Merge branch 'main' into forms-960-idp-refactor

app/src/forms/common/middleware/rateLimiter.js

@@ -7,8 +7,8 @@ const apiKeyRateLimiter = rateLimit({
 
   limit: config.get('server.rateLimit.public.max'),
 
-  // Skip Bearer token auth so that CHEFS app users are not limited.
-  skip: (req) => req.headers && req.headers.authorization && !req.headers.authorization.startsWith('Basic '),
+  // Skip everything except Basic auth so that CHEFS app users are not limited.
+  skip: (req) => !req.headers?.authorization || !req.headers.authorization.startsWith('Basic '),
 
   // Use the latest draft of the IETF standard for rate limiting headers.
   standardHeaders: 'draft-7',

app/src/forms/auth/middleware/params.js → app/src/forms/common/middleware/validateParameter.js

@@ -3,6 +3,21 @@ const uuid = require('uuid');
 
 const formService = require('../../form/service');
 
+/**
+ * Throws a 400 problem if the parameter is not a valid UUID.
+ *
+ * @param {*} parameter the parameter to validate as a UUID.
+ * @param {*} parameterName the name of the parameter to use in 400 Problems.
+ * @throws Problem if the parameter is not a valid UUID.
+ */
+const _validateUuid = (parameter, parameterName) => {
+  if (!uuid.validate(parameter)) {
+    throw new Problem(400, {
+      detail: 'Bad ' + parameterName,
+    });
+  }
+};
+
 /**
  * Validates that the :formId route parameter exists and is a UUID.
  *
@@ -13,11 +28,7 @@ const formService = require('../../form/service');
  */
 const validateFormId = async (_req, _res, next, formId) => {
   try {
-    if (!uuid.validate(formId)) {
-      throw new Problem(400, {
-        detail: 'Bad formId',
-      });
-    }
+    _validateUuid(formId, 'formId');
 
     next();
   } catch (error) {
@@ -36,11 +47,7 @@ const validateFormId = async (_req, _res, next, formId) => {
  */
 const validateFormVersionDraftId = async (req, _res, next, formVersionDraftId) => {
   try {
-    if (!uuid.validate(formVersionDraftId)) {
-      throw new Problem(400, {
-        detail: 'Bad formVersionDraftId',
-      });
-    }
+    _validateUuid(formVersionDraftId, 'formVersionDraftId');
 
     const formVersionDraft = await formService.readDraft(formVersionDraftId);
     if (!formVersionDraft || formVersionDraft.formId !== req.params.formId) {
@@ -66,11 +73,7 @@ const validateFormVersionDraftId = async (req, _res, next, formVersionDraftId) =
  */
 const validateFormVersionId = async (req, _res, next, formVersionId) => {
   try {
-    if (!uuid.validate(formVersionId)) {
-      throw new Problem(400, {
-        detail: 'Bad formVersionId',
-      });
-    }
+    _validateUuid(formVersionId, 'formVersionId');
 
     const formVersion = await formService.readVersion(formVersionId);
     if (!formVersion || formVersion.formId !== req.params.formId) {

app/src/forms/form/routes.js

@@ -1,7 +1,7 @@
 const routes = require('express').Router();
 const apiAccess = require('../auth/middleware/apiAccess');
 const { currentUser, hasFormPermissions } = require('../auth/middleware/userAccess');
-const params = require('../auth/middleware/params');
+const validateParameter = require('../common/middleware/validateParameter');
 const P = require('../common/constants').Permissions;
 const rateLimiter = require('../common/middleware').apiKeyRateLimiter;
 
@@ -10,9 +10,9 @@ const controller = require('./controller');
 
 routes.use(currentUser);
 
-routes.param('formId', params.validateFormId);
-routes.param('formVersionDraftId', params.validateFormVersionDraftId);
-routes.param('formVersionId', params.validateFormVersionId);
+routes.param('formId', validateParameter.validateFormId);
+routes.param('formVersionDraftId', validateParameter.validateFormVersionDraftId);
+routes.param('formVersionId', validateParameter.validateFormVersionId);
 
 routes.get('/', jwtService.protect('admin'), async (req, res, next) => {
   await controller.listForms(req, res, next);