PI-2883 Restrict contact search to trial users (#293)

Author: marcus-bcl

server/middleware/authorisationMiddleware.test.ts

@@ -3,8 +3,9 @@ import type { Request, Response } from 'express'
 
 import authorisationMiddleware from './authorisationMiddleware'
 
-function createToken(authorities: string[]) {
+function createToken(authorities: string[], sub: string = 'USER1') {
   const payload = {
+    sub,
     user_name: 'USER1',
     scope: ['read', 'write'],
     auth_source: 'nomis',
@@ -17,14 +18,16 @@ function createToken(authorities: string[]) {
 }
 
 describe('authorisationMiddleware', () => {
-  let req: Request
+  let req: Request = {
+    path: '/index',
+  } as unknown as jest.Mocked<Request>
   const next = jest.fn()
 
-  function createResWithToken({ authorities }: { authorities: string[] }): Response {
+  function createResWithToken({ authorities, sub = 'USER1' }: { authorities: string[]; sub?: string }): Response {
     return {
       locals: {
         user: {
-          token: createToken(authorities),
+          token: createToken(authorities, sub),
         },
       },
       redirect: jest.fn(),
@@ -61,4 +64,28 @@ describe('authorisationMiddleware', () => {
     expect(next).toHaveBeenCalled()
     expect(res.redirect).not.toHaveBeenCalled()
   })
+
+  it('should redirect when trying to access contact search', async () => {
+    const res = createResWithToken({ authorities: ['SOME_REQUIRED_ROLE'], sub: 'OTHER_USER' })
+    req = {
+      path: '/contacts/something',
+    } as unknown as jest.Mocked<Request>
+
+    await authorisationMiddleware(['SOME_REQUIRED_ROLE'])(req, res, next)
+
+    expect(next).not.toHaveBeenCalled()
+    expect(res.redirect).toHaveBeenCalled()
+  })
+
+  it('should return next when trying to access contact search as authorised username', async () => {
+    const res = createResWithToken({ authorities: ['SOME_REQUIRED_ROLE'], sub: 'MARCUSASPIN' })
+    req = {
+      path: '/contacts/something',
+    } as unknown as jest.Mocked<Request>
+
+    await authorisationMiddleware(['SOME_REQUIRED_ROLE'])(req, res, next)
+
+    expect(next).toHaveBeenCalled()
+    expect(res.redirect).not.toHaveBeenCalled()
+  })
 })

server/middleware/authorisationMiddleware.ts

@@ -4,16 +4,26 @@ import type { RequestHandler } from 'express'
 import logger from '../../logger'
 import asyncMiddleware from './asyncMiddleware'
 
+const authorisedContactSearchUsers = ['ZOEWALKERNPS', 'JOEPRINOLD1HMPPS', 'MARCUSASPIN', 'AOJ19Y', 'ANDREWLOGANMOJ']
+
 export default function authorisationMiddleware(authorisedRoles: string[] = []): RequestHandler {
   return asyncMiddleware((req, res, next) => {
     if (res.locals?.user?.token) {
-      const { authorities: roles = [] } = jwtDecode(res.locals.user.token) as { authorities?: string[] }
+      const { authorities: roles = [], sub } = jwtDecode(res.locals.user.token) as {
+        authorities?: string[]
+        sub?: string
+      }
 
       if (authorisedRoles.length && !roles.some(role => authorisedRoles.includes(role))) {
         logger.error('User is not authorised to access this')
         return res.redirect('/authError')
       }
 
+      if (req.path.includes('/contacts/') && sub && !authorisedContactSearchUsers.includes(sub.toUpperCase())) {
+        logger.error(`User '${sub}' is not authorised to access contact search`)
+        return res.redirect('/authError')
+      }
+
       return next()
     }