Merge pull request #1223 from guardian/rk/oauth-middleware

OAuth migration | Core OAuth authentication middleware

cypress/e2e/parallel-6/identitySettingsForm.cy.ts

@@ -1,10 +1,9 @@
 import { user as userResponse } from '../../../client/fixtures/user';
+import { signInAndAcceptCookies } from '../../lib/signInAndAcceptCookies';
 
 describe('Settings Form', () => {
 	beforeEach(() => {
-		cy.session('auth', () => {
-			cy.setCookie('gu-cmp-disabled', 'true');
-		});
+		signInAndAcceptCookies();
 
 		cy.intercept('GET', '/idapi/user', {
 			body: userResponse,

docs/06-identity-middleware.md

@@ -0,0 +1,39 @@
+# Identity Middleware
+
+The identity middleware is responsible for controlling access to MMA.
+
+Most routes on MMA are 'mandatory sign-in' routes, requiring the user to be
+signed in to access them. For these routes, the identity middleware is responsible
+for validating the user's OAuth tokens and performing an authorization code flow
+if necessary.
+
+Some routes, mostly connected to the Help Centre, are 'optional sign-in' routes.
+For these routes, the identity middleware will attempt to validate the user's
+OAuth tokens if they have an active Okta session, and will otherwise allow the user
+to access the route in a signed-out state.
+
+## Middleware flow
+
+```mermaid
+flowchart TD
+    Start(Start) --> publicRoute{Public route?}
+    publicRoute -- No --> signoutCookieSet{GU_SO cookie set?}
+    signoutCookieSet --Yes--> clearCookies[Clear OAuth cookies]
+    clearCookies --> performAuthMandatory(Perform authorization code flow -\n/mandatory endpoint)
+    signoutCookieSet -- No --> tokensValid{OAuth and IDAPI\ncookies locally valid?}
+    tokensValid -- Yes --> needServerSide{Need server-side validation?}
+    needServerSide -- Yes --> serverSideValid{Server-side validation valid?}
+    needServerSide -- No --> setLocalState(Set res.locals.identity)
+    serverSideValid -- Yes --> setLocalState
+    serverSideValid -- No --> performAuthMandatory
+    setLocalState --> next(Next)
+    tokensValid -- No --> performAuthMandatory
+    publicRoute -- Yes --> signoutCookieSet2{GU_SO cookie set?}
+    signoutCookieSet2 -- Yes --> clearCookies2[Clear OAuth cookies]
+    clearCookies2 --> next
+    signoutCookieSet2 -- No --> tokensValid2{OAuth and IDAPI\ncookies locally valid?}
+    tokensValid2 -- Yes --> setLocalState
+    tokensValid2 -- No --> guUSet{GU_GU cookie set?}
+    guUSet -- No --> next
+    guUSet -- Yes --> performAuthOptional(Perform authorization code flow -\n/optional endpoint)
+```

jest.config.js

@@ -27,6 +27,11 @@ module.exports = {
 				],
 			},
 		},
+		// Webpack's DefinePlugin bakes 'CYPRESS = "SKIP_IDAPI"' into the compiled code
+		// when building for Cypress. This is used to skip the auth middleware in Cypress.
+		// In Jest, we want to run the auth middleware, and in any case we need to set
+		// CYPRESS to something, otherwise Jest won't run.
+		CYPRESS: 'false',
 	},
 	preset: 'ts-jest',
 	testEnvironment: 'jsdom',
@@ -35,4 +40,7 @@ module.exports = {
 		'<rootDir>/cdk/',
 		'<rootDir>/node_modules/',
 	],
+	moduleNameMapper: {
+		'^@/(.*)$': '<rootDir>/$1',
+	},
 };

package.json

@@ -150,6 +150,7 @@
     "@guardian/source-foundations": "13.0.0",
     "@guardian/source-react-components": "16.0.1",
     "@guardian/source-react-components-development-kitchen": "14.0.2",
+    "@okta/jwt-verifier": "3.0.1",
     "@sentry/browser": "5.22.3",
     "@sentry/node": "5.22.3",
     "@stripe/react-stripe-js": "1.16.5",
@@ -167,8 +168,10 @@
     "jest-environment-jsdom": "29.7.0",
     "js-cookie": "2.2.1",
     "lodash": "4.17.21",
+    "ms": "2.1.3",
     "node-fetch": "2.6.7",
     "number-to-words": "1.2.4",
+    "openid-client": "5.6.1",
     "ophan-tracker-js": "1.3.16",
     "react": "18.2.0",
     "react-dom": "18.2.0",