Merge pull request #2070 from govuk-one-login/AUT-3725/return-error-f…

…or-no-session-response-on-password-entry AUT-3725: Redirect to error page if enter password response returns m…
govuk-one-login · Sep 18, 2024 · 2a08920 · 2a08920
2 parents 6a53505 + 23d94f5
commit 2a08920
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 1 deletion.
diff --git a/src/components/enter-password/enter-password-controller.ts b/src/components/enter-password/enter-password-controller.ts
@@ -15,7 +15,7 @@ import {
 } from "../common/constants";
 import { BadRequestError, ReauthJourneyError } from "../../utils/error";
 import { USER_JOURNEY_EVENTS } from "../common/state-machine/state-machine";
-import { JOURNEY_TYPE, MFA_METHOD_TYPE } from "../../app.constants";
+import { JOURNEY_TYPE, MFA_METHOD_TYPE, PATH_NAMES } from "../../app.constants";
 import xss from "xss";
 import { EnterEmailServiceInterface } from "../enter-email/types";
 import { enterEmailService } from "../enter-email/enter-email-service";
@@ -132,6 +132,13 @@ export function enterPasswordPost(
         return handleMaxCredentialsReached(errorCode, journeyType, res, req);
       }
 
+      if (errorCode === ERROR_CODES.SESSION_ID_MISSING_OR_INVALID) {
+        req.log.warn(
+          `Backend session is missing or invalid - user cannot enter password. Session id ${sessionId}`
+        );
+        return res.redirect(PATH_NAMES.ERROR_PAGE);
+      }
+
       let validationKey;
       if (support2hrLockout()) {
         validationKey = fromAccountExists

diff --git a/src/components/enter-password/tests/enter-password-controller.test.ts b/src/components/enter-password/tests/enter-password-controller.test.ts
@@ -135,6 +135,31 @@ describe("enter password controller", () => {
           JOURNEY_TYPE.REAUTHENTICATION
         );
       });
+
+      it("should redirect to error page when backend responds indicating session missing or invalid", async () => {
+        const fakePasswordService: EnterPasswordServiceInterface = {
+          loginUser: sinon.fake.returns({
+            success: false,
+            data: {
+              code: ERROR_CODES.SESSION_ID_MISSING_OR_INVALID,
+            },
+          }),
+        } as unknown as EnterPasswordServiceInterface;
+
+        const fakeMfaService: MfaServiceInterface = {
+          sendMfaCode: sinon.fake.returns({
+            success: true,
+          }),
+        } as unknown as MfaServiceInterface;
+
+        await enterPasswordPost(
+          false,
+          fakePasswordService,
+          fakeMfaService
+        )(req as Request, res as Response);
+
+        expect(res.redirect).to.have.calledWith(PATH_NAMES.ERROR_PAGE);
+      });
     });
 
     it("can send the journeyType when sending the password", async () => {