New: [AEA-6292] - Authentication redirect & blocking render improvements

.github/workflows/run_regression_tests.yml

@@ -57,8 +57,8 @@ jobs:
           GITHUB-TOKEN: ${{ steps.generate-token.outputs.token }}
         run: |
           if [[ "$TARGET_ENVIRONMENT" != "prod" && "$TARGET_ENVIRONMENT" != "ref" ]]; then
-            REGRESSION_TEST_REPO_TAG="v3.9.10" # This is the tag or branch of the regression test code to run, usually a version tag like v3.1.0 or a branch name
-            REGRESSION_TEST_WORKFLOW_TAG="v3.9.10" # This is the tag of the github workflow to run, usually the same as REGRESSION_TEST_REPO_TAG
+            REGRESSION_TEST_REPO_TAG="v3.10.9" # This is the tag or branch of the regression test code to run, usually a version tag like v3.1.0 or a branch name
+            REGRESSION_TEST_WORKFLOW_TAG="v3.10.9" # This is the tag of the github workflow to run, usually the same as REGRESSION_TEST_REPO_TAG
 
 
             if [[ -z "$REGRESSION_TEST_REPO_TAG" || -z "$REGRESSION_TEST_WORKFLOW_TAG" ]]; then

packages/cognito/src/token.ts

@@ -17,7 +17,7 @@ import {MiddyErrorHandler} from "@cpt-ui-common/middyErrorHandler"
 import {headers} from "@cpt-ui-common/lambdaUtils"
 
 import {rewriteRequestBody} from "./helpers"
-import {insertTokenMapping, tryGetTokenMapping} from "@cpt-ui-common/dynamoFunctions"
+import {insertTokenMapping, tryGetTokenMapping, TokenMappingItem} from "@cpt-ui-common/dynamoFunctions"
 
 /*
 This is the lambda code that is used to intercept calls to token endpoint as part of the cognito login flow
@@ -71,6 +71,18 @@ const errorResponseBody = {
 
 const middyErrorHandler = new MiddyErrorHandler(errorResponseBody)
 
+function checkIfValidTokenMapping(tokenMapping: TokenMappingItem | undefined): boolean {
+  const fifteenMinutes = 15 * 60 * 1000
+
+  return tokenMapping !== undefined &&
+    tokenMapping.sessionId !== undefined &&
+    tokenMapping.cis2AccessToken !== undefined &&
+    tokenMapping.cis2IdToken !== undefined &&
+    tokenMapping.cis2ExpiresIn !== undefined &&
+    tokenMapping.lastActivityTime !== undefined &&
+    tokenMapping.lastActivityTime > Date.now() - fifteenMinutes
+}
+
 const lambdaHandler = async (event: APIGatewayProxyEvent): Promise<APIGatewayProxyResult> => {
   logger.appendKeys({
     "apigw-request-id": event.requestContext?.requestId
@@ -131,13 +143,13 @@ const lambdaHandler = async (event: APIGatewayProxyEvent): Promise<APIGatewayPro
     throw new Error("Can not get expiry time from decoded token")
   }
 
-  const tokenMappingItem = {
+  const tokenMappingItem: TokenMappingItem = {
     username: username,
     sessionId: decodedIdToken.at_hash,
     cis2AccessToken: accessToken,
     cis2IdToken: idToken,
     cis2ExpiresIn: decodedIdToken.exp.toString(),
-    selectedRoleId: decodedIdToken.selected_roleid,
+    currentlySelectedRole: decodedIdToken.selected_roleid,
     lastActivityTime: Date.now()
   }
 
@@ -147,10 +159,9 @@ const lambdaHandler = async (event: APIGatewayProxyEvent): Promise<APIGatewayPro
     logger
   )
 
-  const fifteenMinutes = 15 * 60 * 1000
   const sessionManagementTableName = cis2OidcConfig.sessionManagementTableName
-
-  if (existingTokenMapping !== undefined && existingTokenMapping.lastActivityTime > Date.now() - fifteenMinutes) {
+  const validToken = checkIfValidTokenMapping(existingTokenMapping)
+  if (validToken) {
     logger.info("User already exists in token mapping table, creating draft session",
       {username}, {sessionManagementTableName})
     await insertTokenMapping(documentClient, sessionManagementTableName, tokenMappingItem, logger)

packages/cognito/src/tokenMock.ts

@@ -9,7 +9,7 @@ import inputOutputLogger from "@middy/input-output-logger"
 import {parse} from "querystring"
 import {PrivateKey} from "jsonwebtoken"
 import {exchangeTokenForApigeeAccessToken, fetchUserInfo, initializeOidcConfig} from "@cpt-ui-common/authFunctions"
-import {insertTokenMapping, tryGetTokenMapping} from "@cpt-ui-common/dynamoFunctions"
+import {insertTokenMapping, tryGetTokenMapping, TokenMappingItem} from "@cpt-ui-common/dynamoFunctions"
 import {MiddyErrorHandler} from "@cpt-ui-common/middyErrorHandler"
 import jwt from "jsonwebtoken"
 import axios from "axios"
@@ -72,6 +72,17 @@ async function createSignedJwt(claims: Record<string, unknown>) {
   })
 }
 
+function checkIfValidTokenMapping(tokenMapping: TokenMappingItem | undefined): boolean {
+  const fifteenMinutes = 15 * 60 * 1000
+
+  return tokenMapping !== undefined &&
+    tokenMapping.sessionId !== undefined &&
+    tokenMapping.apigeeAccessToken !== undefined &&
+    tokenMapping.apigeeExpiresIn !== undefined &&
+    tokenMapping.lastActivityTime !== undefined &&
+    tokenMapping.lastActivityTime > Date.now() - fifteenMinutes
+}
+
 const lambdaHandler = async (event: APIGatewayProxyEvent): Promise<APIGatewayProxyResult> => {
   const apigeeApiKey = await getSecret(apigeeApiKeyArn)
   const apigeeApiSecret = await getSecret(apigeeApiSecretArn)
@@ -154,7 +165,7 @@ const lambdaHandler = async (event: APIGatewayProxyEvent): Promise<APIGatewayPro
   )
   logger.info("Existing token mapping for user", {existingTokenMapping})
 
-  let tokenMappingItem = {
+  let tokenMappingItem: TokenMappingItem = {
     username: `Mock_${baseUsername}`,
     sessionId: sessionId,
     apigeeAccessToken: exchangeResult.accessToken,
@@ -167,11 +178,9 @@ const lambdaHandler = async (event: APIGatewayProxyEvent): Promise<APIGatewayPro
     lastActivityTime: Date.now()
   }
 
-  const fifteenMinutes = 15 * 60 * 1000
-
   const sessionManagementTableName = mockOidcConfig.sessionManagementTableName
-
-  if (existingTokenMapping !== undefined && existingTokenMapping.lastActivityTime > Date.now() - fifteenMinutes) {
+  const validToken = checkIfValidTokenMapping(existingTokenMapping)
+  if (validToken) {
     const username = tokenMappingItem.username
     logger.info("User already exists in token mapping table, creating draft session",
       {username}, {sessionManagementTableName})

packages/cognito/tests/test_token.cis2.test.ts

@@ -206,7 +206,11 @@ describe("cis2 token handler", () => {
     mockTryGetTokenMapping.mockImplementationOnce(() => {
       return Promise.resolve({
         username: `${CIS2_USER_POOL_IDP}_foo`,
-        lastActivityTime: Date.now() - (10 * 60 * 1000) // 10 minutes ago (less than 15)
+        lastActivityTime: Date.now() - (10 * 60 * 1000), // 10 minutes ago (less than 15)
+        sessionId: "session-id",
+        cis2AccessToken: "foo",
+        cis2IdToken: "bar",
+        cis2ExpiresIn: Date.now() - - (10 * 60 * 1000)
       })
     })
 
@@ -353,14 +357,18 @@ describe("cis2 token handler", () => {
 
   it("creates concurrent session when user exists and last activity exactly at 15 minute boundary", async () => {
     // Mock Date.now() to ensure consistent timing for boundary test
-    const fixedTime = 1000000000000 // Fixed timestamp
+    const fixedTime = 1000000 // Fixed timestamp
     const dateNowSpy = vi.spyOn(Date, "now").mockReturnValue(fixedTime)
 
     const fifteenMinutes = 15 * 60 * 1000
     mockTryGetTokenMapping.mockImplementationOnce(() => {
       return Promise.resolve({
         username: `${CIS2_USER_POOL_IDP}_foo`,
-        lastActivityTime: fixedTime - fifteenMinutes + 1 // Just barely within 15 minute window
+        lastActivityTime: fixedTime - fifteenMinutes + 1, // Just barely within 15 minute window
+        sessionId: "session-id",
+        cis2AccessToken: "foo",
+        cis2IdToken: "bar",
+        cis2ExpiresIn: fixedTime - fifteenMinutes + 1
       })
     })
 

packages/cognito/tests/test_token.mock.test.ts

@@ -224,7 +224,10 @@ describe("token mock handler", () => {
     mockTryGetTokenMapping.mockImplementation(() => {
       return Promise.resolve({
         username: "Mock_user_details_sub",
-        lastActivityTime: Date.now()
+        lastActivityTime: Date.now(),
+        sessionId: "session-id",
+        apigeeAccessToken: "foo",
+        apigeeExpiresIn: "3600"
       })
     })
 
@@ -259,10 +262,11 @@ describe("token mock handler", () => {
     }, dummyContext)
 
     // check call
+    expect(mockInsertTokenMapping).toHaveBeenCalledOnce()
     expect(mockInsertTokenMapping).toHaveBeenCalledWith(
       expect.anything(), // documentClient
       "test-session-management-table", // tableName
-      {
+      ({
         username: "Mock_user_details_sub",
         apigeeAccessToken: "new-access-token",
         apigeeRefreshToken: "new-refresh-token",
@@ -279,7 +283,7 @@ describe("token mock handler", () => {
         },
         lastActivityTime: expect.any(Number),
         sessionId: expect.any(String)
-      }, // item
+      }), // item
       expect.anything() // logger
     )
     // Check response structure
@@ -342,7 +346,7 @@ describe("token mock handler", () => {
     expect(mockInsertTokenMapping).toHaveBeenCalledWith(
       expect.anything(), // documentClient
       "dummyTable", // tableName
-      {
+      ({
         username: "Mock_user_details_sub",
         apigeeAccessToken: "new-access-token",
         apigeeRefreshToken: "new-refresh-token",
@@ -359,7 +363,7 @@ describe("token mock handler", () => {
         },
         lastActivityTime: expect.any(Number),
         sessionId: expect.any(String)
-      }, // item
+      }), // item
       expect.anything() // logger
     )
     // Check response structure