
@@ -60,7 +66,10 @@ const routes = [
         excludeFromProd: true,
         plainOutput: true
       },
-      auth: false
+      auth: false,
+      plugins: {
+        crumb: false
+      }
     }
   }
 ]

diff --git a/app/routes/import.routes.js b/app/routes/import.routes.js
@@ -11,7 +11,10 @@ const routes = [
       app: {
         plainOutput: true
       },
-      auth: false
+      auth: false,
+      plugins: {
+        crumb: false
+      }
     }
   }
 ]

diff --git a/app/routes/jobs.routes.js b/app/routes/jobs.routes.js
@@ -11,7 +11,10 @@ const routes = [
       app: {
         plainOutput: true
       },
-      auth: false
+      auth: false,
+      plugins: {
+        crumb: false
+      }
     }
   },
   {
@@ -22,7 +25,10 @@ const routes = [
       app: {
         plainOutput: true
       },
-      auth: false
+      auth: false,
+      plugins: {
+        crumb: false
+      }
     }
   },
   {
@@ -33,7 +39,10 @@ const routes = [
       app: {
         plainOutput: true
       },
-      auth: false
+      auth: false,
+      plugins: {
+        crumb: false
+      }
     }
   },
   {
@@ -44,7 +53,10 @@ const routes = [
       app: {
         plainOutput: true
       },
-      auth: false
+      auth: false,
+      plugins: {
+        crumb: false
+      }
     }
   }
 ]

diff --git a/app/server.js b/app/server.js
@@ -5,6 +5,7 @@ const Hapi = require('@hapi/hapi')
 const AirbrakePlugin = require('./plugins/airbrake.plugin.js')
 const AuthPlugin = require('./plugins/auth.plugin.js')
 const ChargingModuleTokenCachePlugin = require('./plugins/charging-module-token-cache.plugin.js')
+const CrumbPlugin = require('./plugins/crumb.plugin.js')
 const ErrorPagesPlugin = require('./plugins/error-pages.plugin.js')
 const GlobalHapiServerMethodsPlugin = require('./plugins/global-hapi-server-methods.plugin.js')
 const GlobalNotifierPlugin = require('./plugins/global-notifier.plugin.js')
@@ -31,6 +32,7 @@ const registerPlugins = async (server) => {
   await server.register(AirbrakePlugin)
   await server.register(GlobalNotifierPlugin)
   await server.register(ChargingModuleTokenCachePlugin)
+  await server.register(CrumbPlugin)
   await server.register(ErrorPagesPlugin)
   await server.register(RequestNotifierPlugin)
   await server.register(PayloadCleanerPlugin)

diff --git a/app/validators/return-requirements/no-returns-required.validator.js b/app/validators/return-requirements/no-returns-required.validator.js
@@ -9,8 +9,9 @@ const Joi = require('joi')
 
 const VALID_VALUES = [
   'abstraction-below-100-cubic-metres-per-day',
+  'licence-conditions-do-not-require-returns',
   'returns-exception',
-  'licence-conditions-do-not-require-returns'
+  'temporary-trade'
 ]
 
 /**

diff --git a/app/views/bill-licences/remove.njk b/app/views/bill-licences/remove.njk
@@ -99,6 +99,7 @@
       }}
 
       <form method="post">
+        <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
         {{ govukButton({ text: "Remove this licence", preventDoubleClick: true }) }}
       </form>
     </div>

diff --git a/app/views/bill-runs/amend-adjustment-factor.njk b/app/views/bill-runs/amend-adjustment-factor.njk
@@ -72,6 +72,8 @@
       {% endif %}
 
       <form method="post">
+        <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
         {{ govukInput({
           label: {
             text: "Aggregate factor",

diff --git a/app/views/bill-runs/amend-authorised-volume.njk b/app/views/bill-runs/amend-authorised-volume.njk
@@ -50,6 +50,8 @@
       }}
 
       <form method="post">
+        <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
         {{ govukInput({
           label: {
             text: "Authorised volume",

diff --git a/app/views/bill-runs/amend-billable-returns.njk b/app/views/bill-runs/amend-billable-returns.njk
@@ -69,6 +69,8 @@
 
   <div class="govuk-body">
     <form method="post">
+      <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
       {{ govukRadios({
           name: 'quantity-options',
           errorMessage: error.radioFormElement,

diff --git a/app/views/bill-runs/cancel.njk b/app/views/bill-runs/cancel.njk
@@ -70,6 +70,8 @@
       }}
 
       <form method="post">
+        <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
         {{ govukButton({ text: "Cancel bill run" }) }}
       </form>
     </div>

diff --git a/app/views/bill-runs/remove-licence.njk b/app/views/bill-runs/remove-licence.njk
@@ -75,6 +75,8 @@
       }}
 
       <form method="post">
+        <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
         {{ govukButton({ text: "Remove this licence", preventDoubleClick: true }) }}
       </form>
     </div>

diff --git a/app/views/bill-runs/review-licence.njk b/app/views/bill-runs/review-licence.njk
@@ -122,6 +122,8 @@
   {% endif %}
 
   <form method="post">
+    <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
     <div class="govuk-button-group">
     {{ govukButton({
       text: statusButtonText,

diff --git a/app/views/bill-runs/review.njk b/app/views/bill-runs/review.njk
@@ -131,6 +131,8 @@
     <h2 class="govuk-heading-m govuk-!-margin-bottom-3">Filter by</h2>
 
     <form  method="post" action="review">
+      <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
       {# Filter by licence holder or licence number #}
       {{ govukInput({
         label: {

diff --git a/app/views/bill-runs/send.njk b/app/views/bill-runs/send.njk
@@ -70,6 +70,8 @@
       }}
 
       <form method="post">
+        <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
         {{ govukButton({ text: "Send bill run" }) }}
       </form>
     </div>

diff --git a/app/views/bill-runs/setup/region.njk b/app/views/bill-runs/setup/region.njk
@@ -29,6 +29,8 @@
 
   <div class="govuk-body">
     <form method="post">
+      <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
       {% set regionItems = [] %}
       {% for region in regions %}
         {% set regionItem = { text: region.displayName, value: region.id, checked: region.id == selectedRegion } %}

diff --git a/app/views/bill-runs/setup/season.njk b/app/views/bill-runs/setup/season.njk
@@ -29,6 +29,8 @@
 
   <div class="govuk-body">
     <form method="post">
+      <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
       {{ govukRadios({
         attributes: {
           'data-test': 'bill-run-season'

diff --git a/app/views/bill-runs/setup/type.njk b/app/views/bill-runs/setup/type.njk
@@ -29,6 +29,8 @@
 
   <div class="govuk-body">
     <form method="post">
+      <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
       {{ govukRadios({
         attributes: {
           'data-test': 'bill-run-type'

diff --git a/app/views/bill-runs/setup/year.njk b/app/views/bill-runs/setup/year.njk
@@ -29,6 +29,8 @@
 
   <div class="govuk-body">
     <form method="post">
+      <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
       {{ govukRadios({
         attributes: {
           'data-test': 'bill-run-year'

diff --git a/app/views/bills/remove.njk b/app/views/bills/remove.njk
@@ -103,6 +103,8 @@
       }}
 
       <form method="post">
+        <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
         {{ govukButton({ text: "Remove this bill", preventDoubleClick: true }) }}
       </form>
     </div>

diff --git a/app/views/data/deduplicate.njk b/app/views/data/deduplicate.njk
@@ -18,6 +18,8 @@
 
   <div class="govuk-body">
     <form method="post">
+      <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
       {{ govukInput({
         classes: 'govuk-!-width-one-third',
         errorMessage: error,

diff --git a/app/views/licences/view.njk b/app/views/licences/view.njk
@@ -46,35 +46,35 @@
       Contents
     </h2>
     <ul class="govuk-tabs__list">
-      <li class="govuk-tabs__list-item {% if activeTab === 'summary' %} govuk-tabs__list-item--selected {% endif %}">
+      <li class="govuk-tabs__list-item {% if activeTab === 'summary' %} govuk-tabs__list-item--selected {% endif %}" data-test="#tab_summary">
         <a class="govuk-tabs__tab" href="summary">
           Summary
         </a>
       </li>
-      <li class="govuk-tabs__list-item {% if activeTab === 'contact-details' %} govuk-tabs__list-item--selected {% endif %}">
+      <li class="govuk-tabs__list-item {% if activeTab === 'contact-details' %} govuk-tabs__list-item--selected {% endif %}" data-test="#tab_contact">
         <a class="govuk-tabs__tab" href="contact-details">
           Contact details
         </a>
       </li>
-      <li class="govuk-tabs__list-item {% if activeTab === 'returns' %} govuk-tabs__list-item--selected {% endif %}">
+      <li class="govuk-tabs__list-item {% if activeTab === 'returns' %} govuk-tabs__list-item--selected {% endif %}" data-test="#tab_returns">
         <a class="govuk-tabs__tab" href="returns">
           Returns
         </a>
       </li>
-      <li class="govuk-tabs__list-item {% if activeTab === 'communications' %} govuk-tabs__list-item--selected {% endif %}">
+      <li class="govuk-tabs__list-item {% if activeTab === 'communications' %} govuk-tabs__list-item--selected {% endif %}" data-test="#tab_communications">
         <a class="govuk-tabs__tab" href="communications">
           Communications
         </a>
       </li>
       {% if roles and 'billing' in roles %}
-        <li class="govuk-tabs__list-item {% if activeTab === 'bills' %} govuk-tabs__list-item--selected {% endif %}">
+        <li class="govuk-tabs__list-item {% if activeTab === 'bills' %} govuk-tabs__list-item--selected {% endif %}" data-test="#tab_bills">
           <a class="govuk-tabs__tab" href="bills">
             Bills
           </a>
         </li>
       {% endif %}
       {% if roles and 'view_charge_versions' in roles %}
-        <li class="govuk-tabs__list-item {% if activeTab === 'set-up' %} govuk-tabs__list-item--selected {% endif %}">
+        <li class="govuk-tabs__list-item {% if activeTab === 'set-up' %} govuk-tabs__list-item--selected {% endif %}" data-test="#tab_licence_set_up">
           <a class="govuk-tabs__tab" href="set-up">
             Licence set up
           </a>

diff --git a/app/views/return-requirements/abstraction-period.njk b/app/views/return-requirements/abstraction-period.njk
@@ -57,6 +57,8 @@
   </div>
 
   <form method="post">
+    <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
+
     {# From #}
     {{ govukDateInput({
       id: "abstraction-period-start",
-Original file line number
+Diff line change
@@ Expand Up / @@ -99,6 +99,7 @@ @@
           }}
           <form method="post">
+            <input type="hidden" name="wrlsCrumb" value="{{wrlsCrumb}}"/>
             {{ govukButton({ text: "Remove this licence", preventDoubleClick: true }) }}
           </form>
         </div>
@@ Expand Down @@