Use JWT Auth against API Frontend

Author: MWClayson-NHS

application/CohortManager/src/Web/app/account/page.tsx

@@ -9,6 +9,7 @@ export const metadata: Metadata = {
 export default async function Page() {
   const breadcrumbItems = [{ label: "Home", url: "/" }];
   const session = await auth();
+  const isDevelopment = process.env.APP_ENV === "development";
 
   return (
     <>
@@ -52,6 +53,33 @@ export default async function Page() {
                   </ul>
                 </dd>
               </div>
+              {isDevelopment ? (
+                <>
+                  <div className="nhsuk-summary-list__row">
+                    <dt className="nhsuk-summary-list__key">
+                      Development ID token
+                    </dt>
+                    <dd className="nhsuk-summary-list__value">
+                      <p>
+                        Set AUTH_CIS2_DEV_ID_TOKEN or AUTH_CIS2_DEV_JWT_TOKEN
+                        in your local env to supply a JWT when using the
+                        development credentials sign-in.
+                      </p>
+                      <pre>{session?.idToken || "No ID token available"}</pre>
+                    </dd>
+                  </div>
+                  <div className="nhsuk-summary-list__row">
+                    <dt className="nhsuk-summary-list__key">
+                      Development access token
+                    </dt>
+                    <dd className="nhsuk-summary-list__value">
+                      <pre>
+                        {session?.accessToken || "No access token available"}
+                      </pre>
+                    </dd>
+                  </div>
+                </>
+              ) : null}
             </dl>
           </div>
         </div>

application/CohortManager/src/Web/app/lib/auth.ts

@@ -5,6 +5,20 @@ import { jwtDecode } from "jwt-decode";
 import { OAuthConfig } from "next-auth/providers";
 import { DecodedCIS2Token } from "@/app/types/auth";
 
+const isDevelopment = process.env.APP_ENV === "development";
+
+function getDevelopmentIdToken() {
+  return (
+    process.env.AUTH_CIS2_DEV_ID_TOKEN ??
+    process.env.AUTH_CIS2_DEV_JWT_TOKEN ??
+    process.env.AUTH_CIS2_DEV_JWT
+  );
+}
+
+function getDevelopmentAccessToken() {
+  return process.env.AUTH_CIS2_DEV_ACCESS_TOKEN ?? getDevelopmentIdToken();
+}
+
 const NHS_CIS2: OAuthConfig<Profile> = {
   id: "nhs-cis2",
   name: "NHS CIS2 Authentication",
@@ -31,7 +45,7 @@ const NHS_CIS2: OAuthConfig<Profile> = {
 export const { handlers, auth, signIn, signOut } = NextAuth({
   providers: [
     NHS_CIS2,
-    ...(process.env.APP_ENV === "development"
+    ...(isDevelopment
       ? [
           Credentials({
             credentials: {
@@ -61,10 +75,7 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
     },
     async signIn({ account }) {
       // Handle test accounts in development
-      if (
-        process.env.APP_ENV === "development" &&
-        account?.provider === "credentials"
-      ) {
+      if (isDevelopment && account?.provider === "credentials") {
         return true;
       }
 
@@ -88,6 +99,14 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
       return isValidToken;
     },
     async jwt({ account, token, profile }) {
+      if (typeof account?.access_token === "string") {
+        token.accessToken = account.access_token;
+      }
+
+      if (typeof account?.id_token === "string") {
+        token.idToken = account.id_token;
+      }
+
       if (account?.access_token) {
         try {
           const response = await fetch(
@@ -111,10 +130,7 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
       }
 
       // Handle test accounts in development
-      if (
-        process.env.APP_ENV === "development" &&
-        account?.provider === "credentials"
-      ) {
+      if (isDevelopment && account?.provider === "credentials") {
         Object.assign(token, {
           uid: "testuid",
           firstName: "Test",
@@ -123,6 +139,8 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
           sid: "5678",
           workgroups: ["Test Workgroup"],
           workgroups_codes: ["000000000000"],
+          accessToken: token.accessToken ?? getDevelopmentAccessToken(),
+          idToken: token.idToken ?? getDevelopmentIdToken(),
         });
       }
 
@@ -179,6 +197,12 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
           workgroups_codes,
         });
       }
+
+      session.accessToken =
+        typeof token.accessToken === "string" ? token.accessToken : undefined;
+      session.idToken =
+        typeof token.idToken === "string" ? token.idToken : undefined;
+
       return session;
     },
   },

application/CohortManager/src/Web/app/lib/fetchExceptions.test.ts

@@ -1,9 +1,20 @@
 import { fetchExceptions } from "@/app/lib/fetchExceptions";
+import { auth } from "@/app/lib/auth";
 import type { ExceptionsAPI } from "@/app/types/exceptionsApi";
+import type { Session } from "next-auth";
+
+jest.mock("@/app/lib/auth", () => ({
+  auth: jest.fn(),
+}));
+
+const mockAuth = auth as unknown as jest.MockedFunction<
+  () => Promise<Session | null>
+>;
 
 describe("fetchExceptions", () => {
   beforeEach(() => {
     jest.resetModules();
+    mockAuth.mockResolvedValue(null);
   });
 
   it("fetches exceptions from the API", async () => {
@@ -60,14 +71,21 @@ describe("fetchExceptions", () => {
         RecordUpdatedDate: "",
       },
     ];
-    global.fetch = jest.fn().mockResolvedValue({
+    globalThis.fetch = jest.fn().mockResolvedValue({
       ok: true,
       json: jest.fn().mockResolvedValue(mockResponse),
       headers: { get: jest.fn().mockReturnValue(null) },
     });
 
     const result = await fetchExceptions();
     expect(result.data).toEqual(mockResponse);
+    expect(globalThis.fetch).toHaveBeenCalledWith(
+      expect.stringContaining("/api/GetValidationExceptions?"),
+      expect.objectContaining({
+        cache: "no-store",
+        headers: undefined,
+      })
+    );
   });
 
   it("fetches individual exception details from the API", async () => {
@@ -93,7 +111,7 @@ describe("fetchExceptions", () => {
       },
     };
 
-    global.fetch = jest.fn().mockResolvedValue({
+    globalThis.fetch = jest.fn().mockResolvedValue({
       ok: true,
       json: jest.fn().mockResolvedValue(mockResponse),
       headers: { get: jest.fn().mockReturnValue(null) },
@@ -104,7 +122,7 @@ describe("fetchExceptions", () => {
   });
 
   it("throws an error if the response is not ok", async () => {
-    global.fetch = jest.fn().mockResolvedValue({
+    globalThis.fetch = jest.fn().mockResolvedValue({
       ok: false,
       statusText: "Not found",
     });
@@ -113,4 +131,35 @@ describe("fetchExceptions", () => {
       "Error fetching data: Not found"
     );
   });
+
+  it("adds the JWT token as an authorization header when available", async () => {
+    mockAuth.mockResolvedValue({
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      idToken: "dev-jwt-token",
+      user: {
+        name: "Test User",
+        email: null,
+        image: null,
+        uid: "testuid",
+      },
+    });
+
+    globalThis.fetch = jest.fn().mockResolvedValue({
+      ok: true,
+      json: jest.fn().mockResolvedValue([]),
+      headers: { get: jest.fn().mockReturnValue(null) },
+    });
+
+    await fetchExceptions();
+
+    expect(globalThis.fetch).toHaveBeenCalledWith(
+      expect.stringContaining("/api/GetValidationExceptions?"),
+      expect.objectContaining({
+        cache: "no-store",
+        headers: {
+          Authorization: "Bearer dev-jwt-token",
+        },
+      })
+    );
+  });
 });

application/CohortManager/src/Web/app/lib/fetchExceptions.ts

@@ -1,5 +1,7 @@
 "use server";
 
+import { auth } from "@/app/lib/auth";
+
 type FetchExceptionsParams = {
   exceptionId?: number;
   page?: number;
@@ -39,10 +41,26 @@ function buildQueryString(params: FetchExceptionsParams): string {
   return searchParams.toString();
 }
 
+async function getAuthHeaders() {
+  const session = await auth();
+  const bearerToken = session?.idToken ?? session?.accessToken;
+
+  if (!bearerToken) {
+    return undefined;
+  }
+
+  return {
+    Authorization: `Bearer ${bearerToken}`,
+  };
+}
+
 export async function fetchExceptions(params: FetchExceptionsParams = {}) {
   const query = buildQueryString(params);
   const apiUrl = `${process.env.EXCEPTIONS_API_URL}/api/GetValidationExceptions?${query}`;
-  const response = await fetch(apiUrl, { cache: 'no-store' });
+  const response = await fetch(apiUrl, {
+    cache: 'no-store',
+    headers: await getAuthHeaders(),
+  });
 
   if (!response.ok) {
     throw new Error(`Error fetching data: ${response.statusText}`);
@@ -79,7 +97,9 @@ export async function fetchExceptionsByType(
     process.env.EXCEPTIONS_API_URL
   }/api/GetValidationExceptionsByType?${query.toString()}`;
 
-  const response = await fetch(apiUrl);
+  const response = await fetch(apiUrl, {
+    headers: await getAuthHeaders(),
+  });
 
   if (response.status === 204 || response.status === 400 || response.status === 404) {
     return {

application/CohortManager/src/Web/app/types/auth/index.d.ts

@@ -1,3 +1,5 @@
+import type { DefaultSession } from "next-auth";
+
 declare module "next-auth" {
   interface User {
     uid: string;
@@ -10,6 +12,28 @@ declare module "next-auth" {
     workgroups?: string[];
     workgroups_codes?: string[];
   }
+
+  interface Session {
+    user?: DefaultSession["user"] & User;
+    accessToken?: string;
+    idToken?: string;
+  }
+}
+
+declare module "next-auth/jwt" {
+  interface JWT {
+    uid?: string;
+    firstName?: string;
+    lastName?: string;
+    sub?: string;
+    sid?: string;
+    odsCode?: string;
+    orgName?: string;
+    workgroups?: string[];
+    workgroups_codes?: string[];
+    accessToken?: string;
+    idToken?: string;
+  }
 }
 
 export interface DecodedCIS2Token {

application/CohortManager/src/Web/tsconfig.json

@@ -16,7 +16,7 @@
     "moduleResolution": "node",
     "resolveJsonModule": true,
     "isolatedModules": true,
-    "jsx": "preserve",
+    "jsx": "react-jsx",
     "incremental": true,
     "plugins": [
       {