From 81c1253c4cbcb6f2b8fd6f0ccf4bdf5234fff68c Mon Sep 17 00:00:00 2001 From: Raphael Kabo Date: Wed, 17 Jan 2024 16:38:08 +0000 Subject: [PATCH 1/3] fix: remove SC_GU_LA cookie check --- server/__tests__/middleware/identityMiddleware.test.ts | 2 -- server/__tests__/oauth.test.ts | 3 --- server/oauth.ts | 2 +- 3 files changed, 1 insertion(+), 6 deletions(-) diff --git a/server/__tests__/middleware/identityMiddleware.test.ts b/server/__tests__/middleware/identityMiddleware.test.ts index fa8d27e41..b8ad88467 100644 --- a/server/__tests__/middleware/identityMiddleware.test.ts +++ b/server/__tests__/middleware/identityMiddleware.test.ts @@ -221,7 +221,6 @@ describe('authenticateWithOAuth middleware - route requires signin', () => { cookies: { GU_U: 'gu_u', SC_GU_U: 'sc_gu_u', - SC_GU_LA: 'sc_gu_la', }, originalUrl: '/profile', } as Request; @@ -375,7 +374,6 @@ describe('authenticateWithOAuth middleware - route does not require signin', () cookies: { GU_U: 'gu_u', SC_GU_U: 'sc_gu_u', - SC_GU_LA: 'sc_gu_la', }, originalUrl: '/help-centre', } as Request; diff --git a/server/__tests__/oauth.test.ts b/server/__tests__/oauth.test.ts index d8c6a861e..d4b499a64 100644 --- a/server/__tests__/oauth.test.ts +++ b/server/__tests__/oauth.test.ts @@ -154,7 +154,6 @@ describe('setLocalStateFromIdTokenOrUserCookie', () => { cookies: { GU_U: 'gu_u', SC_GU_U: 'sc_gu_u', - SC_GU_LA: 'sc_gu_la', }, } as Request; const res = {} as Response; @@ -197,7 +196,6 @@ describe('setLocalStateFromIdTokenOrUserCookie', () => { cookies: { GU_U: 'gu_u', SC_GU_U: 'sc_gu_u', - SC_GU_LA: 'sc_gu_la', }, } as Request; const res = {} as Response; @@ -216,7 +214,6 @@ describe('setLocalStateFromIdTokenOrUserCookie', () => { const req = { cookies: { SC_GU_U: 'sc_gu_u', - SC_GU_LA: 'sc_gu_la', }, } as Request; const res = {} as Response; diff --git a/server/oauth.ts b/server/oauth.ts index 80d347c82..2d206f903 100644 --- a/server/oauth.ts +++ b/server/oauth.ts 
@@ -348,6 +348,6 @@ export const sanitizeReturnPath = (returnPath: string) => { }; export const allIdapiCookiesSet = (req: Request) => { - const idapiCookies = ['GU_U', 'SC_GU_U', 'SC_GU_LA']; + const idapiCookies = ['GU_U', 'SC_GU_U']; return idapiCookies.every((cookie) => req.cookies[cookie]); }; From 4c7ac713d8bb8542a63b5f562cedac1c737f6027 Mon Sep 17 00:00:00 2001 From: Raphael Kabo Date: Thu, 18 Jan 2024 11:06:03 +0000 Subject: [PATCH 2/3] feat: add MDAPI scopes --- server/oauthConfig.ts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/server/oauthConfig.ts b/server/oauthConfig.ts index 98dfcb77d..fb11711ce 100644 --- a/server/oauthConfig.ts +++ b/server/oauthConfig.ts @@ -38,5 +38,7 @@ export const scopes = [ 'guardian.identity-api.user.username.create.self.secure', 'guardian.identity-api.consents.read.self', 'guardian.identity-api.consents.update.self', + 'guardian.members-data-api.complete.read.self.secure', + 'guardian.members-data-api.read.self', ] as const; export type Scopes = typeof scopes[number]; From c1e621394feaf50f51fa42e4629669e668642a30 Mon Sep 17 00:00:00 2001 From: Raphael Kabo Date: Thu, 18 Jan 2024 11:07:40 +0000 Subject: [PATCH 3/3] feat: migrate MDAPI to use OAuth tokens --- server/apiProxy.ts | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/server/apiProxy.ts b/server/apiProxy.ts index e2ba9a97d..41b531e88 100644 --- a/server/apiProxy.ts +++ b/server/apiProxy.ts @@ -9,6 +9,7 @@ import { conf } from './config'; import { getCookiesOrEmptyString } from './idapiAuth'; import { log, putMetric } from './log'; import { augmentRedirectURL } from './middleware/requestMiddleware'; +import { OAuthAccessTokenCookieName } from './oauthConfig'; type BodyHandler = (res: Response, body: Buffer) => void; type JsonString = Buffer | string | undefined; 
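Review bot: allIdapiCookiesSet now reports a complete IDAPI session from GU_U and SC_GU_U alone, but neither the function nor the commit message records why SC_GU_LA is no longer required, and the name still promises "all" cookies. Add a TSDoc above the export along the lines of `/** True when every IDAPI cookie this app needs for a signed-in session (GU_U, SC_GU_U) is present; SC_GU_LA is deliberately not required because <reason from PR>. */`, with the placeholder filled in from the PR discussion. Since the list never changes, consider hoisting it to module scope as `const idapiCookies = ['GU_U', 'SC_GU_U'] as const;` so it is not rebuilt on every request. It is also worth stating in the comment that the check is truthiness-based, so an empty-string cookie counts as absent.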
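Review bot: Two members-data-api scopes are added to the list requested at sign-in without a comment saying which endpoint each one gates; if `guardian.members-data-api.complete.read.self.secure` already covers what `guardian.members-data-api.read.self` grants, requesting both widens every issued access token for no benefit — confirm against the MDAPI scope definitions before merging. A one-line comment per scope, e.g. `// required by <endpoint> calls made through proxyApiHandler`, would let a later reviewer trim scopes to least privilege with confidence. The `scopes` array itself opens outside the hunk.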
@@ -86,12 +87,34 @@ export const proxyApiHandler = outgoingURL, }; + const authorizationOrCookieHeader = ({ + req, + host, + }: { + req: Request; + host: string; + }): Headers => { + switch (host) { + case 'members-data-api.' + conf.DOMAIN: + return { + Authorization: `Bearer ${req.signedCookies[OAuthAccessTokenCookieName]}`, + }; + default: + // TODO: This is legacy code! + // We don't want to send literally all cookies to APIs so when + // we migrate to Okta tokens entirely we should remove this + return { + Cookie: getCookiesOrEmptyString(req), + }; + } + }; + fetch(outgoingURL, { method: httpMethod, body: requestBody, headers: { + ...authorizationOrCookieHeader({ req, host }), 'Content-Type': 'application/json', // TODO: set this from the client req headers (would need to check all client calls actually specify content-type) - Cookie: getCookiesOrEmptyString(req), [X_GU_ID_FORWARDED_SCOPE]: req.header(X_GU_ID_FORWARDED_SCOPE) || '', ...headers,