Update CloudFront cookie settings. (#31)

ministryofjustice · Dec 6, 2024 · 21c042c · 21c042c
1 parent ab13639
commit 21c042c
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 20 deletions.
diff --git a/conf/node/controllers/cloudfront.js b/conf/node/controllers/cloudfront.js
@@ -28,21 +28,21 @@ const cache = {
 /**
  * Infer the CloudFront CDN URL from the app host
  *
- * @param {string} appHost
+ * @param {URL} appUrl - The app URL
  * @returns {URL} cdnURL - The CloudFront CDN URL
  * @throws {Error} If the host is invalid
  */
 
-export const getCdnUrl = (appHost) => {
+export const getCdnUrl = (appUrl) => {
   // Check appHost starts with `app.`
-  if (!appHost.startsWith("app.")) {
+  if (!appUrl.host.startsWith("app.")) {
     throw new Error("Invalid host");
   }
 
-  const cdnHost = appHost.replace(/^app\./, "");
+  const cdnHost = appUrl.host.replace(/^app\./, "");
 
   // Use regex to replace the initial app. with an empty string.
-  return new URL(`https://${cdnHost}`);
+  return new URL(`${appUrl.protocol}//${cdnHost}`);
 };
 
 /**

diff --git a/conf/node/controllers/cloudfront.test.js b/conf/node/controllers/cloudfront.test.js
@@ -7,13 +7,15 @@ import {
 
 describe("getCdnUrl", () => {
   it("should return a cdn URL object", () => {
-    const result = getCdnUrl("app.archive.example.com");
+    const result = getCdnUrl(new URL("https://app.archive.example.com"));
     expect(result.host).toBe("archive.example.com");
     expect(result.origin).toBe("https://archive.example.com");
   });
 
   it("should throw an error for invalid host", () => {
-    expect(() => getCdnUrl("archive.example.com")).toThrow("Invalid host");
+    expect(() => getCdnUrl(new URL("https://archive.example.com"))).toThrow(
+      "Invalid host",
+    );
   });
 });
 

diff --git a/conf/node/controllers/s3.test.js b/conf/node/controllers/s3.test.js
@@ -60,6 +60,8 @@ describe("sync", () => {
   afterAll(async () => {
     // Remove the test file
     await fs.promises.unlink("/tmp/s3-test/test.txt");
+
+    await client.destroy();
   });
 
   it("should sync the files", async () => {
@@ -73,12 +75,6 @@ describe("sync", () => {
 
     expect(bodyString).toBe(fileContent);
   });
-
-  it("should throw an error if the source directory doesn't exist", async () => {
-    await expect(
-      sync("/tmp/invalid-directory", `s3://${s3BucketName}/test`),
-    ).rejects.toThrow();
-  });
 });
 
 describe("S3EmptyDir", () => {

diff --git a/conf/node/package.json b/conf/node/package.json
@@ -6,7 +6,7 @@
   "scripts": {
     "dev": "node --watch server.js",
     "test": "node --experimental-vm-modules node_modules/jest/bin/jest.js",
-    "test:watch": "node --experimental-vm-modules node_modules/jest/bin/jest.js --watchAll"
+    "test:watch": "node  --experimental-vm-modules node_modules/jest/bin/jest.js --watchAll"
   },
   "type": "module",
   "repository": {

diff --git a/conf/node/server.js b/conf/node/server.js
@@ -67,7 +67,6 @@ app.post("/bucket-test", async function (_req, res, next) {
   }
 });
 
-
 app.post("/spider", function (req, res) {
   // Start the main function - without awiting for the result.
   main(req.mirror);
@@ -78,10 +77,14 @@ app.post("/spider", function (req, res) {
 app.get("/access-archive", async function (req, res, next) {
   try {
     // Get the current domain from the request
-    const appHost = req.headers["x-forwarded-host"] || req.headers["host"];
-
+    const appUrl = new URL(
+      `${req.headers["x-forwarded-proto"] || req.protocol}://${
+        req.headers["x-forwarded-host"] || req.headers["host"]
+      }`,
+    );
+
     // Get the CloudFront CDN URL
-    const cdnUrl = getCdnUrl(appHost);
+    const cdnUrl = getCdnUrl(appUrl);
 
     // Get the CloudFront cookies
     const cookies = getCookies({
@@ -92,9 +95,8 @@ app.get("/access-archive", async function (req, res, next) {
     // Set the cookies on the response
     Object.entries(cookies).forEach(([name, value]) => {
       res.cookie(name, value, {
-        path: "/",
         domain: cdnUrl.host,
-        secure: true,
+        secure: cdnUrl.protocol === "https:",
         sameSite: "Lax",
         httpOnly: true,
       });

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -35,6 +35,9 @@ services:
     environment:
       MINIO_ROOT_USER: ${AWS_ACCESS_KEY_ID}
       MINIO_ROOT_PASSWORD: ${AWS_SECRET_ACCESS_KEY}
+      # Accessible at this domain, so we can manually check that CloudFront cookies have been set correctly.
+      VIRTUAL_HOST: archive.intranet.docker
+      VIRTUAL_PORT: "9001"
     command: server --console-address ":9001" /data
     healthcheck:
       test: timeout 5s bash -c ':> /dev/tcp/127.0.0.1/9000' || exit 1