Change session system (#13)

* add env example for AC replace cookie session package with express-session * add fake secret to .env * replace client id value * fix: lint + console.error * refactor: rename .env file * feat: udpate scopes used in AC * feat: show agentconnect button in agentconnect.env * refacto: do not run tests twice per push + fix typos * fix: bypass cypress session clearing by setting session cookie on every response --------- Co-authored-by: Raphaël Dubigny <[email protected]>
numerique-gouv · May 3, 2024 · 9ca97dc · 9ca97dc
1 parent 406da3c
commit 9ca97dc
Show file tree

Hide file tree

Showing 8 changed files with 113 additions and 123 deletions.
diff --git a/.env b/.env
@@ -11,3 +11,4 @@ LOGIN_HINT: ""
 MCP_ID_TOKEN_SIGNED_RESPONSE_ALG: RS256
 MCP_USERINFO_SIGNED_RESPONSE_ALG: ""
 ACR_VALUES: ""
+SESSION_SECRET: CeciEstUnFauxSecret
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -4,7 +4,9 @@ name: CI
 
 on:
   push:
-  pull_request:
+    branches:
+      - "**"
+      - "!master"
   workflow_dispatch:
 
 jobs:

diff --git a/agentconnect.env b/agentconnect.env
@@ -0,0 +1,15 @@
+HOST: http://localhost:3000
+PORT: 3000
+SITE_TITLE: "Bonjour monde !"
+STYLESHEET_URL: https://unpkg.com/bamboo.css
+CALLBACK_URL: /login-callback
+MCP_CLIENT_ID: client_id_localhost:3000
+MCP_CLIENT_SECRET: client_secret_localhost:3000
+MCP_PROVIDER: https://fca.integ01.dev-agentconnect.fr/api/v2
+MCP_SCOPES: "openid given_name usual_name email phone uid siren siret idp_id idp_acr"
+LOGIN_HINT: ""
+MCP_ID_TOKEN_SIGNED_RESPONSE_ALG: RS256
+MCP_USERINFO_SIGNED_RESPONSE_ALG: RS256
+ACR_VALUES: eidas1
+SESSION_SECRET: CeciEstUnFauxSecret
+SHOW_AGENTCONNECT_BUTTON: true
diff --git a/e2e/features/connexion.feature b/e2e/features/connexion.feature
@@ -1,15 +1,15 @@
 #language: fr
 Fonctionnalité: Connexion de [email protected]
-    
-  Scénario: Connexion d'un utilisateur 
+
+  Scénario: Connexion d'un utilisateur
     Etant donné que je navigue sur la page
     Alors je vois "Bonjour monde !"
     Quand je clique sur le bouton MonComptePro
 
     Quand je me connecte en tant que user@yopmail.com sur moncomptepro
     Et je vois "Votre organisation de rattachement" sur moncomptepro
-    Et je click sur "Continuer" sur moncomptepro
+    Et je clique sur "Continuer" sur moncomptepro
 
     Alors je suis redirigé sur "/"
-    Et je vois "Information utilisateur" 
+    Et je vois "Information utilisateur"
     Et je vois "[email protected]"
diff --git a/e2e/features/connexion.ts b/e2e/features/connexion.ts
@@ -28,7 +28,7 @@ When("je vois {string} sur moncomptepro", (_text: string) => {
   });
 });
 
-When("je click sur {string} sur moncomptepro", (_text: string) => {
+When("je clique sur {string} sur moncomptepro", (_text: string) => {
   cy.origin(Cypress.env("MCP_PROVIDER"), { args: _text }, (text) => {
     cy.contains(text).click();
   });

diff --git a/index.js b/index.js
@@ -1,7 +1,7 @@
 import "dotenv/config";
 import express from "express";
 import { Issuer } from "openid-client";
-import cookieSession from "cookie-session";
+import session from "express-session";
 import morgan from "morgan";
 import * as crypto from "crypto";
 
@@ -13,10 +13,11 @@ const app = express();
 
 app.set("view engine", "ejs");
 app.use(
-  cookieSession({
+  session({
     name: "mcp_session",
-    keys: ["key1", "key2"],
-  })
+    secret: process.env.SESSION_SECRET,
+    rolling: true,
+  }),
 );
 app.use(morgan("combined"));
 
@@ -86,14 +87,14 @@ app.post(
   "/select-organization",
   getAuthorizationControllerFactory({
     prompt: "select_organization",
-  })
+  }),
 );
 
 app.post(
   "/update-userinfo",
   getAuthorizationControllerFactory({
     prompt: "update_userinfo",
-  })
+  }),
 );
 
 app.post(
@@ -103,7 +104,7 @@ app.post(
     prompt: "login",
     // alternatively, you can use the 'max_age: 0'
     // if so, claims parameter is not necessary as auth_time will be returned
-  })
+  }),
 );
 
 app.get(process.env.CALLBACK_URL, async (req, res, next) => {
@@ -120,7 +121,7 @@ app.get(process.env.CALLBACK_URL, async (req, res, next) => {
     req.session.userinfo = await client.userinfo(tokenSet.access_token);
     req.session.idtoken = tokenSet.claims();
     req.session.id_token_hint = tokenSet.id_token;
-
+    req.session.oauth2token = tokenSet;
     res.redirect("/");
   } catch (e) {
     next(e);
@@ -130,7 +131,7 @@ app.get(process.env.CALLBACK_URL, async (req, res, next) => {
 app.post("/logout", async (req, res, next) => {
   try {
     const id_token_hint = req.session.id_token_hint;
-    req.session = null;
+    req.session.destroy();
     const client = await getMcpClient();
     const redirectUrl = client.endSessionUrl({
       post_logout_redirect_uri: `${origin}/`,