Merge pull request #836 from govuk-one-login/BAU-fix-cookie-scoping

liegeandlief · web-flow · commit a8fea692fec6 · 2026-05-19T07:36:37.000Z
BAU: fix cookie domain scoping
diff --git a/.github/workflows/integration-test.yaml b/.github/workflows/integration-test.yaml
@@ -42,6 +42,7 @@ jobs:
           SESSIONS_SIGNER=localsessionsignerwhichmustbeatleast32chars  
           SESSIONS_TABLE_NAME=amc-SessionStore
           ROOT_DOMAIN=localhost
+          ROOT_DOMAIN_WITH_ENV=localhost
           AWS_REGION=eu-west-2
           LOCALSTACK_ENDPOINT=http://localhost:4566
           LOCAL_KMS_ENDPOINT=http://localhost:4567
@@ -88,8 +89,8 @@ jobs:
           LOCALSTACK_ENDPOINT=http://localhost:4566
           LOCAL_KMS_ENDPOINT=http://localhost:4567
           LOCALSTACK_ACCESS_KEY_ID=test
-          LOCALSTACK_ACCESS_KEY=test      
-          ROOT_DOMAIN=localhost          
+          LOCALSTACK_ACCESS_KEY=test   
+          ROOT_DOMAIN=localhost             
           EOF
 
       - name: Configure API environment
diff --git a/solutions/app-infra/template.yaml b/solutions/app-infra/template.yaml
@@ -88,7 +88,8 @@ Mappings:
       notificationsMaxReceiveCount: 5
       txmaAccountArn: ""
       stubsDomain: stubs.manage.dev.account.gov.uk
-      rootDomain: dev.account.gov.uk
+      rootDomain: account.gov.uk
+      rootDomainWithEnv: dev.account.gov.uk
     build:
       dynatraceSecretArn: arn:aws:secretsmanager:eu-west-2:216552277552:secret:DynatraceNonProductionVariables # pragma: allowlist-secret
       authorizeEndpointUrl: https://manage.build.account.gov.uk/authorize
@@ -122,7 +123,8 @@ Mappings:
       notificationsMaxReceiveCount: 5
       txmaAccountArn: ""
       stubsDomain: stubs.manage.build.account.gov.uk
-      rootDomain: build.account.gov.uk
+      rootDomain: account.gov.uk
+      rootDomainWithEnv: build.account.gov.uk
     staging:
       dynatraceSecretArn: arn:aws:secretsmanager:eu-west-2:216552277552:secret:DynatraceNonProductionVariables # pragma: allowlist-secret
       authorizeEndpointUrl: https://manage.staging.account.gov.uk/authorize
@@ -158,7 +160,8 @@ Mappings:
       notificationsMaxReceiveCount: 5
       txmaAccountArn: "arn:aws:iam::178023842775:root"
       stubsDomain: ""
-      rootDomain: staging.account.gov.uk
+      rootDomain: account.gov.uk
+      rootDomainWithEnv: staging.account.gov.uk
     integration:
       dynatraceSecretArn: arn:aws:secretsmanager:eu-west-2:216552277552:secret:DynatraceNonProductionVariables # pragma: allowlist-secret
       authorizeEndpointUrl: https://manage.integration.account.gov.uk/authorize
@@ -194,7 +197,8 @@ Mappings:
       notificationsMaxReceiveCount: 36
       txmaAccountArn: "arn:aws:iam::729485541398:root"
       stubsDomain: ""
-      rootDomain: integration.account.gov.uk
+      rootDomain: account.gov.uk
+      rootDomainWithEnv: integration.account.gov.uk
     production:
       dynatraceSecretArn: arn:aws:secretsmanager:eu-west-2:216552277552:secret:DynatraceProductionVariables # pragma: allowlist-secret
       authorizeEndpointUrl: https://manage.account.gov.uk/authorize
@@ -231,6 +235,7 @@ Mappings:
       txmaAccountArn: "arn:aws:iam::451773080033:root"
       stubsDomain: ""
       rootDomain: account.gov.uk
+      rootDomainWithEnv: account.gov.uk
 
 Conditions:
   UseCodeSigning:
@@ -2334,6 +2339,12 @@ Resources:
           SESSIONS_TABLE_NAME: !Sub ${AWS::StackName}-SessionStore
           ROOT_DOMAIN:
             !FindInMap [EnvironmentConfiguration, !Ref Environment, rootDomain]
+          ROOT_DOMAIN_WITH_ENV:
+            !FindInMap [
+              EnvironmentConfiguration,
+              !Ref Environment,
+              rootDomainWithEnv,
+            ]
           NOTIFICATIONS_QUEUE_URL: !GetAtt NotificationsQueue.QueueUrl
           AUTH_CODE_TABLE_NAME: !Ref AuthCodeTable
           JOURNEY_OUTCOME_TABLE_NAME: !Ref JourneyOutcomeTable
diff --git a/solutions/commons/utils/constants.ts b/solutions/commons/utils/constants.ts
@@ -27,3 +27,6 @@ export const passkeyDetailsSchema = v.object({
   isBackedUp: v.boolean(),
   isResidentKey: v.boolean(),
 });
+
+export const rootDomain = process.env["ROOT_DOMAIN"];
+export const rootDomainWithEnv = process.env["ROOT_DOMAIN_WITH_ENV"];
diff --git a/solutions/frontend/.env.integration-tests.sample b/solutions/frontend/.env.integration-tests.sample
@@ -4,6 +4,7 @@ USE_LOCALSTACK=1
 SESSIONS_SIGNER=localsessionsignerwhichmustbeatleast32chars
 SESSIONS_TABLE_NAME=amc-SessionStore
 ROOT_DOMAIN=localhost
+ROOT_DOMAIN_WITH_ENV=localhost
 AWS_REGION=eu-west-2
 LOCALSTACK_ENDPOINT=http://localhost:4566
 LOCAL_KMS_ENDPOINT=http://localhost:4567
diff --git a/solutions/frontend/.env.sample b/solutions/frontend/.env.sample
@@ -4,6 +4,7 @@ USE_LOCALSTACK=1
 SESSIONS_SIGNER=localsessionsignerwhichmustbeatleast32chars
 SESSIONS_TABLE_NAME=amc-SessionStore
 ROOT_DOMAIN=localhost
+ROOT_DOMAIN_WITH_ENV=localhost
 AWS_REGION=eu-west-2
 LOCALSTACK_ENDPOINT=http://localhost:4566
 LOCAL_KMS_ENDPOINT=http://localhost:4567
diff --git a/solutions/frontend/src/utils/configureI18n.test.ts b/solutions/frontend/src/utils/configureI18n.test.ts
@@ -8,8 +8,8 @@ vi.mock(import("../../../commons/utils/getEnvironment/index.js"), () => ({
   getEnvironment: vi.fn(),
 }));
 
-vi.mock(import("./constants.js"), () => ({
-  rootCookieDomain: "account.gov.uk",
+vi.mock(import("../../../commons/utils/constants.js"), () => ({
+  rootDomain: "account.gov.uk",
 }));
 
 // @ts-expect-error
diff --git a/solutions/frontend/src/utils/configureI18n.ts b/solutions/frontend/src/utils/configureI18n.ts
@@ -1,7 +1,7 @@
 import i18next from "i18next";
 import { LanguageDetector } from "i18next-http-middleware";
 import { getEnvironment } from "../../../commons/utils/getEnvironment/index.js";
-import { rootCookieDomain } from "./constants.js";
+import { rootDomain } from "../../../commons/utils/constants.js";
 
 export enum Lang {
   English = "en",
@@ -27,7 +27,7 @@ export const configureI18n = async (translations: Record<Lang, object>) => {
       ignoreCase: true,
       caches: ["cookie"],
       cookieSecure: getEnvironment() !== "local",
-      cookieDomain: rootCookieDomain,
+      cookieDomain: rootDomain,
       cookieSameSite: "none",
     },
   });
diff --git a/solutions/frontend/src/utils/constants.ts b/solutions/frontend/src/utils/constants.ts
@@ -1,7 +1,5 @@
 import type { FastifyReply } from "fastify";
 
-export const rootCookieDomain = process.env["ROOT_DOMAIN"];
-
 export const analyticsDefaults: FastifyReply["analytics"] = {
   taxonomyLevel1: "accounts",
 };
diff --git a/solutions/frontend/src/utils/session.test.ts b/solutions/frontend/src/utils/session.test.ts
@@ -8,8 +8,8 @@ vi.mock(import("../../../commons/utils/getEnvironment/index.js"), () => ({
   getEnvironment: mockGetEnvironment,
 }));
 
-vi.mock(import("./constants.js"), () => ({
-  rootCookieDomain: "test.com",
+vi.mock(import("../../../commons/utils/constants.js"), () => ({
+  rootDomainWithEnv: "test.com",
 }));
 
 vi.mock(import("./dynamoDbSessionStore.js"), () => ({
diff --git a/solutions/frontend/src/utils/session.ts b/solutions/frontend/src/utils/session.ts
@@ -3,7 +3,7 @@ import { getEnvironment } from "../../../commons/utils/getEnvironment/index.js";
 import assert from "node:assert";
 import type { FastifyRequest } from "fastify";
 import { DynamoDbSessionStore } from "./dynamoDbSessionStore.js";
-import { rootCookieDomain } from "./constants.js";
+import { rootDomainWithEnv } from "../../../commons/utils/constants.js";
 
 export const destroySession = async (request: FastifyRequest) => {
   await request.session.regenerate();
@@ -14,7 +14,7 @@ export const destroySession = async (request: FastifyRequest) => {
 export const getSessionOptions = async (): Promise<FastifySessionOptions> => {
   assert.ok(process.env["SESSIONS_SIGNER"]);
   assert.ok(process.env["SESSIONS_TABLE_NAME"]);
-  assert.ok(rootCookieDomain);
+  assert.ok(rootDomainWithEnv);
 
   return {
     secret: process.env["SESSIONS_SIGNER"],
@@ -23,8 +23,8 @@ export const getSessionOptions = async (): Promise<FastifySessionOptions> => {
       secure: getEnvironment() !== "local",
       sameSite: "strict",
       httpOnly: true,
-      // Scoped to the root cookie domain to allow it to be deleted on logout in the account management frontend
-      domain: rootCookieDomain,
+      // Scoped to the root (with env) cookie domain to allow it to be deleted on logout in the account management frontend
+      domain: rootDomainWithEnv,
     },
     cookieName: "amc_sess",
     rolling: false,
diff --git a/solutions/stubs/src/generateRequestObject/handlers/create.test.ts b/solutions/stubs/src/generateRequestObject/handlers/create.test.ts
@@ -20,6 +20,13 @@ vi.mock(import("../utils/getClientRegistryWithInvalidClient/index.js"), () => ({
   ]),
 }));
 
+// @ts-expect-error
+vi.mock(import("../../../../commons/utils/constants.js"), () => ({
+  rootDomain: "example.com",
+  mockEmailAddress: "testuser@test.null.local",
+  checkUserAgentCookieName: "amc",
+}));
+
 describe("createRequestObjectGet", () => {
   let mockRequest: Partial<FastifyRequest>;
   let mockReply: Partial<FastifyReply>;
@@ -114,7 +121,6 @@ describe("createRequestObjectPost", () => {
   it("should process request and render page with the correct data", async () => {
     const { createRequestObjectPost } = await import("./create.js");
     process.env["AUTHORIZE_URL"] = "http://localhost:6002/authorize";
-    process.env["ROOT_DOMAIN"] = "example.com";
     process.env["ENVIRONMENT"] = "production";
     const handler = createRequestObjectPost(mockFastify as FastifyInstance);
 
@@ -146,7 +152,6 @@ describe("createRequestObjectPost", () => {
   it("should set secure to false when environment is local", async () => {
     const { createRequestObjectPost } = await import("./create.js");
     process.env["AUTHORIZE_URL"] = "http://localhost:6002/authorize";
-    process.env["ROOT_DOMAIN"] = "example.com";
     process.env["ENVIRONMENT"] = "local";
     const handler = createRequestObjectPost(mockFastify as FastifyInstance);
 
diff --git a/solutions/stubs/src/generateRequestObject/handlers/create.ts b/solutions/stubs/src/generateRequestObject/handlers/create.ts
@@ -21,6 +21,7 @@ import { createHash } from "node:crypto";
 import {
   checkUserAgentCookieName,
   mockEmailAddress,
+  rootDomain,
 } from "../../../../commons/utils/constants.js";
 
 export const requestBodySchema = v.object({
@@ -119,15 +120,15 @@ export function createRequestObjectPost(fastify: FastifyInstance) {
       url.searchParams.append("state", result.jwtPayload["state"]);
     }
 
-    assert.ok(process.env["ROOT_DOMAIN"]);
+    assert.ok(rootDomain);
 
     reply.setCookie(
       checkUserAgentCookieName,
       createHash("sha256").update(result.token).digest("hex"),
       {
         secure: getEnvironment() !== "local",
         httpOnly: true,
-        domain: process.env["ROOT_DOMAIN"],
+        domain: rootDomain,
         sameSite: "strict",
       },
     );
