fix: Updated pay return url to allow insecure redirect urls if the en…

…vironment is in test (#1178) * Updated config schema to allow http if the environment is in test * Updated pay return url to work in development as well * Updated config tests * Added different tests for different scenarios when an insecure return url is allowed * Added documentation on the pay return url in default.js
XGovFormBuilder · Jan 2, 2024 · 3bbefd1 · 3bbefd1
1 parent c9ad961
commit 3bbefd1
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 2 deletions.
diff --git a/runner/config/default.js b/runner/config/default.js
@@ -104,6 +104,9 @@ module.exports = {
   // Control which is used. Accepts "test" | "production" | "".
   apiEnv: "",
   payApiUrl: "https://publicapi.payments.service.gov.uk/v1",
+  // If both the api env and node env are set to "production", the pay return url will need to be secure.
+  // This is not the case if either are set to "test", or if the node env is set to "development"
+  // payReturnUrl: "http://localhost:3009"
   // documentUploadApiUrl: "",
   // ordnanceSurveyKey: "", // deprecated - this API is deprecated
   // browserRefreshUrl: "", // deprecated - idk what this does

diff --git a/runner/src/server/utils/configSchema.ts b/runner/src/server/utils/configSchema.ts
@@ -31,7 +31,15 @@ export const configSchema = Joi.object({
   matomoId: Joi.string().optional(),
   matomoUrl: Joi.string().custom(secureUrl).optional(),
   payApiUrl: Joi.string().custom(secureUrl),
-  payReturnUrl: Joi.string().custom(secureUrl),
+  payReturnUrl: Joi.when("env", {
+    is: Joi.string().valid("development", "test"),
+    then: Joi.string().default("http://localhost:3009"),
+    otherwise: Joi.when("apiEnv", {
+      is: Joi.string().valid("test"),
+      then: Joi.string().default("http://localhost:3009"),
+      otherwise: Joi.string().custom(secureUrl),
+    }),
+  }),
   serviceUrl: Joi.string().optional(),
   redisHost: Joi.string().optional(),
   redisPort: Joi.number().optional(),

diff --git a/runner/test/cases/server/config.test.js b/runner/test/cases/server/config.test.js
@@ -28,9 +28,11 @@ suite(`Server config validation`, () => {
     );
   });
 
-  test("it throws when PAY_RETURN_URL is insecure", () => {
+  test("it throws when PAY_RETURN_URL is insecure and the environment is production", () => {
     const configWithInsecureUrl = {
       payReturnUrl: "http://insecure.url",
+      env: "production",
+      apiEnv: "production",
     };
 
     const { error } = configSchema.validate(configWithInsecureUrl);
@@ -40,6 +42,30 @@ suite(`Server config validation`, () => {
     );
   });
 
+  test("it succeeds when PAY_RETURN_URL is insecure and the node environment is test", () => {
+    const configWithInsecureUrl = {
+      payReturnUrl: "http://insecure.url",
+      env: "test",
+      apiEnv: "production",
+    };
+
+    const result = configSchema.validate(configWithInsecureUrl);
+
+    expect(Object.keys(result)).to.not.contain("error");
+  });
+
+  test("it succeeds when PAY_RETURN_URL is insecure and the api environment is test", () => {
+    const configWithInsecureUrl = {
+      payReturnUrl: "http://insecure.url",
+      env: "production",
+      apiEnv: "test",
+    };
+
+    const result = configSchema.validate(configWithInsecureUrl);
+
+    expect(Object.keys(result)).to.not.contain("error");
+  });
+
   test("it throws when oAuth config is incomplete", () => {
     const configWithIncompleteAuth = {
       authEnabled: true,