Merge branch 'v2' into kls-magic-link

Author: SullyK

model/src/data-model/types.ts

@@ -188,6 +188,13 @@ export type ExitOptions = {
   format?: "STATE" | "WEBHOOK";
 };
 
+export type Analytics = {
+  gtmId1: string;
+  gtmId2: string;
+  matomoId: string;
+  matomoUrl: string;
+};
+
 /**
  * `FormDefinition` is a typescript representation of `Schema`
  */
@@ -215,4 +222,10 @@ export type FormDefinition = {
   toggle?: boolean | string | undefined;
   retryTimeoutSeconds?: number | undefined;
   magicLinkConfig?: string | undefined;
+  allowedDomains?: string[] | undefined;
+  invalidDomainRedirect?: string | undefined;
+  analytics?: Analytics;
+  webhookHmacSharedKey?: string | undefined;
+  fullStartPage?: string | undefined;
+  serviceName?: string | undefined;
 };

model/src/schema/schema.ts

@@ -209,6 +209,13 @@ const feeSchema = joi.object().keys({
   prefix: joi.string().optional(),
 });
 
+const analyticsSchema = joi.object().keys({
+  gtmId1: joi.string().allow("").optional(),
+  gtmId2: joi.string().allow("").optional(),
+  matomoId: joi.string().allow("").optional(),
+  matomoUrl: joi.string().uri().allow("").optional(),
+});
+
 const multiApiKeySchema = joi.object({
   test: joi.string().optional(),
   smoke: joi.string().optional(),
@@ -347,6 +354,12 @@ export const Schema = joi
     toggleRedirect: joi.string().optional(),
     retryTimeoutSeconds: joi.number().optional(),
     magicLinkConfig: joi.string().optional(),
+    allowedDomains: joi.array().items(joi.string()).optional(),
+    invalidDomainRedirect: joi.string().optional(),
+    analytics: analyticsSchema.optional(),
+    webhookHmacSharedKey: joi.string().optional(),
+    fullStartPage: joi.string().optional(),
+    serviceName: joi.string().optional(),
   });
 
 /**

runner/src/server/forms/ReportAnOutbreak.json

@@ -2,6 +2,9 @@
   "metadata": {},
   "authentication": true,
   "toggle": "${magicLinkToggle}",
+  "analytics": {
+    "gtmId1": "GTM-MM6VPCXX"
+  },
   "startPage": "/start",
   "pages": [
     {

runner/src/server/plugins/engine/pageControllers/MagicLinkSubmissionPageController.ts

@@ -3,6 +3,7 @@ import { PageController } from "./PageController";
 import { redirectTo } from "../helpers";
 import { HapiRequest, HapiResponseToolkit } from "server/types";
 import { createHmac } from "src/server/utils/hmac";
+import { isAllowedDomain } from "src/server/utils/domain";
 
 // Shared options for cookie settings
 const getCookieOptions = (timeRemaining) => ({
@@ -132,6 +133,18 @@ export class MagicLinkSubmissionPageController extends PageController {
         return redirectTo(request, h, `/${model.basePath}/start`);
       }
 
+      const allowedEmailDomains = this.model.def.allowedDomains ?? [];
+      //hardcoded start page as a fallback if InvalidDomainRedirectPage not added to config
+      const InvalidDomainRedirectPage =
+        model.def.invalidDomainRedirect || "/start";
+      if (!isAllowedDomain(email, allowedEmailDomains)) {
+        request.logger.warn([
+          "DomainValidation",
+          `Email domain '${email.split("@")[1]}' not allowed`,
+        ]);
+        return redirectTo(request, h, InvalidDomainRedirectPage);
+      }
+
       const hmacKey = this.model.def.outputs[0].outputConfiguration.hmacKey;
       const currentTime = Math.floor(Date.now() / 1000);
 

runner/src/server/plugins/views.ts

@@ -61,28 +61,36 @@ export default {
       `${path.dirname(resolve.sync("hmpo-components"))}/components`,
     ],
     isCached: !config.isDev,
-    context: (request: HapiRequest) => ({
-      appVersion: pkg.version,
-      assetPath: "/assets",
-      cookiesPolicy: request?.state?.cookies_policy,
-      serviceName: capitalize(config.serviceName),
-      feedbackLink: config.feedbackLink,
-      pageTitle: config.serviceName + " - GOV.UK",
-      analyticsAccount: config.analyticsAccount,
-      gtmId1: config.gtmId1,
-      gtmId2: config.gtmId2,
-      location: request?.app.location,
-      matomoId: config.matomoId,
-      matomoUrl: config.matomoUrl,
-      BROWSER_REFRESH_URL: config.browserRefreshUrl,
-      sessionTimeout: config.sessionTimeout,
-      skipTimeoutWarning: false,
-      serviceStartPage: config.serviceStartPage || "#",
-      privacyPolicyUrl: config.privacyPolicyUrl || "/help/privacy",
-      phaseTag: config.phaseTag,
-      navigation: request?.auth.isAuthenticated
-        ? [{ text: "Sign out", href: "/logout" }]
-        : null,
-    }),
+    context: (request: HapiRequest) => {
+      const id = request.params?.id;
+      const forms = request.server?.app?.forms;
+      const model = id && forms?.[id];
+      const analytics = model?.def?.analytics || {};
+
+      return {
+        appVersion: pkg.version,
+        assetPath: "/assets",
+        cookiesPolicy: request?.state?.cookies_policy,
+        serviceName: capitalize(request.server?.app?.forms?.[request.params?.id]?.def?.serviceName || config.serviceName),
+        feedbackLink: config.feedbackLink,
+        pageTitle: (request.server?.app?.forms?.[request.params?.id]?.def?.serviceName || config.serviceName) + " - GOV.UK",
+        analyticsAccount: config.analyticsAccount,
+        gtmId1: analytics.gtmId1 || "",
+        gtmId2: analytics.gtmId2 || "",
+        location: request?.app.location,
+        matomoId: analytics.matomoId || "",
+        matomoUrl: analytics.matomoUrl || "",
+        BROWSER_REFRESH_URL: config.browserRefreshUrl,
+        sessionTimeout: config.sessionTimeout,
+        skipTimeoutWarning: false,
+        serviceStartPage: request.server?.app?.forms?.[request.params?.id]?.def?.fullStartPage || config.serviceName || "#",
+        privacyPolicyUrl: config.privacyPolicyUrl || "/help/privacy",
+        phaseTag: config.phaseTag,
+        navigation: request?.auth.isAuthenticated
+          ? [{ text: "Sign out", href: "/logout" }]
+          : null,
+      };
+    },
+
   },
 };

runner/src/server/services/statusService.ts

@@ -1,4 +1,5 @@
 import { HapiRequest, HapiServer } from "../types";
+import { createHmacRaw } from "../utils/hmac";
 import {
   CacheService,
   NotifyService,
@@ -130,6 +131,29 @@ export class StatusService {
 
     let newReference;
 
+    /**
+     * If the OPTIONAL config contains webhookHmacSharedKey, then we send HMAC Auth headers
+     * This is used to confirm ONLY X-Gov's backend is sending data to our API
+     * Everyone else will be Rejected
+     */
+    const id = request.params?.id;
+    const forms = request.server?.app?.forms;
+    const model = id && forms?.[id];
+    const hmacKey = model?.def?.webhookHmacSharedKey;
+    let customSecurityHeaders: Record<string, string> = {};
+
+    if (hmacKey) {
+      const [hmacSignature, requestTime, hmacExpiryTime] = await createHmacRaw(
+        request.yar.id,
+        hmacKey
+      );
+      customSecurityHeaders = {
+        "X-Request-ID": request.yar.id.toString(),
+        "X-HMAC-Signature": hmacSignature.toString(),
+        "X-HMAC-Time": requestTime.toString(),
+      };
+    }
+
     if (callback) {
       this.logger.info(
         ["StatusService", "outputRequests"],
@@ -153,7 +177,8 @@ export class StatusService {
         firstWebhook.outputData.url,
         { ...formData },
         "POST",
-        firstWebhook.outputData.sendAdditionalPayMetadata
+        firstWebhook.outputData.sendAdditionalPayMetadata,
+        customSecurityHeaders
       );
       await this.cacheService.mergeState(request, {
         reference: newReference,
@@ -178,7 +203,8 @@ export class StatusService {
             ...formData,
           },
           "POST",
-          sendAdditionalPayMetadata
+          sendAdditionalPayMetadata,
+          customSecurityHeaders
         )
       ),
     ];

runner/src/server/services/webhookService.ts

@@ -27,20 +27,26 @@ export class WebhookService {
     url: string,
     data: object,
     method: "POST" | "PUT" = "POST",
-    sendAdditionalPayMetadata: boolean = false
+    sendAdditionalPayMetadata: boolean = false,
+    authHeaders?: Record<string, string>
   ) {
     // Commented out due to potential for logging PII
     // this.logger.info(
     //   ["WebhookService", "postRequest body"],
     //   JSON.stringify(data)
     // );
+
     let request = method === "POST" ? post : put;
     try {
       if (!sendAdditionalPayMetadata) {
         delete data?.metadata?.pay;
       }
       const { payload } = await request(url, {
         ...DEFAULT_OPTIONS,
+        headers: {
+          ...DEFAULT_OPTIONS.headers,
+          ...(authHeaders || {}),
+        },
         payload: JSON.stringify(data),
       });
 

runner/src/server/utils/domain.ts

@@ -0,0 +1,21 @@
+export function isAllowedDomain(
+  email: string,
+  allowedDomains: string[]
+): boolean {
+  if (!allowedDomains || allowedDomains.length === 0) {
+    return true;
+  }
+
+  const trimmedEmail = email.trim();
+  const basicEmailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+
+  if (!basicEmailRegex.test(trimmedEmail)) {
+    return false;
+  }
+
+  const domain = trimmedEmail.split("@")[1].toLowerCase();
+  return allowedDomains.some((allowed) => {
+    const allowedLower = allowed.toLowerCase();
+    return domain === allowedLower || domain.endsWith("." + allowedLower);
+  });
+}

runner/src/server/utils/hmac.ts

@@ -80,6 +80,29 @@ export async function createHmac(email: string, hmacKey: string) {
   }
 }
 
+/**
+ * Similar to the above but returns raw epoch timestamps,
+ * making it preferable for cryptographic logic.
+ * The other function may benefit from refactoring
+ * to separate display logic from core logic. */
+export async function createHmacRaw(message: string, hmacKey: string) {
+  try {
+    const currentTimestamp = Math.floor(Date.now() / 1000);
+    const dataToHash = message + currentTimestamp;
+    const hmac = crypto
+      .createHmac("sha256", hmacKey)
+      .update(dataToHash)
+      .digest("hex");
+
+    const expiryTimestamp = currentTimestamp + TIME_THRESHOLD;
+
+    return [hmac, currentTimestamp, expiryTimestamp];
+  } catch (error) {
+    console.error("Error creating HMAC (raw):", error);
+    throw error;
+  }
+}
+
 /**
  * Validates an HMAC signature
  */

runner/src/server/views/timeout.html

@@ -14,7 +14,7 @@ <h1 class="govuk-heading-l">Your application has timed out</h1>
           We have reset your application because you did not do anything for {{ sessionTimeout / 60000 }} minutes. We did this
           to keep your information secure.
         </p>
-        <a href="{{ serviceStartPage }}" class="govuk-button">Start application again</a>
+        <a href="{{ startPage }}" class="govuk-button">Start application again</a>
       </div>
     </div>
   </div>