Encode TRNs in URLs

Exposing a TRN in the URL opens us up to someone being able to enumerate through the values and capture data on people. We want to prevent this by encoding the values passed in the URL. This ensures that the UI is the only way to access someone's record. I opted to use a symmetric encoding process to allow us to encode/decode using a secret that we control. This is an easy to understand encryption that is as secure as our secret key.
DFE-Digital · Oct 13, 2023 · 4e30a8d · 4e30a8d
1 parent 17d1e0f
commit 4e30a8d
Show file tree

Hide file tree

Showing 5 changed files with 101 additions and 2 deletions.
diff --git a/app/controllers/check_records/teachers_controller.rb b/app/controllers/check_records/teachers_controller.rb
@@ -2,7 +2,8 @@ module CheckRecords
   class TeachersController < CheckRecordsController
     def show
       client = QualificationsApi::Client.new(token: ENV["QUALIFICATIONS_API_FIXED_TOKEN"])
-      @teacher = client.teacher(trn: params[:id])
+      trn = SecureIdentifier.decode(params[:id])
+      @teacher = client.teacher(trn:)
       @npqs = @teacher.qualifications.filter(&:npq?)
       @other_qualifications = @teacher.qualifications.filter { |qualification| !qualification.npq? }
     rescue QualificationsApi::TeacherNotFoundError

diff --git a/app/models/secure_identifier.rb b/app/models/secure_identifier.rb
@@ -0,0 +1,32 @@
+class SecureIdentifier
+  SECRET_KEY = Rails.application.credentials.secret_key_base.byteslice(0..31)
+  CIPHER = 'aes-256-cbc'
+
+  def self.encode(value)
+    raise ArgumentError, "value cannot be nil" if value.nil?
+    return value if value.empty?
+
+    cipher = OpenSSL::Cipher.new(CIPHER)
+    cipher.encrypt
+    cipher.key = SECRET_KEY
+
+    encrypted = cipher.update(value) + cipher.final
+    Base64.urlsafe_encode64(encrypted).strip
+  end
+
+  def self.decode(value)
+    raise ArgumentError, "value cannot be nil" if value.nil?
+    return value if value.empty?
+
+    decipher = OpenSSL::Cipher.new(CIPHER)
+    decipher.decrypt
+    decipher.key = SECRET_KEY
+
+    begin
+      decoded = Base64.urlsafe_decode64(value)
+      decipher.update(decoded) + decipher.final
+    rescue ArgumentError => e
+      return value
+    end
+  end
+end
diff --git a/app/views/check_records/search/show.html.erb b/app/views/check_records/search/show.html.erb
@@ -14,7 +14,7 @@
         <% @teachers.each do |teacher| %>
           <div class="search-results__item">
             <h2 class="govuk-heading-s">
-              <%= link_to teacher.name, check_records_teacher_path(teacher.trn), class: "govuk-link--no-visited-state" %>
+              <%= link_to teacher.name, check_records_teacher_path(SecureIdentifier.encode(teacher.trn)), class: "govuk-link--no-visited-state" %>
             </h2>
             <strong class="govuk-tag govuk-tag--<%= teacher.sanctions.any? ? "red" : "green" %>"%>
               <%= teacher.sanctions.any? ? "Restrictions" : "No restrictions" %>

diff --git a/spec/models/secure_identifier_spec.rb b/spec/models/secure_identifier_spec.rb
@@ -0,0 +1,61 @@
+require 'rails_helper'
+
+RSpec.describe SecureIdentifier do
+  let(:plain_text) { 'Hello, World!' }
+
+  describe '.encode' do
+    subject { described_class.encode(plain_text) }
+
+    it { is_expected.not_to eq(plain_text) }
+
+    it 'returns a Base64 encoded string' do
+      is_expected.to eq(
+        Base64.strict_encode64(Base64.strict_decode64(SecureIdentifier.encode(plain_text)))
+      )
+    end
+
+    context 'when given an empty string' do
+      let(:plain_text) { '' }
+
+      it { is_expected.to eq(plain_text) }
+    end
+
+    context 'when given nil' do
+      let(:plain_text) { nil }
+
+      it 'raises an ArgumentError' do
+        expect { subject }.to raise_error(ArgumentError)
+      end
+    end
+  end
+
+  describe '.decode' do
+    subject { described_class.decode(encoded_text) }
+
+    let(:encoded_text) { described_class.encode(plain_text) }
+
+    it { is_expected.to eq(plain_text) }
+
+    context 'when given an invalid Base64 string' do
+      let(:encoded_text) { 'invalid' }
+
+      it 'returns the passed value' do
+        is_expected.to eq(encoded_text)
+      end
+    end
+
+    context 'when given an empty string' do
+      let(:encoded_text) { '' }
+
+      it { is_expected.to eq(encoded_text) }
+    end
+
+    context 'when given nil' do
+      let(:encoded_text) { nil }
+
+      it 'raises an ArgumentError' do
+        expect { subject }.to raise_error(ArgumentError)
+      end
+    end
+  end
+end
diff --git a/spec/system/check_records/user_searches_with_valid_last_name_and_dob_spec.rb b/spec/system/check_records/user_searches_with_valid_last_name_and_dob_spec.rb
@@ -16,6 +16,7 @@
     and_they_have_no_restrictions
 
     when_i_click_on_the_teacher_record
+    then_the_trn_is_not_in_the_url
     then_i_see_induction_details
     then_i_see_qts_details
     then_i_see_itt_details
@@ -38,6 +39,10 @@ def then_i_see_a_teacher_record_in_the_results
     expect(page).to have_content "Terry Walsh"
   end
 
+  def then_the_trn_is_not_in_the_url
+    expect(page).not_to have_current_path(/teachers\/1234567/)
+  end
+
   def and_my_search_is_logged
     expect(SearchLog.last.last_name).to eq "Walsh"
     expect(SearchLog.last.date_of_birth.to_s).to eq "1992-04-05"