Add session_cookie_secure to taliman (#39)

* Add session_cookie_secure to taliman * Update pre validation step to render template instead of redirect * Updated status code
ONSdigital · Apr 18, 2024 · 0ea4692 · 0ea4692
1 parent 3c68e8f
commit 0ea4692
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 5 deletions.
diff --git a/rh_ui/app_setup.py b/rh_ui/app_setup.py
@@ -58,6 +58,7 @@ def get_locale() -> str:
         strict_transport_security_max_age=31536000,
         x_content_type_options='nosniff',
         permissions_policy=PERMISSION_POLICY,
+        session_cookie_secure=app.config["SESSION_COOKIE_SECURE"]
     )
 
     return app
diff --git a/rh_ui/views/start.py b/rh_ui/views/start.py
@@ -1,7 +1,7 @@
 import logging
 import re
 
-from flask import Blueprint, request, flash, g, redirect, current_app, render_template, url_for
+from flask import Blueprint, request, flash, g, redirect, current_app, render_template
 from flask.typing import ResponseReturnValue
 from requests import Response, HTTPError
 from structlog import wrap_logger
@@ -29,7 +29,7 @@ def start_post():
     uac = request.form.get('uac').upper().replace(' ', '')
     if error := pre_check_uac(uac):
         flash(error)
-        return redirect(url_for('i18n.start_bp.start_get'))
+        return render_template("start.html"), 401
     token_response = get_eq_token(uac, g.lang_code)
 
     if error_response := handle_token_error_response(token_response):

diff --git a/tests/unit/views/test_start.py b/tests/unit/views/test_start.py
@@ -36,22 +36,22 @@ def test_en_enter_uac_success(test_client):
 def test_en_enter_uac_blank(test_client):
     response = test_client.post(EN_START_ROUTE, data={"uac": ""}, follow_redirects=True)
 
-    assert response.status_code == 200
+    assert response.status_code == 401
     assert 'Enter an access code' in response.text
 
 
 def test_en_enter_uac_invalid_length(test_client):
     response = test_client.post(EN_START_ROUTE, data={"uac": "testing"}, follow_redirects=True)
 
-    assert response.status_code == 200
+    assert response.status_code == 401
     assert 'Enter a 16-character access code' in response.text
 
 
 def test_uac_pattern_match_failure(test_client):
     # When we try to hash a UAC that is an invalid format, then it raises the error
     response = test_client.post(EN_START_ROUTE, data={"uac": 'testing_uac_err-'}, follow_redirects=True)
 
-    assert response.status_code == 200
+    assert response.status_code == 401
     assert 'Access code not recognised. Enter the code again.' in response.text