OLH-3862 add route

Author: saralk

deploy/template.yaml

@@ -916,6 +916,8 @@ Resources:
             - Name: "AMC_JWKS_URL"
               Value:
                 !FindInMap [EnvironmentVariables, !Ref Environment, AMCJWKSURL]
+            - Name: "JWKS_BUCKET_NAME"
+              Value: !Ref JwksBucket
       Cpu: !FindInMap [Container, !Ref Environment, CPU]
       Memory: !FindInMap [Container, !Ref Environment, Memory]
       ExecutionRoleArn: !GetAtt TaskExecutionRole.Arn
@@ -1077,6 +1079,11 @@ Resources:
                   - "kms:DescribeKey"
                 Resource:
                   - !GetAtt SigningKmsKey.Arn
+              - Effect: Allow
+                Action:
+                  - "s3:GetObject"
+                Resource:
+                  - !Sub "${JwksBucket.Arn}/jwks.json"
               - Effect: Allow
                 Action:
                   - "kms:GenerateDataKey*"

src/app.constants.ts

@@ -179,6 +179,9 @@ export const PATH_DATA: Record<
   THANKS_TXT: {
     url: "/.well-known/thanks.txt",
   },
+  JWKS_JSON: {
+    url: "/.well-known/jwks.json",
+  },
   TRACK_AND_REDIRECT: {
     url: "/track-and-redirect",
   },

src/app.ts

@@ -74,6 +74,7 @@ import { switchBackupMethodRouter } from "./components/switch-backup-method/swit
 import { changeDefaultMethodRouter } from "./components/change-default-method/change-default-method-routes";
 import { logoutRedirectRouter } from "./components/logout-redirect/logout-redirect-routes";
 import { isUserLoggedInMiddleware } from "./middleware/is-user-logged-in-middleware";
+import { jwksRouter } from "./components/jwks/jwks-routes";
 import { applyOverloadProtection } from "./middleware/overload-protection-middleware";
 import { frontendVitalSignsInit } from "@govuk-one-login/frontend-vital-signs";
 import { Server } from "node:http";
@@ -242,6 +243,7 @@ async function createApp(): Promise<express.Application> {
   app.use(authMiddleware(getOIDCConfig()));
 
   app.use(backchannelLogoutRouter);
+  app.use(jwksRouter);
   // Must be added to the app after the session is set up and before the routers
   app.use(csrfSynchronisedProtection);
 

src/components/jwks/jwks-controller.ts

@@ -0,0 +1,22 @@
+import { Request, Response } from "express";
+import { s3Client } from "../../config/aws";
+import { GetObjectCommand } from "@aws-sdk/client-s3";
+import { HTTP_STATUS_CODES } from "../../app.constants";
+
+export async function jwksGet(req: Request, res: Response): Promise<void> {
+  try {
+    const response = await s3Client.getClient().send(
+      new GetObjectCommand({
+        Bucket: process.env.JWKS_BUCKET_NAME,
+        Key: "jwks.json",
+      })
+    );
+
+    const jwks = await response.Body?.transformToString();
+    res.setHeader("Content-Type", "application/json");
+    res.status(HTTP_STATUS_CODES.OK).send(jwks);
+  } catch (error) {
+    req.log.error(`Failed to fetch JWKS: ${error}`);
+    res.status(HTTP_STATUS_CODES.INTERNAL_SERVER_ERROR).send("Internal Server Error");
+  }
+}

src/components/jwks/jwks-routes.ts

@@ -0,0 +1,9 @@
+import { PATH_DATA } from "../../app.constants";
+import * as express from "express";
+import { jwksGet } from "./jwks-controller";
+
+const router = express.Router();
+
+router.get(PATH_DATA.JWKS_JSON.url, jwksGet);
+
+export { router as jwksRouter };