fix(per): Ensure form-wizard journey is unique for each PER

Currently we use a generic session key for the form wizard and its journeys. This means that the session is shared for all Person Escort Records. This leads to an occurrance of CSRF resets and clashes when opening an old record to compare against a new record. To prevent this, each form-wizard and journey is given a unique name using the ID of the record.
ministryofjustice · Oct 30, 2020 · 0dca482 · 0dca482
1 parent be2fc31
commit 0dca482
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 4 deletions.
diff --git a/app/person-escort-record/router.js b/app/person-escort-record/router.js
@@ -5,6 +5,7 @@ const FrameworkStepController = require('./controllers/framework-step')
 
 function defineFormWizard(req, res, next) {
   const { key, steps } = req.frameworkSection
+  const { id: personEscortRecordId } = req.personEscortRecord
   const firstStep = Object.values(steps)[0]
   const wizardFields = req.framework.questions
   const wizardSteps = {
@@ -25,9 +26,11 @@ function defineFormWizard(req, res, next) {
   const wizardConfig = {
     controller: FrameworkStepController,
     entryPoint: true,
-    journeyName: `person-escort-record-${key}`,
+    // Unique for each Person Escort Record and section
+    journeyName: `person-escort-record-${personEscortRecordId}-${key}`,
     journeyPageTitle: 'Person escort record',
-    name: `person-escort-record-${key}`,
+    // Unique for each Person Escort Record
+    name: `person-escort-record-${personEscortRecordId}`,
     template: 'framework-step',
     templatePath: 'person-escort-record/views/',
     defaultFormatters: ['trim', 'singlespaces', 'apostrophes', 'quotes'],

diff --git a/app/person-escort-record/router.test.js b/app/person-escort-record/router.test.js
@@ -50,6 +50,9 @@ describe('Person Escort Record router', function () {
 
     beforeEach(function () {
       req = {
+        personEscortRecord: {
+          id: '12345',
+        },
         framework: mockFramework,
         frameworkSection: {
           key: 'section-one',
@@ -95,9 +98,9 @@ describe('Person Escort Record router', function () {
         const config = {
           controller: FrameworkStepController,
           entryPoint: true,
-          journeyName: `person-escort-record-${req.frameworkSection.key}`,
+          journeyName: `person-escort-record-${req.personEscortRecord.id}-${req.frameworkSection.key}`,
           journeyPageTitle: 'Person escort record',
-          name: `person-escort-record-${req.frameworkSection.key}`,
+          name: `person-escort-record-${req.personEscortRecord.id}`,
           template: 'framework-step',
           templatePath: 'person-escort-record/views/',
           defaultFormatters: ['trim', 'singlespaces', 'apostrophes', 'quotes'],