From 3bbefd1c06e252e6860b8efa4f0abf25dc490ab1 Mon Sep 17 00:00:00 2001
From: ziggy-cyb <120458506+ziggy-cyb@users.noreply.github.com>
Date: Tue, 2 Jan 2024 17:28:48 +0000
Subject: [PATCH] fix: Updated pay return url to allow insecure redirect urls if the environment is in test (#1178)
* Updated config schema to allow http if the environment is in test
* Updated pay return url to work in development as well
* Updated config tests
* Added different tests for different scenarios when an insecure return url is allowed
* Added documentation on the pay return url in default.js
---
 runner/config/default.js | 3 +++
 runner/src/server/utils/configSchema.ts | 10 ++++++++-
 runner/test/cases/server/config.test.js | 28 ++++++++++++++++++++++++-
 3 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/runner/config/default.js b/runner/config/default.js
index a0db542dfb..fc252bb751 100644
--- a/runner/config/default.js
+++ b/runner/config/default.js
@@ -104,6 +104,9 @@ module.exports = {
 // Control which is used. Accepts "test" | "production" | "".
 apiEnv: "",
 payApiUrl: "https://publicapi.payments.service.gov.uk/v1",
+ // If both the api env and node env are set to "production", the pay return url will need to be secure.
+ // This is not the case if either are set to "test", or if the node env is set to "development"
+ // payReturnUrl: "http://localhost:3009"
 // documentUploadApiUrl: "",
 // ordnanceSurveyKey: "", // deprecated - this API is deprecated
 // browserRefreshUrl: "", // deprecated - idk what this does
diff --git a/runner/src/server/utils/configSchema.ts b/runner/src/server/utils/configSchema.ts
index 87c896613d..88032ebf27 100644
--- a/runner/src/server/utils/configSchema.ts
+++ b/runner/src/server/utils/configSchema.ts
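Review bot: The added comment states the secure-url requirement more narrowly than the schema in this patch enforces: in configSchema.ts `payReturnUrl` goes through `secureUrl` whenever `env` is anything other than "development" or "test" and `apiEnv` is anything other than "test", not only when both are "production", and a setting such as env "staging" would still be required to be secure. The third added line reads like a commented-out setting but is actually the default the schema applies in the permissive branch, which is worth saying explicitly. I would reword the comment to match the rule: `// payReturnUrl must be an https url unless env is "development" or "test", or apiEnv is "test";` followed by `// in those cases it defaults to "http://localhost:3009" when unset.` The enclosing `module.exports` object starts and ends outside this hunk.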
@@ -31,7 +31,15 @@ export const configSchema = Joi.object({
 matomoId: Joi.string().optional(),
 matomoUrl: Joi.string().custom(secureUrl).optional(),
 payApiUrl: Joi.string().custom(secureUrl),
- payReturnUrl: Joi.string().custom(secureUrl),
+ payReturnUrl: Joi.when("env", {
+ is: Joi.string().valid("development", "test"),
+ then: Joi.string().default("http://localhost:3009"),
+ otherwise: Joi.when("apiEnv", {
+ is: Joi.string().valid("test"),
+ then: Joi.string().default("http://localhost:3009"),
+ otherwise: Joi.string().custom(secureUrl),
+ }),
+ }),
 serviceUrl: Joi.string().optional(),
 redisHost: Joi.string().optional(),
 redisPort: Joi.number().optional(),
diff --git a/runner/test/cases/server/config.test.js b/runner/test/cases/server/config.test.js
index 978d495ae2..3b9a8291b1 100644
--- a/runner/test/cases/server/config.test.js
+++ b/runner/test/cases/server/config.test.js
@@ -28,9 +28,11 @@ suite(`Server config validation`, () => {
 );
 });
- test("it throws when PAY_RETURN_URL is insecure", () => {
+ test("it throws when PAY_RETURN_URL is insecure and the environment is production", () => {
 const configWithInsecureUrl = {
 payReturnUrl: "http://insecure.url",
+ env: "production",
+ apiEnv: "production",
 };
 const { error } = configSchema.validate(configWithInsecureUrl);
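Review bot: The `is` conditions in the new `Joi.when` chain accept a missing key, so a config that sets neither `env` nor `apiEnv` appears to take the `then` branch and an insecure `payReturnUrl` is accepted without the `secureUrl` check; as far as I recall, Joi's `when()` treats `undefined` as matching `is` unless the condition schema is marked `.required()`. Before this patch the test rewritten in config.test.js covered exactly that shape (an insecure url with no `env` at all) and expected an error, and the two tests added in the later hunk only exercise explicit "test" values, so the regression is not caught. I would tighten both conditions, `is: Joi.string().valid("development", "test").required(),` and `is: Joi.string().valid("test").required(),`, and keep a test that passes an insecure url with `env` and `apiEnv` unset and expects a validation error. The enclosing `Joi.object({` starts and ends outside this hunk.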
@@ -40,6 +42,30 @@ suite(`Server config validation`, () => {
 );
 });
+ test("it succeeds when PAY_RETURN_URL is insecure and the node environment is test", () => {
+ const configWithInsecureUrl = {
+ payReturnUrl: "http://insecure.url",
+ env: "test",
+ apiEnv: "production",
+ };
+
+ const result = configSchema.validate(configWithInsecureUrl);
+
+ expect(Object.keys(result)).to.not.contain("error");
+ });
+
+ test("it succeeds when PAY_RETURN_URL is insecure and the api environment is test", () => {
+ const configWithInsecureUrl = {
+ payReturnUrl: "http://insecure.url",
+ env: "production",
+ apiEnv: "test",
+ };
+
+ const result = configSchema.validate(configWithInsecureUrl);
+
+ expect(Object.keys(result)).to.not.contain("error");
+ });
+
 test("it throws when oAuth config is incomplete", () => {
 const configWithIncompleteAuth = {
 authEnabled: true,
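Review bot: The two added tests only prove that validation produced no error; they do not check that the insecure url supplied was kept in `result.value` rather than replaced by the `default("http://localhost:3009")` the schema applies on the permissive branch, which is the behaviour these scenarios exist to pin down. `expect(Object.keys(result)).to.not.contain("error")` is also an indirect way to say the result carries no error and depends on Joi omitting the key rather than setting it to `undefined`. I would assert on the fields directly in both tests, `expect(result.error).to.be.undefined;` followed by `expect(result.value.payReturnUrl).to.equal("http://insecure.url");`. The enclosing `suite(...)` callback starts and ends outside this hunk.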