Merge pull request #573 from companieshouse/IDVA5-1671-implementCSRFt…

…oken IDVA5-1671 implement csrf token
companieshouse · Jan 9, 2025 · c861a95 · c861a95
2 parents 15d9f57 + b21d319
commit c861a95
Show file tree

Hide file tree

Showing 50 changed files with 227 additions and 8 deletions.
diff --git a/locales/cy/error-pages.json b/locales/cy/error-pages.json
@@ -7,6 +7,15 @@
 
     "technicalDifficuliesTitle": "Mae'n ddrwg gennym ein bod yn profi anawsterau technegol",
     "technicalDifficuliesText1": "Ceisiwch eto mewn ychydig funudau.",
-    "technicalDifficuliesText2": "Os yw'r broblem hon yn parhau anfonwch e-bost i enquiries@companieshouse.gov.uk."
+    "technicalDifficuliesText2": "Os yw'r broblem hon yn parhau anfonwch e-bost i enquiries@companieshouse.gov.uk.",
 
+    "tryAgainLater": "Try again later welsh.",
+    "sorrySomethingWentWrong":"Sorry, something went wrong welsh",
+    "weHaveNotBeenAbleToSave":"We have not been able to save the information you submitted on the previous screen. This may be because the page was inactive for too long, or because of a technical issue. welsh",
+    "tryTheFollowing":"Try the following: welsh",
+    "useTheBackLink":"use the back link to return to the previous screen and resubmit the information welsh",
+    "signOutOfTheService":"sign out of the service, and then sign back in welsh",
+    "ifTheProblemContinues":"If the problem continues, welsh",
+    "contactUsLink":"contact us welsh",
+    "forHelp":"for help. welsh"
 }
diff --git a/locales/en/error-pages.json b/locales/en/error-pages.json
@@ -7,6 +7,15 @@
 
     "technicalDifficuliesTitle": "Sorry we are experiencing technical difficulties",
     "technicalDifficuliesText1": "Try again in a few moments.",
-    "technicalDifficuliesText2": "If this problem continues email enquiries@companieshouse.gov.uk."
-
+    "technicalDifficuliesText2": "If this problem continues email enquiries@companieshouse.gov.uk.",
+
+    "tryAgainLater": "Try again later.",
+    "sorrySomethingWentWrong":"Sorry, something went wrong",
+    "weHaveNotBeenAbleToSave":"We have not been able to save the information you submitted on the previous screen. This may be because the page was inactive for too long, or because of a technical issue.",
+    "tryTheFollowing":"Try the following:",
+    "useTheBackLink":"use the back link to return to the previous screen and resubmit the information",
+    "signOutOfTheService":"sign out of the service, and then sign back in",
+    "ifTheProblemContinues":"If the problem continues,",
+    "contactUsLink":"contact us",
+    "forHelp":"for help."
 }
diff --git a/src/app.ts b/src/app.ts
@@ -29,6 +29,8 @@ import { v4 as uuidv4 } from "uuid";
 import nocache from "nocache";
 import { prepareCSPConfig } from "./middleware/content_security_policy_middleware_config";
 
+import { csrfProtectionMiddleware } from "./middleware/csrf_protection_middleware";
+import errorHandler from "../src/controllers/csrfErrorController";
 const app = express();
 
 const nonce: string = uuidv4();
@@ -37,7 +39,9 @@ const nunjucksEnv = nunjucks.configure([path.join(__dirname, "views"),
     path.join(__dirname, "/../node_modules/govuk-frontend"),
     path.join(__dirname, "/../../node_modules/govuk-frontend"),
     path.join(__dirname, "/../node_modules/@companieshouse/ch-node-utils/templates"),
-    path.join(__dirname, "/../../node_modules/@companieshouse/ch-node-utils/templates")], {
+    path.join(__dirname, "/../../node_modules/@companieshouse/ch-node-utils/templates"),
+    path.join(__dirname, "/../node_modules/@companieshouse"),
+    path.join(__dirname, "/../../node_modules/@companieshouse")], {
     autoescape: true,
     express: app
 });
@@ -68,6 +72,7 @@ app.use(cookieParser());
 app.use(nocache());
 app.use(helmet(prepareCSPConfig(nonce)));
 app.use(`^(?!(${BASE_URL}${HEALTHCHECK}|${BASE_URL}$|${BASE_URL}${ACCESSIBILITY_STATEMENT}))*`, sessionMiddleware);
+app.use(`^(?!(${BASE_URL}${HEALTHCHECK}|${BASE_URL}$|${BASE_URL}${ACCESSIBILITY_STATEMENT}))*`, csrfProtectionMiddleware);
 app.use(`^(?!(${BASE_URL}${HEALTHCHECK}|${BASE_URL}$|${BASE_URL}${ACCESSIBILITY_STATEMENT})|(${BASE_URL}${SOLE_TRADER})|(${UPDATE_ACSP_DETAILS_BASE_URL}))*`, authenticationMiddleware);
 app.use(`^(${BASE_URL}${SOLE_TRADER})*`, authenticationMiddlewareForSoleTrader);
 app.use(commonTemplateVariablesMiddleware);
@@ -88,6 +93,8 @@ app.use((req: Request, res: Response, next: NextFunction) => {
 // Channel all requests through router dispatch
 routerDispatch(app);
 
+app.use(...errorHandler);
+
 // Unhandled errors
 app.use((err: Error, req: Request, res: Response, next: NextFunction) => {
     logger.error(`${err.name} - appError: ${err.message} - ${err.stack}`);

diff --git a/src/config/index.ts b/src/config/index.ts
@@ -45,6 +45,7 @@ export const SAVED_APPLICATION = `${BASE_COMMON_URL}/saved-application/saved-app
 export const ERROR_400 = `${BASE_PARTIALS_URL}/error_400`;
 export const ERROR_404 = `${BASE_PARTIALS_URL}/error_404`;
 export const ERROR_500 = `${BASE_PARTIALS_URL}/error_500`;
+export const ERROR_403 = `${BASE_PARTIALS_URL}/error_403`;
 
 export const SELECT_AML_SUPERVISOR = `${BASE_COMMON_URL}/select-aml-supervisory-bodies/select-aml-supervisory-bodies`;
 export const CHECK_YOUR_ANSWERS = `${BASE_COMMON_URL}/check-your-answers/check-your-answers`;

diff --git a/src/controllers/csrfErrorController.ts b/src/controllers/csrfErrorController.ts
@@ -0,0 +1,17 @@
+import type { ErrorRequestHandler, NextFunction, Request, Response } from "express";
+import { CsrfError } from "@companieshouse/web-security-node";
+import { ErrorService } from "../services/errorService";
+import { getLocalesService, selectLang } from "../utils/localise";
+import logger from "../utils/logger";
+
+export const csrfErrorHandler: ErrorRequestHandler = (err: any, req: Request, res: Response, next:NextFunction) => {
+    if (err instanceof CsrfError) {
+        logger.error(`${err.name} - appError: ${err.message} - ${err.stack}`);
+        const errorService = new ErrorService();
+        errorService.render403Page(res, getLocalesService(), selectLang(req.query.lang), req.url);
+    } else {
+        next(err);
+    }
+};
+
+export default [csrfErrorHandler];
diff --git a/src/middleware/csrf_protection_middleware.ts b/src/middleware/csrf_protection_middleware.ts
@@ -0,0 +1,9 @@
+import { CsrfProtectionMiddleware } from "@companieshouse/web-security-node";
+import { COOKIE_NAME } from "../utils/properties";
+import { sessionStore } from "./session_middleware";
+
+export const csrfProtectionMiddleware = CsrfProtectionMiddleware({
+    sessionStore,
+    enabled: true,
+    sessionCookieName: COOKIE_NAME
+});
diff --git a/src/middleware/session_middleware.ts b/src/middleware/session_middleware.ts
@@ -3,7 +3,7 @@ import Redis from "ioredis";
 import { CACHE_SERVER, COOKIE_DOMAIN, COOKIE_NAME, COOKIE_SECRET, COOKIE_SECURE_ONLY, DEFAULT_SESSION_EXPIRATION } from "../utils/properties";
 
 const redis = new Redis(CACHE_SERVER);
-const sessionStore = new SessionStore(redis);
+export const sessionStore = new SessionStore(redis);
 
 export const sessionMiddleware = SessionMiddleware({
     cookieDomain: COOKIE_DOMAIN,

diff --git a/src/services/errorService.ts b/src/services/errorService.ts
@@ -21,4 +21,12 @@ export class ErrorService {
             currentUrl: req.url
         });
     }
+
+    public render403Page = (res:Response, locales:LocalesService, lang:string, currentUrl: string) => {
+        res.status(403).render(config.ERROR_403, {
+            title: "Sorry, something went wrong",
+            ...getLocaleInfo(locales, lang),
+            currentUrl: currentUrl
+        });
+    }
 }
diff --git a/src/views/common/address-correspondance-selector/address-correspondance-selector.njk b/src/views/common/address-correspondance-selector/address-correspondance-selector.njk
@@ -23,6 +23,7 @@
     {% endif %}
 
     <form action="" method="POST">
+        {% include "partials/csrf_token.njk" %}
         {% if businessName %}
             {% include "partials/business_name.njk" %}
         {% endif %}

diff --git a/src/views/common/aml-body-number/aml-body-number.njk b/src/views/common/aml-body-number/aml-body-number.njk
@@ -6,6 +6,7 @@
 {% set title = i18n.amlMembershipTitle %}
 {% block main_content %}
     <form action="" method="post">
+        {% include "partials/csrf_token.njk" %}
         <fieldset class="govuk-fieldset">
             <legend class="govuk-fieldset__legend govuk-fieldset__legend--l">
                 {% if acspType === "SOLE_TRADER" %}

diff --git a/src/views/common/check-aml-details/check-aml-details.njk b/src/views/common/check-aml-details/check-aml-details.njk
@@ -6,6 +6,7 @@
 {% block main_content %}
 
   <form class="form" action="" method="post">
+    {% include "partials/csrf_token.njk" %}
     {% if typeOfBusiness === "SOLE_TRADER" %}
         {% include "partials/user_name.njk" %}
     {% else %}   

diff --git a/src/views/common/check-your-answers/check-your-answers.njk b/src/views/common/check-your-answers/check-your-answers.njk
@@ -28,6 +28,7 @@
 {% set title = i18n.checkYourAnswersHeading %}
 {% block main_content %}
     <form method="post">
+        {% include "partials/csrf_token.njk" %}
         <h1 class="govuk-heading-xl">{{ i18n.checkYourAnswersHeading }}</h1>
         {% if typeOfBusiness === "SOLE_TRADER" %}
             {% include "partials/check-your-answers/sole-trader-answers.njk" %}

diff --git a/src/views/common/correspondence-address-confirm/correspondence-address-confirm.njk b/src/views/common/correspondence-address-confirm/correspondence-address-confirm.njk
@@ -4,6 +4,7 @@
 {% set title = i18n.correspondenceAddressConfirmTitle %}
 {% block main_content %}
   <form class="form" action="" method="post">
+    {% include "partials/csrf_token.njk" %}
     {% if businessName %}
       {% include "partials/business_name.njk" %}
     {% elif firstName %}

diff --git a/src/views/common/correspondence-address-manual/capture-correspondence-address-manual.njk b/src/views/common/correspondence-address-manual/capture-correspondence-address-manual.njk
@@ -8,6 +8,7 @@
 {% set title = i18n.correspondenceAddressManualTitle %}
 {% block main_content %}
 <form action="" method="POST">
+    {% include "partials/csrf_token.njk" %}
     {% if businessName %}
         {% include "partials/business_name.njk" %}
     {% endif %}

diff --git a/src/views/common/correspondence-auto-lookup-address/auto-lookup-address.njk b/src/views/common/correspondence-auto-lookup-address/auto-lookup-address.njk
@@ -6,6 +6,7 @@
 {% set title = i18n.correspondenceLookUpAddressTitle %}
 {% block main_content %}
   <form action="" method="POST">
+    {% include "partials/csrf_token.njk" %}
     {% if businessName %}
       {% include "partials/business_name.njk" %}
     {% elif firstName %}

diff --git a/src/views/common/correspondence-auto-lookup-address/correspondence-address-list.njk b/src/views/common/correspondence-auto-lookup-address/correspondence-address-list.njk
@@ -21,6 +21,7 @@
     {% endfor %}
     {# Form section #}
     <form action="" method="POST">
+        {% include "partials/csrf_token.njk" %}
         {% if businessName %}
             {% include "partials/business_name.njk" %}
         {% endif %}

diff --git a/src/views/common/index/home.njk b/src/views/common/index/home.njk
@@ -6,6 +6,7 @@
 {% set matomoPageTitle = i18n.startPageTitle %}
 {% block main_content %}
   <form action="" method="POST">
+    {% include "partials/csrf_token.njk" %}
     <h1 class="govuk-heading-l">
       {{ i18n.startPageTitle }}
     </h1>

diff --git a/src/views/common/name-registered-with-aml/name-registered-with-aml.njk b/src/views/common/name-registered-with-aml/name-registered-with-aml.njk
@@ -5,6 +5,7 @@
 {% set title = i18n.nameRegisteredWithAmlTitle %}
 {% block main_content %}
   <form action="" method="POST">
+    {% include "partials/csrf_token.njk" %}
     {{ govukRadios({
       errorMessage: errors.nameRegisteredWithAml if errors,
       classes: "govuk-radios",

diff --git a/src/views/common/name/capture-name.njk b/src/views/common/name/capture-name.njk
@@ -5,6 +5,7 @@
 {% set title = i18n.whatIsYourNameTitle %}
 {% block main_content %}
     <form action="" method="POST">
+        {% include "partials/csrf_token.njk" %}
         <div class="govuk-form-group">
             <h1 class="govuk-heading-l">{{ i18n.whatIsYourNameTitle }}</h1>
             {{ govukInput({

diff --git a/src/views/common/other-type-of-business/other-type-of-business.njk b/src/views/common/other-type-of-business/other-type-of-business.njk
@@ -4,6 +4,7 @@
 {% set title = i18n.otherTypeOfBusinessTitle %}
 {% block main_content %}
     <form action="" method="POST">
+       {% include "partials/csrf_token.njk" %}
        {% include "partials/user_name.njk" %}
         <div class="govuk-form-group">
             {{ govukRadios({

diff --git a/src/views/common/saved-application/saved-application.njk b/src/views/common/saved-application/saved-application.njk
@@ -4,6 +4,7 @@
 {% set title = i18n.savedTitle %}
 {% block main_content %}
   <form action="" method="POST">
+    {% include "partials/csrf_token.njk" %}
     {{ govukRadios({
       errorMessage: errors.savedApplication if errors,
       classes: "govuk-radios--inline",

diff --git a/src/views/common/sector-you-work-in/sector-you-work-in.njk b/src/views/common/sector-you-work-in/sector-you-work-in.njk
@@ -5,6 +5,7 @@
 {% set title = i18n.sectorYouWorkInTitle %}
 {% block main_content %}
   <form action="" method="POST">
+    {% include "partials/csrf_token.njk" %}
     {% if acspType == "SOLE_TRADER" %}
       {% include "partials/user_name.njk" %}
     {% endif %}

diff --git a/src/views/common/select-aml-supervisory-bodies/select-aml-supervisory-bodies.njk b/src/views/common/select-aml-supervisory-bodies/select-aml-supervisory-bodies.njk
@@ -15,6 +15,7 @@
 {% set title = i18n.selectAmlSupervisorTitle %}
 {% block main_content %}
   <form action="" method="POST">
+    {% include "partials/csrf_token.njk" %}
     {% if acspType == "SOLE_TRADER" %}
       {% include "partials/user_name.njk" %}
     {% else %}

diff --git a/src/views/common/sign-out-page/sign-out.njk b/src/views/common/sign-out-page/sign-out.njk
@@ -11,6 +11,7 @@
 {% set title = i18n.signoutTitle %}
 {% block main_content %}
 	<form action="" method="POST">
+	    {% include "partials/csrf_token.njk" %}
 		{{ govukRadios({
 			errorMessage: errors.signout if errors,
 			classes: "govuk-radios--inline",

diff --git a/src/views/common/type-of-business/type-of-business.njk b/src/views/common/type-of-business/type-of-business.njk
@@ -4,6 +4,7 @@
 {% set title = i18n.typeOfBusinessTitle %}
 {% block main_content %}
   <form action="" method="POST">
+    {% include "partials/csrf_token.njk" %}
     {% include "partials/user_name.njk" %}
     {{ govukRadios({
       errorMessage: errors.typeOfBusinessRadio if errors,

diff --git a/src/views/common/what-is-the-business-name/what-is-the-business-name.njk b/src/views/common/what-is-the-business-name/what-is-the-business-name.njk
@@ -4,7 +4,8 @@
 
 {% set title = i18n.whatIsTheBusinessNameTitle %}
 {% block main_content %}
-  <form action="" method="POST">    
+  <form action="" method="POST">  
+    {% include "partials/csrf_token.njk" %}  
     {{ govukInput({
       label: {
         text: i18n.whatIsTheBusinessNameTitle,

diff --git a/src/views/common/what-is-your-email/what-is-your-email.njk b/src/views/common/what-is-your-email/what-is-your-email.njk
@@ -6,7 +6,8 @@
 
 {% set title = i18n.whatIsYourEmailAddressTitle %}
 {% block main_content %}
-    <form action="" method="POST">      
+    <form action="" method="POST">   
+    {% include "partials/csrf_token.njk" %}   
     {% set textHtml %}
         {{ govukInput({
             label: {

diff --git a/src/views/common/what-is-your-role/what-is-your-role.njk b/src/views/common/what-is-your-role/what-is-your-role.njk
@@ -5,6 +5,7 @@
 {% set title = i18n.whatIsYourRoleTitle %}
 {% block main_content %}
     <form action="" method="POST">
+        {% include "partials/csrf_token.njk" %}
         <div class="govuk-form-group">
             {{ govukRadios({
                 errorMessage: errors.WhatIsYourRole if errors,

diff --git a/src/views/common/which-sector-other/which-sector-other.njk b/src/views/common/which-sector-other/which-sector-other.njk
@@ -5,6 +5,7 @@
 {% set title = i18n.whichSectorOtherTitle %}
 {% block main_content %}
     <form action="" method="POST">
+        {% include "partials/csrf_token.njk" %} 
         {% if acspType == "SOLE_TRADER" %}
            {% include "partials/user_name.njk" %}
         {% endif %}

diff --git a/src/views/common/your-responsibilities/your-responsibilities.njk b/src/views/common/your-responsibilities/your-responsibilities.njk
@@ -5,6 +5,7 @@
 
 {% block main_content %}
   <form method="post">
+    {% include "partials/csrf_token.njk" %}
     {% if typeOfBusiness === "SOLE_TRADER" %}
       {% include "partials/user_name.njk" %}
     {% else %}

diff --git a/src/views/features/limited/business-mustbe-aml-registered/business-mustbe-aml-registered.njk b/src/views/features/limited/business-mustbe-aml-registered/business-mustbe-aml-registered.njk
@@ -13,6 +13,7 @@
 {% set title = i18n.amlInterruptTitle %}
 {% block main_content %}
     <form action="" method="POST">
+        {% include "partials/csrf_token.njk" %}
         <h1 class="govuk-heading-l">{{ i18n.amlInterruptTitle }}</h1>
         <p class="govuk-body">{{ i18n.text1 }}</p>
         <p class="govuk-body">{{ i18n.text2 }}</p>

diff --git a/src/views/features/limited/company-number/company-number.njk b/src/views/features/limited/company-number/company-number.njk
@@ -5,6 +5,7 @@
 {% set title = i18n.companyNumberTitle %}
 {% block main_content %}
   <form action="" method="POST">
+    {% include "partials/csrf_token.njk" %}
     <div class="govuk-form-group">
       {{ govukInput({
         label: {

diff --git a/src/views/features/limited/is-this-your-company/is-this-your-company.njk b/src/views/features/limited/is-this-your-company/is-this-your-company.njk
@@ -5,6 +5,7 @@
 {% block main_content %}
   <!-- The action will need to change depending on the location of the confirm-company page -->
   <form action="" method="post">
+    {% include "partials/csrf_token.njk" %}
     <h1 class="govuk-heading-l">{{i18n.isThisYourCompany}}</h1>
     <dl class="govuk-summary-list">
     <div class="govuk-summary-list__row">

diff --git a/src/views/features/limited/name-registered-with-aml/name-registered-with-aml.njk b/src/views/features/limited/name-registered-with-aml/name-registered-with-aml.njk
@@ -5,6 +5,7 @@
 {% set title = i18n.nameRegisteredWithAmlTitle %}
 {% block main_content %}
   <form action="" method="POST">
+    {% include "partials/csrf_token.njk" %}
     {{ govukRadios({
       errorMessage: errors.nameRegisteredWithAml if errors,
       classes: "govuk-radios",

diff --git a/src/views/features/sole-trader/nationality/nationality.njk b/src/views/features/sole-trader/nationality/nationality.njk
@@ -9,6 +9,7 @@
         {% set dropdownThreeError =  errors.nationality_input_2 %}
     {% endif %}
     <form action="" method="post">
+        {% include "partials/csrf_token.njk" %}
         <fieldset class="govuk-fieldset">
             <legend class="govuk-fieldset__legend govuk-fieldset__legend--l">
                 {% include "partials/user_name.njk" %}

diff --git a/src/views/features/sole-trader/what-is-the-business-name/what-is-the-business-name.njk b/src/views/features/sole-trader/what-is-the-business-name/what-is-the-business-name.njk
@@ -5,7 +5,8 @@
 
 {% set title = i18n.whatIsTheBusinessNameTitle %}
 {% block main_content %}
-  <form action="" method="POST">      
+  <form action="" method="POST">     
+    {% include "partials/csrf_token.njk" %} 
     {% set textHtml %}
       {{ govukInput({
         label: {

diff --git a/src/views/features/sole-trader/what-is-your-date-of-birth/what-is-your-date-of-birth.njk b/src/views/features/sole-trader/what-is-your-date-of-birth/what-is-your-date-of-birth.njk
@@ -18,6 +18,7 @@
 
   <div>
     <form action="" method="POST">
+      {% include "partials/csrf_token.njk" %}
       {% include "partials/user_name.njk" %}
 
       {{ govukDateInput({

diff --git a/src/views/features/sole-trader/where-do-you-live/where-do-you-live.njk b/src/views/features/sole-trader/where-do-you-live/where-do-you-live.njk
@@ -4,6 +4,7 @@
 {% set title = i18n.whereDoYouLiveTitle %}
 {% block main_content %}
   <form action="" method="post">
+    {% include "partials/csrf_token.njk" %}
     {% include "partials/user_name.njk" %}
     {% set countryInput %}
     <div id="typeahead-form-group" class="govuk-form-group">

diff --git a/src/views/features/unincorporated/business-address-auto-lookup/auto-lookup-address.njk b/src/views/features/unincorporated/business-address-auto-lookup/auto-lookup-address.njk
@@ -7,6 +7,7 @@
 {% block main_content %}
   <div class="govuk-width-container">
     <form action="" method="POST">
+      {% include "partials/csrf_token.njk" %}
       {% if businessName %}
         {% include "partials/business_name.njk" %}
       {% endif %}

diff --git a/src/views/features/unincorporated/business-address-auto-lookup/business-address-list.njk b/src/views/features/unincorporated/business-address-auto-lookup/business-address-list.njk
@@ -21,6 +21,7 @@
 {% endfor %}
     {# Form section #}
     <form action="" method="POST">
+        {% include "partials/csrf_token.njk" %}
         {% if businessName %}
             {% include "partials/business_name.njk" %}
         {% endif %}