WIP (#57)

Co-authored-by: FrostyApeOne <[email protected]>

Author: FrostyApeOne

src/DfE.ExternalApplications.Api/appsettings.Development.json

@@ -36,12 +36,16 @@
     "DiscoveryEndpoint": "https://test-oidc.signin.education.gov.uk/.well-known/openid-configuration"
   },
   "TestAuthentication": {
-    "Enabled": true,
+    "Enabled": false,
     "JwtSigningKey": "secret",
     "JwtIssuer": "test-external-applications",
     "JwtAudience": "external-applications-api"
   },
   "Frontend": {
     "Origin": "https://dev.apply-transfer-academy.education.gov.uk"
+  },
+  "CypressAuthentication": {
+    "AllowToggle": true,
+    "Secret": ""
   }
 }

src/DfE.ExternalApplications.Api/appsettings.Production.json

@@ -22,5 +22,9 @@
   },
   "Features": {
     "PerformanceLoggingEnabled": false
+  },
+  "CypressAuthentication": {
+    "AllowToggle": false,
+    "Secret": ""
   }
 }

src/DfE.ExternalApplications.Api/appsettings.Test.json

@@ -36,13 +36,17 @@
     "DiscoveryEndpoint": "https://pp-oidc.signin.education.gov.uk/.well-known/openid-configuration"
   },
   "TestAuthentication": {
-    "Enabled": true,
+    "Enabled": false,
     "JwtSigningKey": "secret",
     "JwtIssuer": "test-external-applications",
     "JwtAudience": "external-applications-api"
   },
   "Frontend": {
     "Origin": "https://test.apply-transfer-academy.education.gov.uk"
+  },
+  "CypressAuthentication": {
+    "AllowToggle": true,
+    "Secret": ""
   }
 }
 

src/DfE.ExternalApplications.Application/ApplicationServiceCollectionExtensions.cs

@@ -12,6 +12,7 @@
 using GovUK.Dfe.CoreLibs.Utilities.RateLimiting;
 using Microsoft.AspNetCore.Http;
 using GovUK.Dfe.CoreLibs.Email;
+using GovUK.Dfe.CoreLibs.Security.Interfaces;
 
 namespace Microsoft.Extensions.DependencyInjection
 {
@@ -40,6 +41,7 @@ public static IServiceCollection AddApplicationDependencyGroup(
                 }
             });
             services.AddScoped<IPermissionCheckerService, ClaimBasedPermissionCheckerService>();
+            services.AddScoped<ICustomRequestChecker, CypressRequestChecker>();
             services.AddTransient<IApplicationFactory, ApplicationFactory>();
             services.AddTransient<IUserFactory, UserFactory>();
             services.AddTransient<ITemplateFactory, TemplateFactory>();

src/DfE.ExternalApplications.Application/DfE.ExternalApplications.Application.csproj

@@ -21,7 +21,7 @@
 		<PackageReference Include="GovUK.Dfe.CoreLibs.Email" Version="0.1.0-prerelease-146" />
 		<PackageReference Include="GovUK.Dfe.CoreLibs.FileStorage" Version="0.1.3" />
 		<PackageReference Include="GovUK.Dfe.CoreLibs.Notifications" Version="0.1.5" />
-		<PackageReference Include="GovUK.Dfe.CoreLibs.Security" Version="1.1.17" />
+		<PackageReference Include="GovUK.Dfe.CoreLibs.Security" Version="1.1.19-prerelease-7" />
 		<PackageReference Include="GovUK.Dfe.CoreLibs.Utilities" Version="1.0.16" />
 		<PackageReference Include="FluentValidation" Version="12.0.0" />
 		<PackageReference Include="FluentValidation.AspNetCore" Version="11.3.0" />

src/DfE.ExternalApplications.Application/Services/CypressRequestChecker.cs

@@ -0,0 +1,86 @@
+using GovUK.Dfe.CoreLibs.Security.Interfaces;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+
+namespace DfE.ExternalApplications.Application.Services
+{
+    public class CypressRequestChecker(
+        IHostEnvironment env,
+        IConfiguration config,
+        ILogger<CypressRequestChecker> logger)
+        : ICustomRequestChecker
+    {
+        private const string CypressHeaderKey = "X-Cypress-Test";
+        private const string CypressSecretHeaderKey = "X-Cypress-Secret";
+        private const string ExpectedCypressValue = "true";
+
+        /// <summary>
+        /// Validates if the current HTTP request is a valid Cypress test request
+        /// </summary>
+        /// <param name="httpContext">The HTTP context to validate</param>
+        /// <returns>True if this is a valid Cypress request with correct headers and secret</returns>
+        public bool IsValidRequest(HttpContext httpContext)
+        {
+            // Check for Cypress header
+            var cypressHeader = httpContext.Request.Headers[CypressHeaderKey].ToString();
+            if (!string.Equals(cypressHeader, ExpectedCypressValue, StringComparison.OrdinalIgnoreCase))
+            {
+                return false;
+            }
+
+            // Only allow in Development, Staging or Test environments (NOT Production)
+            if (!(env.IsDevelopment() || env.IsStaging() || env.IsEnvironment("Test")))
+            {
+                logger.LogWarning(
+                    "Cypress authentication attempted in {Environment} environment from {IP} - rejected",
+                    env.EnvironmentName,
+                    httpContext.Connection.RemoteIpAddress);
+                return false;
+            }
+
+            // Check if Cypress toggle is allowed in configuration
+            var allowCypressToggle = config.GetValue<bool>("CypressAuthentication:AllowToggle");
+            if (!allowCypressToggle)
+            {
+                logger.LogWarning(
+                    "Cypress authentication attempted but AllowToggle is disabled from {IP}",
+                    httpContext.Connection.RemoteIpAddress);
+                return false;
+            }
+
+            // Validate secret
+            var expectedSecret = config["CypressAuthentication:Secret"];
+            var providedSecret = httpContext.Request.Headers[CypressSecretHeaderKey].ToString();
+
+            if (string.IsNullOrWhiteSpace(expectedSecret) || string.IsNullOrWhiteSpace(providedSecret))
+            {
+                logger.LogWarning(
+                    "Cypress authentication attempted with missing secret from {IP}",
+                    httpContext.Connection.RemoteIpAddress);
+                return false;
+            }
+
+            var isValid = string.Equals(providedSecret, expectedSecret, StringComparison.Ordinal);
+
+            if (isValid)
+            {
+                logger.LogInformation(
+                    "Valid Cypress test request detected from {IP} for path {Path}",
+                    httpContext.Connection.RemoteIpAddress,
+                    httpContext.Request.Path);
+            }
+            else
+            {
+                logger.LogWarning(
+                    "Invalid Cypress secret provided from {IP} for path {Path}",
+                    httpContext.Connection.RemoteIpAddress,
+                    httpContext.Request.Path);
+            }
+
+            return isValid;
+        }
+    }
+
+}

src/DfE.ExternalApplications.Application/Users/Commands/RegisterUserCommandHandler.cs

@@ -37,7 +37,7 @@ public async Task<Result<UserDto>> Handle(
         {
             // Validate external token and extract claims
             var externalUser = await externalValidator
-                .ValidateIdTokenAsync(request.SubjectToken, cancellationToken);
+                .ValidateIdTokenAsync(request.SubjectToken, false, cancellationToken);
 
             var email = externalUser.FindFirst(ClaimTypes.Email)?.Value
                         ?? throw new SecurityTokenException("RegisterUserCommandHandler > Missing email");

src/DfE.ExternalApplications.Application/Users/Queries/ExchangeTokenQueryHandler.cs

@@ -18,13 +18,16 @@ public class ExchangeTokenQueryHandler(
         IExternalIdentityValidator externalValidator,
         IEaRepository<User> userRepo,
         IUserTokenService tokenSvc,
-        IHttpContextAccessor httpCtxAcc)
+        IHttpContextAccessor httpCtxAcc, 
+        ICustomRequestChecker cypressRequestChecker)
         : IRequestHandler<ExchangeTokenQuery, ExchangeTokenDto>
     {
         public async Task<ExchangeTokenDto> Handle(ExchangeTokenQuery req, CancellationToken ct)
         {
+            var validCypressReq = cypressRequestChecker.IsValidRequest(httpCtxAcc.HttpContext!);
+
             var externalUser = await externalValidator
-                .ValidateIdTokenAsync(req.SubjectToken, ct);
+                .ValidateIdTokenAsync(req.SubjectToken, validCypressReq, ct);
 
             var email = externalUser.FindFirst(ClaimTypes.Email)?.Value
                         ?? throw new SecurityTokenException("ExchangeTokenQueryHandler > Missing email");

src/DfE.ExternalApplications.Infrastructure/DfE.ExternalApplications.Infrastructure.csproj

@@ -5,7 +5,7 @@
   </PropertyGroup>
 
 	<ItemGroup>
-		<PackageReference Include="GovUK.Dfe.CoreLibs.Security" Version="1.1.17" />
+		<PackageReference Include="GovUK.Dfe.CoreLibs.Security" Version="1.1.19-prerelease-7" />
 		<PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.18" />
 		<PackageReference Include="Microsoft.EntityFrameworkCore" Version="8.0.18" />
 		<PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="8.0.18">

src/GovUK.Dfe.ExternalApplications.Api.Client/Extensions/ServiceCollectionExtensions.cs

@@ -32,6 +32,7 @@ public static IServiceCollection AddExternalApplicationsApiClient<TClientInterfa
             services.AddHttpContextAccessor();
 
             // Register handlers
+            services.AddTransient<HeaderForwardingHandler>();
             services.AddTransient<AzureBearerTokenHandler>();
 
             if (apiSettings.RequestTokenExchange)
@@ -95,6 +96,10 @@ public static IServiceCollection AddExternalApplicationsApiClient<TClientInterfa
                         serviceProvider, httpClient, apiSettings.BaseUrl!);
                 });
 
+                // Add header forwarding handler FIRST in the chain
+                // This ensures headers like X-Cypress-Test are available for all subsequent handlers
+                builder.AddHttpMessageHandler<HeaderForwardingHandler>();
+
                 if (apiSettings.RequestTokenExchange)
                 {
                     // Frontend clients: Use exchange flow