Merge pull request #1413 from guardian/ahe/keep-ncom-query-params

Newspaper archive auth - add query params override, validate return URL

Author: andrewHEguardian

server/middleware/identityMiddleware.ts

@@ -65,8 +65,11 @@ const signedOutAfterTokensIssued = ({
 	// where the middleware may continually keep running performAuthorizationCodeFlow().
 	guSoTimestamp <= Math.floor(Date.now() / 1000);
 
-export const withIdentity: (statusCodeOverride?: number) => RequestHandler =
-	(statusCodeOverride?: number) =>
+export const withIdentity: (
+	statusCodeOverride?: number,
+	keepQueryParams?: boolean,
+) => RequestHandler =
+	(statusCodeOverride?: number, keepQueryParams?: boolean) =>
 	async (req: Request, res: Response, next: NextFunction) => {
 		if (CYPRESS === 'SKIP_IDAPI') {
 			return next();
@@ -80,7 +83,13 @@ export const withIdentity: (statusCodeOverride?: number) => RequestHandler =
 					: {};
 			const oktaConfig = await getOktaConfig(oktaConfigOverride);
 			if (oktaConfig.useOkta) {
-				return authenticateWithOAuth(req, res, next, oktaConfig);
+				return authenticateWithOAuth(
+					req,
+					res,
+					next,
+					oktaConfig,
+					keepQueryParams,
+				);
 			} else {
 				return authenticateWithIdapi(statusCodeOverride)(
 					req,
@@ -98,10 +107,12 @@ export const authenticateWithOAuth = async (
 	res: Response,
 	next: NextFunction,
 	oktaConfig: OktaConfig,
+	keepQueryParams: boolean = false,
 ) => {
 	// Get the path of the current page and use it as our returnPath after the OAuth callback.
-	const returnPath = sanitizeReturnPath(req.originalUrl);
-
+	const returnPath = keepQueryParams
+		? req.originalUrl
+		: sanitizeReturnPath(req.originalUrl);
 	try {
 		const verifiedTokens = await verifyOAuthCookiesLocally(req);
 		const guSoTimestamp = parseInt(req.cookies['GU_SO']);

server/routes/newspaperArchive.ts

@@ -36,7 +36,7 @@ const newspaperArchiveConfigPromise: Promise<
 
 const router = Router();
 
-router.use(withIdentity(401));
+router.use(withIdentity(401, true));
 
 router.get('/auth', async (req: Request, res: Response) => {
 	try {
@@ -81,6 +81,12 @@ router.get('/auth', async (req: Request, res: Response) => {
 			const tpaToken = new URL(responseJson.url).searchParams.get('tpa');
 
 			const archiveReturnUrl = new URL(archiveReturnUrlString);
+
+			if (archiveReturnUrl.hostname !== 'theguardian.newspapers.com') {
+				log.error('Invalid ncom return URL hostname');
+				return res.redirect(responseJson.url);
+			}
+
 			archiveReturnUrl.searchParams.set('tpa', tpaToken ?? '');
 			return res.redirect(archiveReturnUrl.toString());
 		}