ensure to have only one body parser middeware, added more logs for investigation (#19)

Author: cptiv2020

CoreDeployable/package-lock.json

@@ -52,6 +52,8 @@
     "@azure/storage-blob": "^12.28.0",
     "@codegenie/serverless-express": "^4.16.0",
     "@node-saml/passport-saml": "^5.1.0",
+    "body-parser": "^2.2.0",
+    "cookie-parser": "^1.4.7",
     "core-fcads": "file:core-fcads-1.0.0.tgz",
     "core-gcds": "file:core-gcds-1.0.0.tgz",
     "core-govuk": "file:core-govuk-1.0.0.tgz",
@@ -102,6 +104,8 @@
     "@azure/storage-blob",
     "@codegenie/serverless-express",
     "@node-saml/passport-saml",
+    "body-parser",
+    "cookie-parser",
     "crypto-js",
     "core-fcads",
     "dompurify",

CoreDeployable/package.json

@@ -1,4 +1,5 @@
 import bodyParser from 'body-parser';
+import cookieParser from 'cookie-parser';
 import envConfig from './envConfig.js';
 import express from 'express';
 import { getCloudServices } from '../container/CloudServicesRegistry.js';
@@ -48,6 +49,10 @@ export const expressConfiguration = (app: express.Express) => {
   app.use(permissionsPolicy());
   app.use(nocache());
 
+  app.use(bodyParser.json({ type: 'application/json' }));
+  app.use(cookieParser());
+  app.use(bodyParser.urlencoded({ extended: true }));
+  
   app.use(
     session({
       secret: envConfig.sessionSecret,
@@ -65,14 +70,25 @@ export const expressConfiguration = (app: express.Express) => {
 
   app.post(
     '/login/callback',
-    bodyParser.urlencoded({ extended: false }),
     passport.authenticate('saml', {
       failureRedirect: '/',
       failureFlash: true,
     }),
     function (req, res) {
-      const redirectUrl = decodeURIComponent(req.body.RelayState);
-      logger.debug(`Redirect to: ${redirectUrl}`);
+      // Handle RelayState from either body or query parameters, with fallback to session
+      const relayState = req.body?.RelayState || req.query?.RelayState || req.session?.returnTo;
+      const redirectUrl = relayState ? decodeURIComponent(relayState) : '/';
+      
+      logger.debug(`SAML callback - RelayState: ${relayState}, Redirect to: ${redirectUrl}`);
+      logger.debug(`Request body:`, req.body);
+      logger.debug(`Request query:`, req.query);
+      logger.debug(`Session returnTo:`, req.session?.returnTo);
+      
+      // Clear the returnTo from session after using it
+      if (req.session?.returnTo) {
+        delete req.session.returnTo;
+      }
+      
       res.redirect(redirectUrl);
     },
   );