KFP-664 Replace session with JWT token authentication (#44)

* KFP-664 added redis store for auth sessions

* KFP-664 fix after review

* KFP-664 added more logs

* KFP-664 changed approach and replaced redis with jwt token

* KFP-664 fix after review

* KFP-664 code cleanup

* KFP-664 fix interface

* KFP-664 fix after review

* KFP-664 fix issue and refactoring

Author: cptiv2020

CoreDeployable/README.md

@@ -18,8 +18,7 @@ Set up the environment by adding a `.env` file to the root folder (CoreDeployabl
 
 | Variable | Description |
 |----------|-------------|
-| `COOKIE_SECRET` | Secret key for encrypting session data |
-| `SESSION_SECRET` | Secret key for encrypting auth session data |
+| `SESSION_SECRET` | Secret used for JWT token signing |
 | `AUTH_CONFIG_FILE_NAME` | Name for auth configuration file for each form |
 | `ALLOWED_ORIGIN` | Used for API endpoint CORS configuration |
 | `CLOUD_PROVIDER` | Cloud provider to use (must be 'aws' or 'azure') |
@@ -53,6 +52,7 @@ Set up the environment by adding a `.env` file to the root folder (CoreDeployabl
 | `LOG_LEVEL` | Log verbosity | info |
 | `MAX_ALLOWED_FILE_SIZE_TO_UPLOAD` | Maximum file upload size in MB | 100 |
 | `USE_LOCAL_DYNAMODB` | Use local DynamoDB instance | false |
+| `SKIP_AUTH_ISSUER_CHECK` | Skip issuer validation for authentication sessions. Can be enabled when using a single SAML configuration | false |
 
 ##### Available Log Levels
 - trace
@@ -66,7 +66,6 @@ Set up the environment by adding a `.env` file to the root folder (CoreDeployabl
 
 ##### AWS Configuration Example
 ```
-COOKIE_SECRET='your-secure-cookie-secret'
 SESSION_SECRET='your-secure-session-secret'
 CLOUD_PROVIDER='aws'
 BUCKET_NAME='your-kfd-files-bucket'
@@ -84,7 +83,6 @@ FORM_SESSION_TABLE_NAME='Core_FormSessions_dev'
 
 ##### Azure Configuration Example
 ```
-COOKIE_SECRET='your-secure-cookie-secret'
 SESSION_SECRET='your-secure-session-secret'
 CLOUD_PROVIDER='azure'
 AZURE_STORAGE_ACCOUNT='your-storage-account'

CoreDeployable/package-lock.json

@@ -64,9 +64,9 @@
     "crypto-js": "^4.2.0",
     "dompurify": "^3.2.7",
     "dotenv": "^17.2.2",
-    "express-session": "^1.18.2",
     "helmet": "^8.1.0",
     "jsdom": "^27.0.0",
+    "jsonwebtoken": "^9.0.2",
     "nocache": "^4.0.0",
     "winston": "^3.13.1"
   },
@@ -77,7 +77,7 @@
     "@types/crypto-js": "^4.2.2",
     "@types/cucumber": "^6.0.1",
     "@types/express-serve-static-core": "^5.0.7",
-    "@types/express-session": "^1.18.2",
+    "@types/jsonwebtoken": "^9.0.10",
     "@types/lodash": "^4.17.20",
     "@types/passport": "^1.0.16",
     "@types/selenium-webdriver": "^4.1.24",
@@ -110,7 +110,6 @@
     "core-fcads",
     "dompurify",
     "dotenv",
-    "express-session",
     "core-gcds",
     "core-govuk",
     "core-nhsuk",
@@ -119,6 +118,7 @@
     "core-wds",
     "helmet",
     "jsdom",
+    "jsonwebtoken",
     "nocache",
     "winston"
   ]

CoreDeployable/package.json

@@ -83,6 +83,9 @@ const envConfig = {
     }
     return provider;
   },
+  get skipAuthIssuerCheck(): boolean {
+    return process.env.SKIP_AUTH_ISSUER_CHECK === 'true';
+  },
 };
 
 export default envConfig;

CoreDeployable/src/config/envConfig.ts

@@ -1,22 +1,21 @@
+import { AuthenticateOptions } from 'passport';
+import { JwtService } from '../services/JwtService.js';
+import { Profile } from '@node-saml/passport-saml';
 import bodyParser from 'body-parser';
 import cookieParser from 'cookie-parser';
-import envConfig from './envConfig.js';
 import express from 'express';
 import { getCloudServices } from '../container/CloudServicesRegistry.js';
 import helmet from 'helmet';
 import { logger } from 'core-runtime';
 import nocache from 'nocache';
 import passport from '../middlewares/ssoHandler.js';
 import { permissionsPolicy } from '../middlewares/permissionsPolicy.js';
-import session from 'express-session';
 
-declare module 'express-session' {
-  interface SessionData {
-    returnTo: string;
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    passport: any;
-  }
-}
+const authenticateOptions: AuthenticateOptions = {
+  session: false,
+  failureRedirect: '/',
+  failureFlash: true,
+};
 
 export const expressConfiguration = (app: express.Express) => {
   const storageUrl = getCloudServices().fileService.getStorageUrl();
@@ -52,43 +51,64 @@ export const expressConfiguration = (app: express.Express) => {
   app.use(bodyParser.json({ type: 'application/json' }));
   app.use(cookieParser());
   app.use(bodyParser.urlencoded({ extended: true }));
-  
-  app.use(
-    session({
-      secret: envConfig.sessionSecret,
-      resave: false,
-      saveUninitialized: false,
-    }),
-  );
-
-  app.use(passport.initialize());
-  app.use(passport.session());
 
-  app.get('/login', passport.authenticate('saml', { failureRedirect: '/', failureFlash: true }), function (_req, res) {
-    res.redirect('/');
-  });
+  app.get(
+    '/login',
+    (req, _res, next) => {
+      logger.debug(`SAML Login - Starting authentication flow`);
+      logger.debug(`SAML Login - RelayState: ${req.query?.RelayState || 'none'}`);
+      next();
+    },
+    passport.authenticate('saml', authenticateOptions),
+    function (_req, res) {
+      res.redirect('/');
+    },
+  );
 
   app.post(
     '/login/callback',
-    passport.authenticate('saml', {
-      failureRedirect: '/',
-      failureFlash: true,
-    }),
+    (req, _res, next) => {
+      logger.debug(`SAML Callback - Starting processing`);
+      logger.debug(`SAML Callback - RelayState: ${req.body?.RelayState || 'none'}`);
+      next();
+    },
+    passport.authenticate('saml', authenticateOptions),
     function (req, res) {
-      // Handle RelayState from either body or query parameters, with fallback to session
-      const relayState = req.body?.RelayState || req.query?.RelayState || req.session?.returnTo;
-      const redirectUrl = relayState ? decodeURIComponent(relayState) : '/';
-      
-      logger.debug(`SAML callback - RelayState: ${relayState}, Redirect to: ${redirectUrl}`);
-      logger.debug(`Request body:`, req.body);
-      logger.debug(`Request query:`, req.query);
-      logger.debug(`Session returnTo:`, req.session?.returnTo);
-      
-      // Clear the returnTo from session after using it
-      if (req.session?.returnTo) {
-        delete req.session.returnTo;
+      logger.info(`SAML Auth Success - Processing user data`);
+      logger.debug(`SAML Auth Success - User object:`, {
+        hasUser: !!req.user,
+        userType: typeof req.user,
+        userKeys: req.user ? Object.keys(req.user) : [],
+      });
+
+      if (req.user) {
+        const user = req.user as Profile;
+
+        try {
+          logger.info(`SAML Callback - Creating JWT for user`);
+
+          const token = JwtService.createToken(user);
+          JwtService.setTokenCookie(res, token);
+          logger.info(`SAML Callback - JWT token created and cookie set successfully`);
+        } catch (error) {
+          logger.error(`SAML Callback - JWT creation failed:`, {
+            error: error instanceof Error ? error.message : error,
+            stack: error instanceof Error ? error.stack : undefined,
+            user: user?.nameID || user?.email || 'unknown',
+          });
+          throw new Error(
+            `SAML authentication failed: JWT token creation failed - ${error instanceof Error ? error.message : 'Unknown error'}`,
+          );
+        }
+      } else {
+        logger.error(`SAML Callback - No user object received from SAML authentication`);
+        throw new Error('SAML authentication failed: No user object received from SAML provider');
       }
-      
+
+      const relayState = req.body?.RelayState;
+      const redirectUrl = relayState ? decodeURIComponent(relayState) : '/';
+
+      logger.info(`SAML Callback - Final redirect: ${redirectUrl}`);
       res.redirect(redirectUrl);
     },
   );

CoreDeployable/src/config/expressConfiguration.ts

@@ -0,0 +1,4 @@
+export const SAML_CLAIM_TYPES = {
+  NAME: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
+  EMAIL_ADDRESS: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
+} as const;