From fa4fe20ba37c1939c2d9de3e211147740cfdc6f2 Mon Sep 17 00:00:00 2001
From: BeckaL
Date: Tue, 3 Sep 2024 15:08:05 +0100
Subject: [PATCH] AUT-3613: Log a reauth user out if they are blocked for reauth
This ensures that a user who has exceeded the max tries for credential entry on reauth cannot start a new reauth journey - if the start response indicates that a user has any blocks, they will be logged out rather than allowed to proceed with a reauth journey
---
 .../authorize/authorize-controller.ts | 13 +++++++++
 .../tests/authorize-controller.test.ts | 27 +++++++++++++++++++
 src/components/authorize/types.ts | 1 +
 3 files changed, 41 insertions(+)
diff --git a/src/components/authorize/authorize-controller.ts b/src/components/authorize/authorize-controller.ts
index dd5248d14..d1917a0d8 100644
--- a/src/components/authorize/authorize-controller.ts
+++ b/src/components/authorize/authorize-controller.ts
@@ -84,6 +84,19 @@ export function authorizeGet(
 setSessionDataFromClaims(req, claims);
 setSessionDataFromAuthResponse(req, startAuthResponse);
+ if (
+ supportReauthentication() &&
+ req.session.user.reauthenticate &&
+ startAuthResponse.data.user.isBlockedForReauth
+ ) {
+ logger.info(
+ `Start response indicates user with session ${res.locals.sessionId} is blocked for reauth, redirecting back to orchestration`
+ );
+ return res.redirect(
+ req.session.client.redirectUri.concat("?error=login_required")
+ );
+ }
+
 req.session.user.isAccountCreationJourney = undefined;
 logger.info(`Reauth claim length ${claims.reauthenticate?.length}`);
diff --git a/src/components/authorize/tests/authorize-controller.test.ts b/src/components/authorize/tests/authorize-controller.test.ts
index 4f5ce93e9..07db22533 100644
--- a/src/components/authorize/tests/authorize-controller.test.ts
+++ b/src/components/authorize/tests/authorize-controller.test.ts
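Review bot: The added guard fails open when the backend omits the field: `startAuthResponse.data.user.isBlockedForReauth` is declared as a required `boolean` in the types.ts hunk, but it is deserialised from the auth service response, so an absent or null value is falsy and the reauth journey continues as if the user were not blocked; if older backend versions can omit it, decide explicitly whether absence should fail closed, and a runtime check such as `typeof startAuthResponse.data.user.isBlockedForReauth !== "boolean"` would surface the mismatch instead of silently passing. The redirect target is assembled with `req.session.client.redirectUri.concat("?error=login_required")`, which yields a malformed URL when the registered redirect URI already carries a query string; building it with `const url = new URL(req.session.client.redirectUri); url.searchParams.set("error", "login_required");` and redirecting to `url.toString()` keeps it well-formed, and if the orchestration flow tracks a `state` parameter it would normally be echoed on the error redirect as well. The commit describes the user as logged out, but within the hunk only a redirect happens after `setSessionDataFromClaims` and `setSessionDataFromAuthResponse` have populated the session, so unless the session is cleared elsewhere the reauth flag and start data remain on it. `authorizeGet` begins and ends outside the hunk.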
@@ -226,6 +226,7 @@ describe("authorize controller", () => {
 identityRequired: false,
 upliftRequired: false,
 authenticated: false,
+ isBlockedForReauth: false,
 };
 fakeAuthorizeService = mockAuthService(authServiceResponseData);
@@ -239,6 +240,32 @@ describe("authorize controller", () => {
 expect(res.redirect).to.have.calledWith(PATH_NAMES.ENTER_EMAIL_SIGN_IN);
 });
+ it("should log user out when reauthentication is requested and support reauthenticate feature flag is on but user is blocked from reauthenticating", async () => {
+ const redirectUri = "https://example.com/redirect";
+ mockClaims.redirect_uri = redirectUri;
+
+ process.env.SUPPORT_REAUTHENTICATION = "1";
+ mockClaims.reauthenticate = "123456";
+ authServiceResponseData.data.user = {
+ identityRequired: false,
+ upliftRequired: false,
+ authenticated: false,
+ isBlockedForReauth: true,
+ };
+ fakeAuthorizeService = mockAuthService(authServiceResponseData);
+
+ await authorizeGet(
+ fakeAuthorizeService,
+ fakeCookieConsentService,
+ fakeKmsDecryptionService,
+ fakeJwtService
+ )(req as Request, res as Response);
+
+ expect(res.redirect).to.have.been.calledWith(
+ redirectUri + "?error=login_required"
+ );
+ });
+
 //note that this is currently the same behaviour with the feature flag on or off. This will change if we decide on a different initial page for the reauth journey
 it("should redirect to sign in when reauthentication is requested and user has an existing session but support reauthenticate feature flag is off", async () => {
 process.env.SUPPORT_REAUTHENTICATION = "0";
diff --git a/src/components/authorize/types.ts b/src/components/authorize/types.ts
index 815a759e8..424ce064b 100644
--- a/src/components/authorize/types.ts
+++ b/src/components/authorize/types.ts
@@ -15,6 +15,7 @@ export interface UserSessionInfo {
 gaCrossDomainTrackingId?: string;
 docCheckingAppUser: boolean;
 mfaMethodType?: string;
+ isBlockedForReauth: boolean;
 }
 export interface AuthorizeServiceInterface {
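Review bot: The new test in the second hunk pins only the blocked-with-flag-on path; there is no companion case asserting where a user with `isBlockedForReauth: true` lands when `SUPPORT_REAUTHENTICATION` is `"0"` (by the controller guard that is still `PATH_NAMES.ENTER_EMAIL_SIGN_IN`), so the fail-open behaviour under the flag is left undocumented by the suite. The test also writes `mockClaims.redirect_uri` and `mockClaims.reauthenticate` on shared fixtures; unless a hook not visible in this hunk resets them, later cases in the same describe block inherit those values. The enclosing `describe` starts and ends outside the hunk.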