From 64e9a9461c971ccba3ac77ecbfc7bd31e724c5cb Mon Sep 17 00:00:00 2001
From: Richard Smith <richard.smith33@nhs.net>
Date: Wed, 11 Oct 2023 10:42:35 +0100
Subject: [PATCH 01/32] BCL handler and test files

---
 .../handlers/back_channel_logout_handler.py   |  59 ++++++++++
 .../test_back_channel_logout_handler.py       | 106 ++++++++++++++++++
 2 files changed, 165 insertions(+)
 create mode 100644 lambdas/handlers/back_channel_logout_handler.py
 create mode 100644 lambdas/tests/unit/handlers/test_back_channel_logout_handler.py

diff --git a/lambdas/handlers/back_channel_logout_handler.py b/lambdas/handlers/back_channel_logout_handler.py
new file mode 100644
index 000000000..3d5aef086
--- /dev/null
+++ b/lambdas/handlers/back_channel_logout_handler.py
@@ -0,0 +1,59 @@
+import logging
+import os
+
+import boto3
+import jwt
+from botocore.exceptions import ClientError
+from services.dynamo_service import DynamoDBService
+from utils.lambda_response import ApiGatewayResponse
+
+logger = logging.getLogger()
+logger.setLevel(logging.INFO)
+
+
+def lambda_handler(event, context):
+    token = event["headers"]["x-auth"]
+    return logout_handler(token)
+
+
+def logout_handler(token):
+    try:
+        ssm_public_key_parameter_name = os.environ["SSM_PARAM_JWT_TOKEN_PUBLIC_KEY"]
+        ssm_response = get_ssm_parameter(key=ssm_public_key_parameter_name)
+        jwt_class = jwt
+        public_key = ssm_response["Parameter"]["Value"]
+        logger.info("decoding token")
+        decoded_token = decode_token(jwt_class=jwt_class, token=token, key=public_key)
+        session_id = decoded_token["ndr_session_id"]
+        remove_session_from_dynamo_db(session_id)
+
+    except ClientError as e:
+        logger.error(f"Error logging out user: {e}")
+        return ApiGatewayResponse(
+            500, "Error logging user out", "GET"
+        ).create_api_gateway_response()
+    except (jwt.PyJWTError, KeyError) as e:
+        logger.error(f"error while decoding JWT: {e}")
+        return ApiGatewayResponse(
+            400, "Invalid x-auth header", "GET"
+        ).create_api_gateway_response()
+    return ApiGatewayResponse(200, "", "GET").create_api_gateway_response()
+
+
+def get_ssm_parameter(key):
+    client = boto3.client("ssm", region_name="eu-west-2")
+    ssm_response = client.get_parameter(Name=key, WithDecryption=True)
+    return ssm_response
+
+
+def decode_token(jwt_class, token, key):
+    return jwt_class.decode(token, key, algorithms=["RS256"])
+
+
+def remove_session_from_dynamo_db(session_id):
+    logger.info(f"Session to be removed: {session_id}")
+    dynamodb_name = os.environ["AUTH_DYNAMODB_NAME"]
+    dynamodb_service = DynamoDBService()
+    dynamodb_service.delete_item(
+        key={"NDRSessionId": session_id}, table_name=dynamodb_name
+    )
diff --git a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
new file mode 100644
index 000000000..ab81ec711
--- /dev/null
+++ b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
@@ -0,0 +1,106 @@
+from botocore.exceptions import ClientError
+from handlers.logout_handler import lambda_handler
+from jwt.exceptions import PyJWTError
+from tests.unit.helpers.ssm_responses import \
+    MOCK_SINGLE_SECURE_STRING_PARAMETER_RESPONSE
+from utils.lambda_response import ApiGatewayResponse
+
+
+def test_logout_handler_valid_jwt_returns_200(mocker, monkeypatch):
+    mock_token = "mock_token"
+    mock_session_id = "mock_session_id"
+    mock_decoded_token = {"ndr_session_id": mock_session_id}
+    monkeypatch.setenv("SSM_PARAM_JWT_TOKEN_PUBLIC_KEY", "mock_public_key")
+    mock_token_validator = mocker.patch("jwt.decode", return_value=mock_decoded_token)
+    mock_dynamo_service = mocker.patch(
+        "handlers.logout_handler.remove_session_from_dynamo_db"
+    )
+    mock_ssm_service = mocker.patch(
+        "handlers.logout_handler.get_ssm_parameter",
+        return_value=MOCK_SINGLE_SECURE_STRING_PARAMETER_RESPONSE,
+    )
+
+    expected = ApiGatewayResponse(200, "", "GET").create_api_gateway_response()
+
+    actual = lambda_handler(build_event_from_token(mock_token), None)
+
+    assert expected == actual
+    mock_token_validator.asset_called_with(mock_token)
+    mock_dynamo_service.assert_called_with(mock_session_id)
+    mock_ssm_service.assert_called_once()
+
+
+def test_logout_handler_invalid_jwt_returns_400(mocker, monkeypatch):
+    mock_token = "mock_token"
+    monkeypatch.setenv("SSM_PARAM_JWT_TOKEN_PUBLIC_KEY", "mock_public_key")
+    mock_token_validator = mocker.patch("jwt.decode", side_effect=PyJWTError())
+    mock_ssm_service = mocker.patch(
+        "handlers.logout_handler.get_ssm_parameter",
+        return_value=MOCK_SINGLE_SECURE_STRING_PARAMETER_RESPONSE,
+    )
+
+    expected = ApiGatewayResponse(
+        400, "Invalid x-auth header", "GET"
+    ).create_api_gateway_response()
+
+    actual = lambda_handler(build_event_from_token(mock_token), None)
+
+    assert expected == actual
+    mock_token_validator.asset_called_with(mock_token)
+    mock_ssm_service.assert_called_once()
+
+
+def test_logout_handler_jwt_without_ndr_session_id_returns_400(mocker, monkeypatch):
+    mock_token = "mock_token"
+    monkeypatch.setenv("SSM_PARAM_JWT_TOKEN_PUBLIC_KEY", "mock_public_key")
+    mock_token_validator = mocker.patch(
+        "jwt.decode",
+        return_value={"token_decode_correctly": "but_no_ndr_session_id_in_content"},
+    )
+    mock_ssm_service = mocker.patch(
+        "handlers.logout_handler.get_ssm_parameter",
+        return_value=MOCK_SINGLE_SECURE_STRING_PARAMETER_RESPONSE,
+    )
+
+    expected = ApiGatewayResponse(
+        400, "Invalid x-auth header", "GET"
+    ).create_api_gateway_response()
+
+    actual = lambda_handler(build_event_from_token(mock_token), None)
+
+    assert expected == actual
+    mock_token_validator.asset_called_with(mock_token)
+    mock_ssm_service.assert_called_once()
+
+
+def test_logout_handler_boto_error_returns_500(mocker, monkeypatch):
+    mock_token = "mock_token"
+    mock_session_id = "mock_session_id"
+    mock_decoded_token = {"ndr_session_id": mock_session_id}
+    monkeypatch.setenv("SSM_PARAM_JWT_TOKEN_PUBLIC_KEY", "mock_public_key")
+    mock_token_validator = mocker.patch("jwt.decode", return_value=mock_decoded_token)
+    mock_dynamo_service = mocker.patch(
+        "handlers.logout_handler.remove_session_from_dynamo_db",
+        side_effect=ClientError(
+            {"Error": {"Code": "500", "Message": "mocked error"}}, "test"
+        ),
+    )
+    mock_ssm_service = mocker.patch(
+        "handlers.logout_handler.get_ssm_parameter",
+        return_value=MOCK_SINGLE_SECURE_STRING_PARAMETER_RESPONSE,
+    )
+
+    expected = ApiGatewayResponse(
+        500, "Error logging user out", "GET"
+    ).create_api_gateway_response()
+
+    actual = lambda_handler(build_event_from_token(mock_token), None)
+
+    assert expected == actual
+    mock_token_validator.asset_called_with(mock_token)
+    mock_dynamo_service.assert_called_with(mock_session_id)
+    mock_ssm_service.assert_called_once()
+
+
+def build_event_from_token(token: str) -> dict:
+    return {"headers": {"x-auth": token}}

From 6809cf5a0c7e6334abe4c8c1b05ec4be09ef2a9e Mon Sep 17 00:00:00 2001
From: Richard Smith <richard.smith33@nhs.net>
Date: Wed, 11 Oct 2023 11:39:21 +0100
Subject: [PATCH 02/32] Use CIS2 public key to validate logout token

---
 lambdas/handlers/back_channel_logout_handler.py  |  7 ++++---
 .../handlers/test_back_channel_logout_handler.py | 16 ++++++++--------
 2 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/lambdas/handlers/back_channel_logout_handler.py b/lambdas/handlers/back_channel_logout_handler.py
index 3d5aef086..c09842ccf 100644
--- a/lambdas/handlers/back_channel_logout_handler.py
+++ b/lambdas/handlers/back_channel_logout_handler.py
@@ -18,25 +18,26 @@ def lambda_handler(event, context):
 
 def logout_handler(token):
     try:
-        ssm_public_key_parameter_name = os.environ["SSM_PARAM_JWT_TOKEN_PUBLIC_KEY"]
+        ssm_public_key_parameter_name = os.environ["SSM_PARAM_CIS2_BCL_PUBLIC_KEY"]
         ssm_response = get_ssm_parameter(key=ssm_public_key_parameter_name)
         jwt_class = jwt
         public_key = ssm_response["Parameter"]["Value"]
         logger.info("decoding token")
         decoded_token = decode_token(jwt_class=jwt_class, token=token, key=public_key)
-        session_id = decoded_token["ndr_session_id"]
+        session_id = decoded_token["sid"]
         remove_session_from_dynamo_db(session_id)
 
     except ClientError as e:
         logger.error(f"Error logging out user: {e}")
         return ApiGatewayResponse(
-            500, "Error logging user out", "GET"
+            400, "Internal error logging user out", "GET"
         ).create_api_gateway_response()
     except (jwt.PyJWTError, KeyError) as e:
         logger.error(f"error while decoding JWT: {e}")
         return ApiGatewayResponse(
             400, "Invalid x-auth header", "GET"
         ).create_api_gateway_response()
+    
     return ApiGatewayResponse(200, "", "GET").create_api_gateway_response()
 
 
diff --git a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
index ab81ec711..28fe58e47 100644
--- a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
+++ b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
@@ -6,11 +6,11 @@
 from utils.lambda_response import ApiGatewayResponse
 
 
-def test_logout_handler_valid_jwt_returns_200(mocker, monkeypatch):
+def test_logout_handler_valid_jwt_returns_200_if_session_exists(mocker, monkeypatch):
     mock_token = "mock_token"
     mock_session_id = "mock_session_id"
     mock_decoded_token = {"ndr_session_id": mock_session_id}
-    monkeypatch.setenv("SSM_PARAM_JWT_TOKEN_PUBLIC_KEY", "mock_public_key")
+    monkeypatch.setenv("SSM_PARAM_CIS2_BCL_PUBLIC_KEY", "mock_public_key")
     mock_token_validator = mocker.patch("jwt.decode", return_value=mock_decoded_token)
     mock_dynamo_service = mocker.patch(
         "handlers.logout_handler.remove_session_from_dynamo_db"
@@ -30,9 +30,9 @@ def test_logout_handler_valid_jwt_returns_200(mocker, monkeypatch):
     mock_ssm_service.assert_called_once()
 
 
-def test_logout_handler_invalid_jwt_returns_400(mocker, monkeypatch):
+def test_logout_handler_invalid_jwt_returns_200_if_session_doesnt_exist(mocker, monkeypatch):
     mock_token = "mock_token"
-    monkeypatch.setenv("SSM_PARAM_JWT_TOKEN_PUBLIC_KEY", "mock_public_key")
+    monkeypatch.setenv("SSM_PARAM_CIS2_BCL_PUBLIC_KEY", "mock_public_key")
     mock_token_validator = mocker.patch("jwt.decode", side_effect=PyJWTError())
     mock_ssm_service = mocker.patch(
         "handlers.logout_handler.get_ssm_parameter",
@@ -52,7 +52,7 @@ def test_logout_handler_invalid_jwt_returns_400(mocker, monkeypatch):
 
 def test_logout_handler_jwt_without_ndr_session_id_returns_400(mocker, monkeypatch):
     mock_token = "mock_token"
-    monkeypatch.setenv("SSM_PARAM_JWT_TOKEN_PUBLIC_KEY", "mock_public_key")
+    monkeypatch.setenv("SSM_PARAM_CIS2_BCL_PUBLIC_KEY", "mock_public_key")
     mock_token_validator = mocker.patch(
         "jwt.decode",
         return_value={"token_decode_correctly": "but_no_ndr_session_id_in_content"},
@@ -73,11 +73,11 @@ def test_logout_handler_jwt_without_ndr_session_id_returns_400(mocker, monkeypat
     mock_ssm_service.assert_called_once()
 
 
-def test_logout_handler_boto_error_returns_500(mocker, monkeypatch):
+def test_logout_handler_boto_error_returns_400(mocker, monkeypatch):
     mock_token = "mock_token"
     mock_session_id = "mock_session_id"
     mock_decoded_token = {"ndr_session_id": mock_session_id}
-    monkeypatch.setenv("SSM_PARAM_JWT_TOKEN_PUBLIC_KEY", "mock_public_key")
+    monkeypatch.setenv("SSM_PARAM_CIS2_BCL_PUBLIC_KEY", "mock_public_key")
     mock_token_validator = mocker.patch("jwt.decode", return_value=mock_decoded_token)
     mock_dynamo_service = mocker.patch(
         "handlers.logout_handler.remove_session_from_dynamo_db",
@@ -91,7 +91,7 @@ def test_logout_handler_boto_error_returns_500(mocker, monkeypatch):
     )
 
     expected = ApiGatewayResponse(
-        500, "Error logging user out", "GET"
+        400, "Error logging user out", "GET"
     ).create_api_gateway_response()
 
     actual = lambda_handler(build_event_from_token(mock_token), None)

From 1dd4a47df40adbc63a367ed81c0629a5b105b719 Mon Sep 17 00:00:00 2001
From: Richard Smith <richard.smith33@nhs.net>
Date: Wed, 11 Oct 2023 12:16:02 +0100
Subject: [PATCH 03/32] Change error messages to JSON according to CIS2 spec

---
 .../handlers/back_channel_logout_handler.py   |  4 +--
 .../test_back_channel_logout_handler.py       | 32 +++++++++----------
 2 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/lambdas/handlers/back_channel_logout_handler.py b/lambdas/handlers/back_channel_logout_handler.py
index c09842ccf..5546fc67a 100644
--- a/lambdas/handlers/back_channel_logout_handler.py
+++ b/lambdas/handlers/back_channel_logout_handler.py
@@ -30,12 +30,12 @@ def logout_handler(token):
     except ClientError as e:
         logger.error(f"Error logging out user: {e}")
         return ApiGatewayResponse(
-            400, "Internal error logging user out", "GET"
+            400, """{ "error":"Internal error logging user out"}""", "GET"
         ).create_api_gateway_response()
     except (jwt.PyJWTError, KeyError) as e:
         logger.error(f"error while decoding JWT: {e}")
         return ApiGatewayResponse(
-            400, "Invalid x-auth header", "GET"
+            400, """{ "error":"Invalid x-auth header"}""", "GET"
         ).create_api_gateway_response()
     
     return ApiGatewayResponse(200, "", "GET").create_api_gateway_response()
diff --git a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
index 28fe58e47..332d96f0e 100644
--- a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
+++ b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
@@ -1,22 +1,22 @@
 from botocore.exceptions import ClientError
-from handlers.logout_handler import lambda_handler
+from handlers.back_channel_logout_handler import lambda_handler
 from jwt.exceptions import PyJWTError
 from tests.unit.helpers.ssm_responses import \
     MOCK_SINGLE_SECURE_STRING_PARAMETER_RESPONSE
 from utils.lambda_response import ApiGatewayResponse
 
 
-def test_logout_handler_valid_jwt_returns_200_if_session_exists(mocker, monkeypatch):
+def test_back_channel_logout_handler_valid_jwt_returns_200_if_session_exists(mocker, monkeypatch):
     mock_token = "mock_token"
     mock_session_id = "mock_session_id"
-    mock_decoded_token = {"ndr_session_id": mock_session_id}
+    mock_decoded_token = {"sid": mock_session_id}
     monkeypatch.setenv("SSM_PARAM_CIS2_BCL_PUBLIC_KEY", "mock_public_key")
     mock_token_validator = mocker.patch("jwt.decode", return_value=mock_decoded_token)
     mock_dynamo_service = mocker.patch(
-        "handlers.logout_handler.remove_session_from_dynamo_db"
+        "handlers.back_channel_logout_handler.remove_session_from_dynamo_db"
     )
     mock_ssm_service = mocker.patch(
-        "handlers.logout_handler.get_ssm_parameter",
+        "handlers.back_channel_logout_handler.get_ssm_parameter",
         return_value=MOCK_SINGLE_SECURE_STRING_PARAMETER_RESPONSE,
     )
 
@@ -35,12 +35,12 @@ def test_logout_handler_invalid_jwt_returns_200_if_session_doesnt_exist(mocker,
     monkeypatch.setenv("SSM_PARAM_CIS2_BCL_PUBLIC_KEY", "mock_public_key")
     mock_token_validator = mocker.patch("jwt.decode", side_effect=PyJWTError())
     mock_ssm_service = mocker.patch(
-        "handlers.logout_handler.get_ssm_parameter",
+        "handlers.back_channel_logout_handler.get_ssm_parameter",
         return_value=MOCK_SINGLE_SECURE_STRING_PARAMETER_RESPONSE,
     )
 
     expected = ApiGatewayResponse(
-        400, "Invalid x-auth header", "GET"
+        400,  """{ "error":"Invalid x-auth header"}""", "GET"
     ).create_api_gateway_response()
 
     actual = lambda_handler(build_event_from_token(mock_token), None)
@@ -50,20 +50,20 @@ def test_logout_handler_invalid_jwt_returns_200_if_session_doesnt_exist(mocker,
     mock_ssm_service.assert_called_once()
 
 
-def test_logout_handler_jwt_without_ndr_session_id_returns_400(mocker, monkeypatch):
+def test_back_channel_logout_handler_jwt_without_session_id_returns_400(mocker, monkeypatch):
     mock_token = "mock_token"
     monkeypatch.setenv("SSM_PARAM_CIS2_BCL_PUBLIC_KEY", "mock_public_key")
     mock_token_validator = mocker.patch(
         "jwt.decode",
-        return_value={"token_decode_correctly": "but_no_ndr_session_id_in_content"},
+        return_value={"token_decode_correctly": "but_no_session_id_in_content"},
     )
     mock_ssm_service = mocker.patch(
-        "handlers.logout_handler.get_ssm_parameter",
+        "handlers.back_channel_logout_handler.get_ssm_parameter",
         return_value=MOCK_SINGLE_SECURE_STRING_PARAMETER_RESPONSE,
     )
 
     expected = ApiGatewayResponse(
-        400, "Invalid x-auth header", "GET"
+        400,  """{ "error":"Invalid x-auth header"}""", "GET"
     ).create_api_gateway_response()
 
     actual = lambda_handler(build_event_from_token(mock_token), None)
@@ -73,25 +73,25 @@ def test_logout_handler_jwt_without_ndr_session_id_returns_400(mocker, monkeypat
     mock_ssm_service.assert_called_once()
 
 
-def test_logout_handler_boto_error_returns_400(mocker, monkeypatch):
+def test_back_channel_logout_handler_boto_error_returns_400(mocker, monkeypatch):
     mock_token = "mock_token"
     mock_session_id = "mock_session_id"
-    mock_decoded_token = {"ndr_session_id": mock_session_id}
+    mock_decoded_token = {"sid": mock_session_id}
     monkeypatch.setenv("SSM_PARAM_CIS2_BCL_PUBLIC_KEY", "mock_public_key")
     mock_token_validator = mocker.patch("jwt.decode", return_value=mock_decoded_token)
     mock_dynamo_service = mocker.patch(
-        "handlers.logout_handler.remove_session_from_dynamo_db",
+        "handlers.back_channel_logout_handler.remove_session_from_dynamo_db",
         side_effect=ClientError(
             {"Error": {"Code": "500", "Message": "mocked error"}}, "test"
         ),
     )
     mock_ssm_service = mocker.patch(
-        "handlers.logout_handler.get_ssm_parameter",
+        "handlers.back_channel_logout_handler.get_ssm_parameter",
         return_value=MOCK_SINGLE_SECURE_STRING_PARAMETER_RESPONSE,
     )
 
     expected = ApiGatewayResponse(
-        400, "Error logging user out", "GET"
+        400, """{ "error":"Internal error logging user out"}""", "GET"
     ).create_api_gateway_response()
 
     actual = lambda_handler(build_event_from_token(mock_token), None)

From e42d9d0b88a466153cbef379b20f251ad3479b02 Mon Sep 17 00:00:00 2001
From: Richard Smith <richard.smith33@nhs.net>
Date: Wed, 11 Oct 2023 16:34:07 +0100
Subject: [PATCH 04/32] Reduce duplicate code

---
 .../handlers/back_channel_logout_handler.py   |  24 +---
 lambdas/handlers/logout_handler.py            |  18 +--
 .../test_back_channel_logout_handler.py       |  37 ++----
 ...uest_handler.py => test_logout_handler.py} |  12 +-
 .../tests/unit/services/test_ssm_service.py   | 106 ++++++++++++++++++
 5 files changed, 127 insertions(+), 70 deletions(-)
 rename lambdas/tests/unit/handlers/{test_logout_request_handler.py => test_logout_handler.py} (86%)
 create mode 100755 lambdas/tests/unit/services/test_ssm_service.py

diff --git a/lambdas/handlers/back_channel_logout_handler.py b/lambdas/handlers/back_channel_logout_handler.py
index 5546fc67a..ac2bb7007 100644
--- a/lambdas/handlers/back_channel_logout_handler.py
+++ b/lambdas/handlers/back_channel_logout_handler.py
@@ -1,12 +1,12 @@
 import logging
 import os
-
-import boto3
 import jwt
 from botocore.exceptions import ClientError
 from services.dynamo_service import DynamoDBService
+from services.ssm_service import get_ssm_parameter
 from utils.lambda_response import ApiGatewayResponse
 
+
 logger = logging.getLogger()
 logger.setLevel(logging.INFO)
 
@@ -18,12 +18,11 @@ def lambda_handler(event, context):
 
 def logout_handler(token):
     try:
-        ssm_public_key_parameter_name = os.environ["SSM_PARAM_CIS2_BCL_PUBLIC_KEY"]
-        ssm_response = get_ssm_parameter(key=ssm_public_key_parameter_name)
-        jwt_class = jwt
+        ssm_response = get_ssm_parameter("SSM_PARAM_CIS2_BCL_PUBLIC_KEY")
         public_key = ssm_response["Parameter"]["Value"]
+        
         logger.info("decoding token")
-        decoded_token = decode_token(jwt_class=jwt_class, token=token, key=public_key)
+        decoded_token = jwt.decode(token, public_key, algorithms=["RS256"])
         session_id = decoded_token["sid"]
         remove_session_from_dynamo_db(session_id)
 
@@ -40,18 +39,7 @@ def logout_handler(token):
     
     return ApiGatewayResponse(200, "", "GET").create_api_gateway_response()
 
-
-def get_ssm_parameter(key):
-    client = boto3.client("ssm", region_name="eu-west-2")
-    ssm_response = client.get_parameter(Name=key, WithDecryption=True)
-    return ssm_response
-
-
-def decode_token(jwt_class, token, key):
-    return jwt_class.decode(token, key, algorithms=["RS256"])
-
-
-def remove_session_from_dynamo_db(session_id):
+def remove_session_from_dynamo_db(session_id):#move to parent class
     logger.info(f"Session to be removed: {session_id}")
     dynamodb_name = os.environ["AUTH_DYNAMODB_NAME"]
     dynamodb_service = DynamoDBService()
diff --git a/lambdas/handlers/logout_handler.py b/lambdas/handlers/logout_handler.py
index 3d5aef086..6535324ce 100644
--- a/lambdas/handlers/logout_handler.py
+++ b/lambdas/handlers/logout_handler.py
@@ -4,6 +4,7 @@
 import boto3
 import jwt
 from botocore.exceptions import ClientError
+from lambdas.services.ssm_service import get_ssm_parameter
 from services.dynamo_service import DynamoDBService
 from utils.lambda_response import ApiGatewayResponse
 
@@ -18,12 +19,11 @@ def lambda_handler(event, context):
 
 def logout_handler(token):
     try:
-        ssm_public_key_parameter_name = os.environ["SSM_PARAM_JWT_TOKEN_PUBLIC_KEY"]
-        ssm_response = get_ssm_parameter(key=ssm_public_key_parameter_name)
-        jwt_class = jwt
+        ssm_response = get_ssm_parameter("SSM_PARAM_JWT_TOKEN_PUBLIC_KEY")
         public_key = ssm_response["Parameter"]["Value"]
+        
         logger.info("decoding token")
-        decoded_token = decode_token(jwt_class=jwt_class, token=token, key=public_key)
+        decoded_token = jwt.decode(token, public_key, algorithms=["RS256"])
         session_id = decoded_token["ndr_session_id"]
         remove_session_from_dynamo_db(session_id)
 
@@ -40,16 +40,6 @@ def logout_handler(token):
     return ApiGatewayResponse(200, "", "GET").create_api_gateway_response()
 
 
-def get_ssm_parameter(key):
-    client = boto3.client("ssm", region_name="eu-west-2")
-    ssm_response = client.get_parameter(Name=key, WithDecryption=True)
-    return ssm_response
-
-
-def decode_token(jwt_class, token, key):
-    return jwt_class.decode(token, key, algorithms=["RS256"])
-
-
 def remove_session_from_dynamo_db(session_id):
     logger.info(f"Session to be removed: {session_id}")
     dynamodb_name = os.environ["AUTH_DYNAMODB_NAME"]
diff --git a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
index 332d96f0e..3a378be30 100644
--- a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
+++ b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
@@ -10,15 +10,14 @@ def test_back_channel_logout_handler_valid_jwt_returns_200_if_session_exists(moc
     mock_token = "mock_token"
     mock_session_id = "mock_session_id"
     mock_decoded_token = {"sid": mock_session_id}
-    monkeypatch.setenv("SSM_PARAM_CIS2_BCL_PUBLIC_KEY", "mock_public_key")
     mock_token_validator = mocker.patch("jwt.decode", return_value=mock_decoded_token)
-    mock_dynamo_service = mocker.patch(
-        "handlers.back_channel_logout_handler.remove_session_from_dynamo_db"
-    )
     mock_ssm_service = mocker.patch(
-        "handlers.back_channel_logout_handler.get_ssm_parameter",
+        "handlers.back_channel_logout_handler.get_ssm_parameter", 
         return_value=MOCK_SINGLE_SECURE_STRING_PARAMETER_RESPONSE,
     )
+    mock_dynamo_service = mocker.patch(
+        "handlers.back_channel_logout_handler.remove_session_from_dynamo_db"
+    )
 
     expected = ApiGatewayResponse(200, "", "GET").create_api_gateway_response()
 
@@ -27,32 +26,11 @@ def test_back_channel_logout_handler_valid_jwt_returns_200_if_session_exists(moc
     assert expected == actual
     mock_token_validator.asset_called_with(mock_token)
     mock_dynamo_service.assert_called_with(mock_session_id)
-    mock_ssm_service.assert_called_once()
-
-
-def test_logout_handler_invalid_jwt_returns_200_if_session_doesnt_exist(mocker, monkeypatch):
-    mock_token = "mock_token"
-    monkeypatch.setenv("SSM_PARAM_CIS2_BCL_PUBLIC_KEY", "mock_public_key")
-    mock_token_validator = mocker.patch("jwt.decode", side_effect=PyJWTError())
-    mock_ssm_service = mocker.patch(
-        "handlers.back_channel_logout_handler.get_ssm_parameter",
-        return_value=MOCK_SINGLE_SECURE_STRING_PARAMETER_RESPONSE,
-    )
-
-    expected = ApiGatewayResponse(
-        400,  """{ "error":"Invalid x-auth header"}""", "GET"
-    ).create_api_gateway_response()
-
-    actual = lambda_handler(build_event_from_token(mock_token), None)
-
-    assert expected == actual
-    mock_token_validator.asset_called_with(mock_token)
-    mock_ssm_service.assert_called_once()
+    mock_ssm_service.assert_called_once_with("SSM_PARAM_CIS2_BCL_PUBLIC_KEY")
 
 
-def test_back_channel_logout_handler_jwt_without_session_id_returns_400(mocker, monkeypatch):
+def test_back_channel_logout_handler_jwt_without_session_id_returns_400(mocker):
     mock_token = "mock_token"
-    monkeypatch.setenv("SSM_PARAM_CIS2_BCL_PUBLIC_KEY", "mock_public_key")
     mock_token_validator = mocker.patch(
         "jwt.decode",
         return_value={"token_decode_correctly": "but_no_session_id_in_content"},
@@ -73,11 +51,10 @@ def test_back_channel_logout_handler_jwt_without_session_id_returns_400(mocker,
     mock_ssm_service.assert_called_once()
 
 
-def test_back_channel_logout_handler_boto_error_returns_400(mocker, monkeypatch):
+def test_back_channel_logout_handler_boto_error_returns_400(mocker):
     mock_token = "mock_token"
     mock_session_id = "mock_session_id"
     mock_decoded_token = {"sid": mock_session_id}
-    monkeypatch.setenv("SSM_PARAM_CIS2_BCL_PUBLIC_KEY", "mock_public_key")
     mock_token_validator = mocker.patch("jwt.decode", return_value=mock_decoded_token)
     mock_dynamo_service = mocker.patch(
         "handlers.back_channel_logout_handler.remove_session_from_dynamo_db",
diff --git a/lambdas/tests/unit/handlers/test_logout_request_handler.py b/lambdas/tests/unit/handlers/test_logout_handler.py
similarity index 86%
rename from lambdas/tests/unit/handlers/test_logout_request_handler.py
rename to lambdas/tests/unit/handlers/test_logout_handler.py
index ab81ec711..bf32e75d2 100644
--- a/lambdas/tests/unit/handlers/test_logout_request_handler.py
+++ b/lambdas/tests/unit/handlers/test_logout_handler.py
@@ -6,11 +6,10 @@
 from utils.lambda_response import ApiGatewayResponse
 
 
-def test_logout_handler_valid_jwt_returns_200(mocker, monkeypatch):
+def test_logout_handler_valid_jwt_returns_200(mocker):
     mock_token = "mock_token"
     mock_session_id = "mock_session_id"
     mock_decoded_token = {"ndr_session_id": mock_session_id}
-    monkeypatch.setenv("SSM_PARAM_JWT_TOKEN_PUBLIC_KEY", "mock_public_key")
     mock_token_validator = mocker.patch("jwt.decode", return_value=mock_decoded_token)
     mock_dynamo_service = mocker.patch(
         "handlers.logout_handler.remove_session_from_dynamo_db"
@@ -30,9 +29,8 @@ def test_logout_handler_valid_jwt_returns_200(mocker, monkeypatch):
     mock_ssm_service.assert_called_once()
 
 
-def test_logout_handler_invalid_jwt_returns_400(mocker, monkeypatch):
+def test_logout_handler_invalid_jwt_returns_400(mocker):
     mock_token = "mock_token"
-    monkeypatch.setenv("SSM_PARAM_JWT_TOKEN_PUBLIC_KEY", "mock_public_key")
     mock_token_validator = mocker.patch("jwt.decode", side_effect=PyJWTError())
     mock_ssm_service = mocker.patch(
         "handlers.logout_handler.get_ssm_parameter",
@@ -50,9 +48,8 @@ def test_logout_handler_invalid_jwt_returns_400(mocker, monkeypatch):
     mock_ssm_service.assert_called_once()
 
 
-def test_logout_handler_jwt_without_ndr_session_id_returns_400(mocker, monkeypatch):
+def test_logout_handler_jwt_without_ndr_session_id_returns_400(mocker):
     mock_token = "mock_token"
-    monkeypatch.setenv("SSM_PARAM_JWT_TOKEN_PUBLIC_KEY", "mock_public_key")
     mock_token_validator = mocker.patch(
         "jwt.decode",
         return_value={"token_decode_correctly": "but_no_ndr_session_id_in_content"},
@@ -73,11 +70,10 @@ def test_logout_handler_jwt_without_ndr_session_id_returns_400(mocker, monkeypat
     mock_ssm_service.assert_called_once()
 
 
-def test_logout_handler_boto_error_returns_500(mocker, monkeypatch):
+def test_logout_handler_boto_error_returns_500(mocker):
     mock_token = "mock_token"
     mock_session_id = "mock_session_id"
     mock_decoded_token = {"ndr_session_id": mock_session_id}
-    monkeypatch.setenv("SSM_PARAM_JWT_TOKEN_PUBLIC_KEY", "mock_public_key")
     mock_token_validator = mocker.patch("jwt.decode", return_value=mock_decoded_token)
     mock_dynamo_service = mocker.patch(
         "handlers.logout_handler.remove_session_from_dynamo_db",
diff --git a/lambdas/tests/unit/services/test_ssm_service.py b/lambdas/tests/unit/services/test_ssm_service.py
new file mode 100755
index 000000000..711fd6a2e
--- /dev/null
+++ b/lambdas/tests/unit/services/test_ssm_service.py
@@ -0,0 +1,106 @@
+from services.s3_service import S3Service
+from tests.unit.conftest import (MOCK_BUCKET, TEST_FILE_KEY, TEST_FILE_NAME,
+                                 TEST_OBJECT_KEY)
+
+MOCK_PRESIGNED_POST_RESPONSE = {
+    "url": "https://ndr-dev-document-store.s3.amazonaws.com/",
+    "fields": {
+        "key": "0abed67c-0d0b-4a11-a600-a2f19ee61281",
+        "x-amz-algorithm": "AWS4-HMAC-SHA256",
+        "x-amz-credential": "ASIAXYSUA44VTL5M5LWL/20230911/eu-west-2/s3/aws4_request",
+        "x-amz-date": "20230911T084756Z",
+        "x-amz-security-token": "test-security-token",
+        "policy": "test-policy",
+        "x-amz-signature": "b6afcf8b27fc883b0e0a25a789dd2ab272ea4c605a8c68267f73641d7471132f",
+    },
+}
+
+MOCK_PRESIGNED_URL_RESPONSE = {
+    "url": "https://ndr-dev-document-store.s3.amazonaws.com/",
+    "fields": {
+        "key": "0abed67c-0d0b-4a11-a600-a2f19ee61281",
+        "x-amz-algorithm": "AWS4-HMAC-SHA256",
+        "x-amz-credential": "ASIAXYSUA44VTL5M5LWL/20230911/eu-west-2/s3/aws4_request",
+        "x-amz-date": "20230911T084756Z",
+        "x-amz-expires": "1800",
+        "x-amz-signed-headers": "test-host",
+        "x-amz-signature": "test-signature",
+    },
+}
+
+TEST_DOWNLOAD_PATH = "test_path"
+MOCK_EVENT_BODY = {
+    "resourceType": "DocumentReference",
+    "subject": {"identifier": {"value": 111111000}},
+    "content": [{"attachment": {"contentType": "application/pdf"}}],
+    "description": "test_filename.pdf",
+}
+
+
+def test_create_document_presigned_url(set_env, mocker):
+    mock_generate_presigned_post = mocker.patch(
+        "botocore.signers.generate_presigned_post"
+    )
+
+    mock_generate_presigned_post.return_value = MOCK_PRESIGNED_POST_RESPONSE
+
+    service = S3Service()
+
+    return_value = service.create_document_presigned_url_handler(
+        MOCK_BUCKET, TEST_OBJECT_KEY
+    )
+
+    assert return_value == MOCK_PRESIGNED_POST_RESPONSE
+    mock_generate_presigned_post.assert_called_once()
+
+
+def test_create_zip_presigned_url(set_env, mocker):
+    mock_generate_presigned_url = mocker.patch(
+        "botocore.signers.generate_presigned_url"
+    )
+
+    mock_generate_presigned_url.return_value = MOCK_PRESIGNED_URL_RESPONSE
+
+    service = S3Service()
+
+    return_value = service.create_download_presigned_url(MOCK_BUCKET, TEST_FILE_KEY)
+
+    assert return_value == MOCK_PRESIGNED_URL_RESPONSE
+    mock_generate_presigned_url.assert_called_once()
+
+
+def test_download_file(mocker):
+    mocker.patch("boto3.client")
+    service = S3Service()
+    mock_download_file = mocker.patch.object(service.client, "download_file")
+    service.download_file(MOCK_BUCKET, TEST_FILE_KEY, TEST_DOWNLOAD_PATH)
+
+    mock_download_file.assert_called_once_with(
+        MOCK_BUCKET, TEST_FILE_KEY, TEST_DOWNLOAD_PATH
+    )
+
+
+def test_upload_file(mocker):
+    mocker.patch("boto3.client")
+    service = S3Service()
+    mock_upload_file = mocker.patch.object(service.client, "upload_file")
+
+    service.upload_file(TEST_FILE_NAME, MOCK_BUCKET, TEST_FILE_KEY)
+
+    mock_upload_file.assert_called_once_with(TEST_FILE_NAME, MOCK_BUCKET, TEST_FILE_KEY)
+
+
+def test_upload_file_with_extra_args(mocker):
+    mocker.patch("boto3.client")
+    service = S3Service()
+    mock_upload_file = mocker.patch.object(service.client, "upload_file")
+
+    test_extra_args = {"mock_tag": 123, "apple": "red", "banana": "true"}
+
+    service.upload_file_with_extra_args(
+        TEST_FILE_NAME, MOCK_BUCKET, TEST_FILE_KEY, test_extra_args
+    )
+
+    mock_upload_file.assert_called_once_with(
+        TEST_FILE_NAME, MOCK_BUCKET, TEST_FILE_KEY, test_extra_args
+    )

From a6150f584c319a627e39f908e09e56846fe944aa Mon Sep 17 00:00:00 2001
From: Richard Smith <richard.smith33@nhs.net>
Date: Thu, 12 Oct 2023 12:02:17 +0100
Subject: [PATCH 05/32] Use CIS2s published key to validate the logout token

---
 .../handlers/back_channel_logout_handler.py   | 22 +++---
 lambdas/handlers/logout_handler.py            | 20 +++--
 .../test_back_channel_logout_handler.py       | 73 +++++++++++--------
 .../unit/handlers/test_logout_handler.py      | 14 ++--
 4 files changed, 79 insertions(+), 50 deletions(-)

diff --git a/lambdas/handlers/back_channel_logout_handler.py b/lambdas/handlers/back_channel_logout_handler.py
index ac2bb7007..cf5e9d710 100644
--- a/lambdas/handlers/back_channel_logout_handler.py
+++ b/lambdas/handlers/back_channel_logout_handler.py
@@ -2,8 +2,9 @@
 import os
 import jwt
 from botocore.exceptions import ClientError
+from lambdas.services.oidc_service import OidcService
+from lambdas.utils.exceptions import AuthorisationException
 from services.dynamo_service import DynamoDBService
-from services.ssm_service import get_ssm_parameter
 from utils.lambda_response import ApiGatewayResponse
 
 
@@ -12,17 +13,15 @@
 
 
 def lambda_handler(event, context):
-    token = event["headers"]["x-auth"]
+    token = event["body"]["logout_token"]
     return logout_handler(token)
 
 
 def logout_handler(token):
     try:
-        ssm_response = get_ssm_parameter("SSM_PARAM_CIS2_BCL_PUBLIC_KEY")
-        public_key = ssm_response["Parameter"]["Value"]
-        
         logger.info("decoding token")
-        decoded_token = jwt.decode(token, public_key, algorithms=["RS256"])
+        oidc_service = OidcService()
+        decoded_token = oidc_service.validate_and_decode_token(token)
         session_id = decoded_token["sid"]
         remove_session_from_dynamo_db(session_id)
 
@@ -31,15 +30,20 @@ def logout_handler(token):
         return ApiGatewayResponse(
             400, """{ "error":"Internal error logging user out"}""", "GET"
         ).create_api_gateway_response()
-    except (jwt.PyJWTError, KeyError) as e:
+    except AuthorisationException as e:
         logger.error(f"error while decoding JWT: {e}")
         return ApiGatewayResponse(
-            400, """{ "error":"Invalid x-auth header"}""", "GET"
+            400, """{ "error":"JWT was invalid"}""", "GET"
+        ).create_api_gateway_response()
+    except KeyError as e:
+        logger.error(f"No field 'sid' in decoded token: {e}")
+        return ApiGatewayResponse(
+            400, """{ "error":"No sid field in decoded token"}""", "GET"
         ).create_api_gateway_response()
     
     return ApiGatewayResponse(200, "", "GET").create_api_gateway_response()
 
-def remove_session_from_dynamo_db(session_id):#move to parent class
+def remove_session_from_dynamo_db(session_id):
     logger.info(f"Session to be removed: {session_id}")
     dynamodb_name = os.environ["AUTH_DYNAMODB_NAME"]
     dynamodb_service = DynamoDBService()
diff --git a/lambdas/handlers/logout_handler.py b/lambdas/handlers/logout_handler.py
index 6535324ce..d4b286553 100644
--- a/lambdas/handlers/logout_handler.py
+++ b/lambdas/handlers/logout_handler.py
@@ -4,7 +4,6 @@
 import boto3
 import jwt
 from botocore.exceptions import ClientError
-from lambdas.services.ssm_service import get_ssm_parameter
 from services.dynamo_service import DynamoDBService
 from utils.lambda_response import ApiGatewayResponse
 
@@ -19,11 +18,12 @@ def lambda_handler(event, context):
 
 def logout_handler(token):
     try:
-        ssm_response = get_ssm_parameter("SSM_PARAM_JWT_TOKEN_PUBLIC_KEY")
+        ssm_public_key_parameter_name = os.environ["SSM_PARAM_JWT_TOKEN_PUBLIC_KEY"]
+        ssm_response = get_ssm_parameter(key=ssm_public_key_parameter_name)
+        jwt_class = jwt
         public_key = ssm_response["Parameter"]["Value"]
-        
         logger.info("decoding token")
-        decoded_token = jwt.decode(token, public_key, algorithms=["RS256"])
+        decoded_token = decode_token(jwt_class=jwt_class, token=token, key=public_key)
         session_id = decoded_token["ndr_session_id"]
         remove_session_from_dynamo_db(session_id)
 
@@ -40,10 +40,20 @@ def logout_handler(token):
     return ApiGatewayResponse(200, "", "GET").create_api_gateway_response()
 
 
+def get_ssm_parameter(key):
+    client = boto3.client("ssm", region_name="eu-west-2")
+    ssm_response = client.get_parameter(Name=key, WithDecryption=True)
+    return ssm_response
+
+
+def decode_token(jwt_class, token, key):
+    return jwt_class.decode(token, key, algorithms=["RS256"])
+
+
 def remove_session_from_dynamo_db(session_id):
     logger.info(f"Session to be removed: {session_id}")
     dynamodb_name = os.environ["AUTH_DYNAMODB_NAME"]
     dynamodb_service = DynamoDBService()
     dynamodb_service.delete_item(
         key={"NDRSessionId": session_id}, table_name=dynamodb_name
-    )
+    )
\ No newline at end of file
diff --git a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
index 3a378be30..67013e83f 100644
--- a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
+++ b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
@@ -1,20 +1,28 @@
 from botocore.exceptions import ClientError
+import pytest
 from handlers.back_channel_logout_handler import lambda_handler
-from jwt.exceptions import PyJWTError
+from lambdas.services.oidc_service import OidcService
+from lambdas.utils.exceptions import AuthorisationException
 from tests.unit.helpers.ssm_responses import \
     MOCK_SINGLE_SECURE_STRING_PARAMETER_RESPONSE
 from utils.lambda_response import ApiGatewayResponse
 
-
-def test_back_channel_logout_handler_valid_jwt_returns_200_if_session_exists(mocker, monkeypatch):
+@pytest.fixture
+def mock_oidc_service(mocker):
+    mocker.patch.object(
+        OidcService, 
+        "__init__", 
+        return_value = None)
+    mock_oidc_service = mocker.patch.object(
+        OidcService, 
+        "validate_and_decode_token")
+    yield mock_oidc_service
+
+def test_back_channel_logout_handler_valid_jwt_returns_200_if_session_exists(mocker, mock_oidc_service):
     mock_token = "mock_token"
     mock_session_id = "mock_session_id"
     mock_decoded_token = {"sid": mock_session_id}
-    mock_token_validator = mocker.patch("jwt.decode", return_value=mock_decoded_token)
-    mock_ssm_service = mocker.patch(
-        "handlers.back_channel_logout_handler.get_ssm_parameter", 
-        return_value=MOCK_SINGLE_SECURE_STRING_PARAMETER_RESPONSE,
-    )
+    mock_oidc_service.return_value = mock_decoded_token
     mock_dynamo_service = mocker.patch(
         "handlers.back_channel_logout_handler.remove_session_from_dynamo_db"
     )
@@ -24,48 +32,52 @@ def test_back_channel_logout_handler_valid_jwt_returns_200_if_session_exists(moc
     actual = lambda_handler(build_event_from_token(mock_token), None)
 
     assert expected == actual
-    mock_token_validator.asset_called_with(mock_token)
+    mock_oidc_service.asset_called_with(mock_token)
     mock_dynamo_service.assert_called_with(mock_session_id)
-    mock_ssm_service.assert_called_once_with("SSM_PARAM_CIS2_BCL_PUBLIC_KEY")
 
 
-def test_back_channel_logout_handler_jwt_without_session_id_returns_400(mocker):
+def test_back_channel_logout_handler_jwt_without_session_id_returns_400(mock_oidc_service):
     mock_token = "mock_token"
-    mock_token_validator = mocker.patch(
-        "jwt.decode",
-        return_value={"token_decode_correctly": "but_no_session_id_in_content"},
-    )
-    mock_ssm_service = mocker.patch(
-        "handlers.back_channel_logout_handler.get_ssm_parameter",
-        return_value=MOCK_SINGLE_SECURE_STRING_PARAMETER_RESPONSE,
-    )
+    mock_session_id = "mock_session_id"
+    mock_decoded_token = {"not_an_sid": mock_session_id}
+    mock_oidc_service.return_value = mock_decoded_token
 
     expected = ApiGatewayResponse(
-        400,  """{ "error":"Invalid x-auth header"}""", "GET"
+        400,  """{ "error":"No sid field in decoded token"}""", "GET"
     ).create_api_gateway_response()
 
     actual = lambda_handler(build_event_from_token(mock_token), None)
 
     assert expected == actual
-    mock_token_validator.asset_called_with(mock_token)
-    mock_ssm_service.assert_called_once()
+    mock_oidc_service.asset_called_with(mock_token)
 
 
-def test_back_channel_logout_handler_boto_error_returns_400(mocker):
+def test_back_channel_logout_handler_invalid_jwt_returns_400(mock_oidc_service):
+    mock_token = "mock_token"
+    mock_session_id = "mock_session_id"
+    mock_oidc_service.side_effect=AuthorisationException
+
+    expected = ApiGatewayResponse(
+        400,  """{ "error":"JWT was invalid"}""", "GET"
+    ).create_api_gateway_response()
+
+    actual = lambda_handler(build_event_from_token(mock_token), None)
+
+    assert expected == actual
+    mock_oidc_service.asset_called_with(mock_token)
+
+
+def test_back_channel_logout_handler_boto_error_returns_400(mocker, mock_oidc_service):
     mock_token = "mock_token"
     mock_session_id = "mock_session_id"
     mock_decoded_token = {"sid": mock_session_id}
-    mock_token_validator = mocker.patch("jwt.decode", return_value=mock_decoded_token)
+    mock_oidc_service.return_value = mock_decoded_token
     mock_dynamo_service = mocker.patch(
         "handlers.back_channel_logout_handler.remove_session_from_dynamo_db",
         side_effect=ClientError(
             {"Error": {"Code": "500", "Message": "mocked error"}}, "test"
         ),
     )
-    mock_ssm_service = mocker.patch(
-        "handlers.back_channel_logout_handler.get_ssm_parameter",
-        return_value=MOCK_SINGLE_SECURE_STRING_PARAMETER_RESPONSE,
-    )
 
     expected = ApiGatewayResponse(
         400, """{ "error":"Internal error logging user out"}""", "GET"
@@ -74,10 +86,9 @@ def test_back_channel_logout_handler_boto_error_returns_400(mocker):
     actual = lambda_handler(build_event_from_token(mock_token), None)
 
     assert expected == actual
-    mock_token_validator.asset_called_with(mock_token)
+    mock_oidc_service.asset_called_with(mock_token)
     mock_dynamo_service.assert_called_with(mock_session_id)
-    mock_ssm_service.assert_called_once()
 
 
 def build_event_from_token(token: str) -> dict:
-    return {"headers": {"x-auth": token}}
+    return {"body": {"logout_token": token}}
diff --git a/lambdas/tests/unit/handlers/test_logout_handler.py b/lambdas/tests/unit/handlers/test_logout_handler.py
index bf32e75d2..1729bce2b 100644
--- a/lambdas/tests/unit/handlers/test_logout_handler.py
+++ b/lambdas/tests/unit/handlers/test_logout_handler.py
@@ -6,10 +6,11 @@
 from utils.lambda_response import ApiGatewayResponse
 
 
-def test_logout_handler_valid_jwt_returns_200(mocker):
+def test_logout_handler_valid_jwt_returns_200(mocker, monkeypatch):
     mock_token = "mock_token"
     mock_session_id = "mock_session_id"
     mock_decoded_token = {"ndr_session_id": mock_session_id}
+    monkeypatch.setenv("SSM_PARAM_JWT_TOKEN_PUBLIC_KEY", "mock_public_key")
     mock_token_validator = mocker.patch("jwt.decode", return_value=mock_decoded_token)
     mock_dynamo_service = mocker.patch(
         "handlers.logout_handler.remove_session_from_dynamo_db"
@@ -29,8 +30,9 @@ def test_logout_handler_valid_jwt_returns_200(mocker):
     mock_ssm_service.assert_called_once()
 
 
-def test_logout_handler_invalid_jwt_returns_400(mocker):
+def test_logout_handler_invalid_jwt_returns_400(mocker, monkeypatch):
     mock_token = "mock_token"
+    monkeypatch.setenv("SSM_PARAM_JWT_TOKEN_PUBLIC_KEY", "mock_public_key")
     mock_token_validator = mocker.patch("jwt.decode", side_effect=PyJWTError())
     mock_ssm_service = mocker.patch(
         "handlers.logout_handler.get_ssm_parameter",
@@ -48,8 +50,9 @@ def test_logout_handler_invalid_jwt_returns_400(mocker):
     mock_ssm_service.assert_called_once()
 
 
-def test_logout_handler_jwt_without_ndr_session_id_returns_400(mocker):
+def test_logout_handler_jwt_without_ndr_session_id_returns_400(mocker, monkeypatch):
     mock_token = "mock_token"
+    monkeypatch.setenv("SSM_PARAM_JWT_TOKEN_PUBLIC_KEY", "mock_public_key")
     mock_token_validator = mocker.patch(
         "jwt.decode",
         return_value={"token_decode_correctly": "but_no_ndr_session_id_in_content"},
@@ -70,10 +73,11 @@ def test_logout_handler_jwt_without_ndr_session_id_returns_400(mocker):
     mock_ssm_service.assert_called_once()
 
 
-def test_logout_handler_boto_error_returns_500(mocker):
+def test_logout_handler_boto_error_returns_500(mocker, monkeypatch):
     mock_token = "mock_token"
     mock_session_id = "mock_session_id"
     mock_decoded_token = {"ndr_session_id": mock_session_id}
+    monkeypatch.setenv("SSM_PARAM_JWT_TOKEN_PUBLIC_KEY", "mock_public_key")
     mock_token_validator = mocker.patch("jwt.decode", return_value=mock_decoded_token)
     mock_dynamo_service = mocker.patch(
         "handlers.logout_handler.remove_session_from_dynamo_db",
@@ -99,4 +103,4 @@ def test_logout_handler_boto_error_returns_500(mocker):
 
 
 def build_event_from_token(token: str) -> dict:
-    return {"headers": {"x-auth": token}}
+    return {"headers": {"x-auth": token}}
\ No newline at end of file

From 6c76d6c7c96d30033b49af86d174c7e62ec5af55 Mon Sep 17 00:00:00 2001
From: Richard Smith <richard.smith33@nhs.net>
Date: Wed, 18 Oct 2023 14:58:45 +0100
Subject: [PATCH 06/32] Add new lambda to sandbox deployment workflow

---
 .../lambdas-deploy-feature-to-sandbox.yml     | 64 +++++++++++++++----
 1 file changed, 50 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/lambdas-deploy-feature-to-sandbox.yml b/.github/workflows/lambdas-deploy-feature-to-sandbox.yml
index f5290fc7f..2a09ea775 100644
--- a/.github/workflows/lambdas-deploy-feature-to-sandbox.yml
+++ b/.github/workflows/lambdas-deploy-feature-to-sandbox.yml
@@ -37,9 +37,9 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Make virtual environment
-        run: | 
+        run: |
           make env
-      
+
       - name: Start virtual environment
         run: |
           source ./lambdas/venv/bin/activate
@@ -58,7 +58,7 @@ jobs:
     environment: development
     strategy:
       matrix:
-        python-version: [ "3.11" ]
+        python-version: ["3.11"]
     needs: ["python_lambdas_test"]
 
     steps:
@@ -73,7 +73,7 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Make virtual environment
-        run: | 
+        run: |
           make env
 
       - name: Configure AWS Credentials
@@ -86,21 +86,21 @@ jobs:
       - name: Create release package for Create Document Reference
         run: |
           make lambda_name=create_document_reference_handler zip
-    
+
       - name: Upload Lambda Function for CreateDocRefLambda
         uses: appleboy/lambda-action@master
         with:
           aws_region: ${{ vars.AWS_REGION }}
           function_name: ${{ github.event.inputs.sandboxWorkspace}}_CreateDocRefLambda
           zip_file: package_lambdas_create_document_reference_handler.zip
-        
+
   python_deploy_search_patient_details_lambda:
     runs-on: ubuntu-latest
     environment: development
     strategy:
       matrix:
-        python-version: [ "3.11" ]
-    needs: [ "python_lambdas_test" ]
+        python-version: ["3.11"]
+    needs: ["python_lambdas_test"]
 
     steps:
       - name: Checkout
@@ -140,8 +140,8 @@ jobs:
     environment: development
     strategy:
       matrix:
-        python-version: [ "3.11" ]
-    needs: [ "python_lambdas_test" ]
+        python-version: ["3.11"]
+    needs: ["python_lambdas_test"]
 
     steps:
       - name: Checkout
@@ -254,7 +254,6 @@ jobs:
           function_name: ${{ github.event.inputs.sandboxWorkspace}}_LoginRedirectHandler
           zip_file: package_lambdas_login_redirect_handler.zip
 
-
   python_deploy_authoriser_lambda:
     runs-on: ubuntu-latest
     environment: test
@@ -294,7 +293,6 @@ jobs:
           function_name: ${{ github.event.inputs.sandboxWorkspace}}_AuthoriserLambda
           zip_file: package_lambdas_authoriser_handler.zip
 
-
   python_deploy_token_request_lambda:
     runs-on: ubuntu-latest
     environment: test
@@ -411,7 +409,6 @@ jobs:
           function_name: ${{ github.event.inputs.sandboxWorkspace}}_LloydGeorgeStitchLambda
           zip_file: package_lambdas_lloyd_george_record_stitch_handler.zip
 
-
   python_deploy_bulk_upload_metadata_lambda:
     runs-on: ubuntu-latest
     environment: development
@@ -488,4 +485,43 @@ jobs:
         with:
           aws_region: ${{ vars.AWS_REGION }}
           function_name: ${{ github.event.inputs.sandboxWorkspace}}_BulkUploadLambda
-          zip_file: package_lambdas_bulk_upload_handler.zip
\ No newline at end of file
+          zip_file: package_lambdas_bulk_upload_handler.zip
+
+  python_deploy_back_channel_logout_lambda:
+    runs-on: ubuntu-latest
+    environment: development
+    needs: ["python_lambdas_test"]
+    strategy:
+      matrix:
+        python-version: ["3.11"]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Make virtual environment
+        run: |
+          make env
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          role-skip-session-tagging: true
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Create release package for Bulk Upload Lambda
+        run: |
+          make lambda_name=back_channel_logout zip
+
+      - name: Upload Lambda Function for BackChannelLogout Lambda
+        uses: appleboy/lambda-action@master
+        with:
+          aws_region: ${{ vars.AWS_REGION }}
+          function_name: ${{ github.event.inputs.sandboxWorkspace}}_BackChannelLogoutLambda
+          zip_file: package_lambdas_back_channel_logout.zip

From 4e2d7a7187e8fdd36794e2ed4e49903c36e6deb2 Mon Sep 17 00:00:00 2001
From: Richard Smith <richard.smith33@nhs.net>
Date: Wed, 18 Oct 2023 15:10:32 +0100
Subject: [PATCH 07/32] Correction to file name

---
 .github/workflows/lambdas-deploy-feature-to-sandbox.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/lambdas-deploy-feature-to-sandbox.yml b/.github/workflows/lambdas-deploy-feature-to-sandbox.yml
index 2a09ea775..4a8031d8e 100644
--- a/.github/workflows/lambdas-deploy-feature-to-sandbox.yml
+++ b/.github/workflows/lambdas-deploy-feature-to-sandbox.yml
@@ -515,9 +515,9 @@ jobs:
           role-skip-session-tagging: true
           aws-region: ${{ vars.AWS_REGION }}
 
-      - name: Create release package for Bulk Upload Lambda
+      - name: Create release package for Back Channel Logout Lambda
         run: |
-          make lambda_name=back_channel_logout zip
+          make lambda_name=back_channel_logout_handler zip
 
       - name: Upload Lambda Function for BackChannelLogout Lambda
         uses: appleboy/lambda-action@master

From dc59d5675c06de2f9b1fcafc45354a6c36527d35 Mon Sep 17 00:00:00 2001
From: Richard Smith <richard.smith33@nhs.net>
Date: Wed, 18 Oct 2023 15:22:40 +0100
Subject: [PATCH 08/32] Correction to file name two

---
 .github/workflows/lambdas-deploy-feature-to-sandbox.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/lambdas-deploy-feature-to-sandbox.yml b/.github/workflows/lambdas-deploy-feature-to-sandbox.yml
index 4a8031d8e..797709b7a 100644
--- a/.github/workflows/lambdas-deploy-feature-to-sandbox.yml
+++ b/.github/workflows/lambdas-deploy-feature-to-sandbox.yml
@@ -524,4 +524,4 @@ jobs:
         with:
           aws_region: ${{ vars.AWS_REGION }}
           function_name: ${{ github.event.inputs.sandboxWorkspace}}_BackChannelLogoutLambda
-          zip_file: package_lambdas_back_channel_logout.zip
+          zip_file: package_lambdas_back_channel_logout_handler.zip

From c17617af74b8afb97dc99709e4df8c5f59ffbe74 Mon Sep 17 00:00:00 2001
From: Richard Smith <richard.smith33@nhs.net>
Date: Wed, 18 Oct 2023 15:42:17 +0100
Subject: [PATCH 09/32] Pwease work

---
 .github/workflows/lambdas-deploy-feature-to-sandbox.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/lambdas-deploy-feature-to-sandbox.yml b/.github/workflows/lambdas-deploy-feature-to-sandbox.yml
index 797709b7a..f8b03d365 100644
--- a/.github/workflows/lambdas-deploy-feature-to-sandbox.yml
+++ b/.github/workflows/lambdas-deploy-feature-to-sandbox.yml
@@ -519,9 +519,9 @@ jobs:
         run: |
           make lambda_name=back_channel_logout_handler zip
 
-      - name: Upload Lambda Function for BackChannelLogout Lambda
+      - name: Upload Lambda Function for Back Channel Logout Lambda
         uses: appleboy/lambda-action@master
         with:
           aws_region: ${{ vars.AWS_REGION }}
-          function_name: ${{ github.event.inputs.sandboxWorkspace}}_BackChannelLogoutLambda
+          function_name: ${{ github.event.inputs.sandboxWorkspace}}_BackChannelLogoutHandler
           zip_file: package_lambdas_back_channel_logout_handler.zip

From fe7246199d5a04bf29a7ba255161cbfe50dd8dbc Mon Sep 17 00:00:00 2001
From: Richard Smith <richard.smith33@nhs.net>
Date: Wed, 18 Oct 2023 16:54:16 +0100
Subject: [PATCH 10/32] Deploy new lambda for other workflows

---
 .../full-lambdas-dispatch-deploy.yml          |  65 +++++++---
 .../lambdas-deploy-to-perf-manual.yml         |  79 +++++++++---
 .../lambdas-deploy-to-pre-prod-manual.yml     | 114 ++++++++++++------
 .../lambdas-deploy-to-prod-manual.yml         |  80 ++++++++----
 .../lambdas-deploy-to-test-manual.yml         |  81 +++++++++----
 .github/workflows/lambdas-dev-to-main-ci.yml  |  60 +++++++--
 .../new_base-lambdas-reusable-deploy-all.yml  |  13 ++
 7 files changed, 364 insertions(+), 128 deletions(-)

diff --git a/.github/workflows/full-lambdas-dispatch-deploy.yml b/.github/workflows/full-lambdas-dispatch-deploy.yml
index 47ee5091a..61676a257 100644
--- a/.github/workflows/full-lambdas-dispatch-deploy.yml
+++ b/.github/workflows/full-lambdas-dispatch-deploy.yml
@@ -4,7 +4,6 @@ on:
   repository_dispatch:
     types: lambda-dispatch-deploy
 
-
 permissions:
   pull-requests: write
   id-token: write # This is required for requesting the JWT
@@ -13,8 +12,7 @@ permissions:
 jobs:
   view_action_parameters:
     runs-on: ubuntu-latest
-    steps: 
-    
+    steps:
       - name: Display client passed variables
         run: |
           echo Environement Equals: ${{ github.event.client_payload.environment }}
@@ -37,9 +35,9 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Make virtual environment
-        run: | 
+        run: |
           make env
-      
+
       - name: Start virtual environment
         run: |
           source ./lambdas/venv/bin/activate
@@ -58,7 +56,7 @@ jobs:
     environment: ${{ github.event.client_payload.environment }}
     strategy:
       matrix:
-        python-version: [ "3.11" ]
+        python-version: ["3.11"]
     needs: ["python_lambdas_test"]
 
     steps:
@@ -71,7 +69,7 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Make virtual environment
-        run: | 
+        run: |
           make env
 
       - name: Configure AWS Credentials
@@ -84,21 +82,21 @@ jobs:
       - name: Create release package for Create Document Reference
         run: |
           make lambda_name=create_document_reference_handler zip
-    
+
       - name: Upload Lambda Function for CreateDocRefLambda
         uses: appleboy/lambda-action@master
         with:
           aws_region: ${{ vars.AWS_REGION }}
           function_name: ${{ github.event.client_payload.sandbox }}_CreateDocRefLambda
           zip_file: package_lambdas_create_document_reference_handler.zip
-        
+
   python_deploy_search_patient_details_lambda:
     runs-on: ubuntu-latest
     environment: ${{ github.event.client_payload.environment }}
     strategy:
       matrix:
-        python-version: [ "3.11" ]
-    needs: [ "python_lambdas_test" ]
+        python-version: ["3.11"]
+    needs: ["python_lambdas_test"]
 
     steps:
       - name: Checkout
@@ -138,8 +136,8 @@ jobs:
     environment: ${{ github.event.client_payload.environment }}
     strategy:
       matrix:
-        python-version: [ "3.11" ]
-    needs: [ "python_lambdas_test" ]
+        python-version: ["3.11"]
+    needs: ["python_lambdas_test"]
 
     steps:
       - name: Checkout
@@ -211,4 +209,43 @@ jobs:
         with:
           aws_region: ${{ vars.AWS_REGION }}
           function_name: ${{ github.event.client_payload.sandbox }}_LloydGeorgeStitchLambda
-          zip_file: package_lambdas_lloyd_george_record_stitch_handler.zip
\ No newline at end of file
+          zip_file: package_lambdas_lloyd_george_record_stitch_handler.zip
+
+  python_deploy_back_channel_logout_lambda:
+    runs-on: ubuntu-latest
+    environment: development
+    needs: ["python_lambdas_test"]
+    strategy:
+      matrix:
+        python-version: ["3.11"]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Make virtual environment
+        run: |
+          make env
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          role-skip-session-tagging: true
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Create release package for Back Channel Logout Lambda
+        run: |
+          make lambda_name=back_channel_logout_handler zip
+
+      - name: Upload Lambda Function for Back Channel Logout Lambda
+        uses: appleboy/lambda-action@master
+        with:
+          aws_region: ${{ vars.AWS_REGION }}
+          function_name: ${{ github.event.inputs.sandboxWorkspace}}_BackChannelLogoutHandler
+          zip_file: package_lambdas_back_channel_logout_handler.zip
diff --git a/.github/workflows/lambdas-deploy-to-perf-manual.yml b/.github/workflows/lambdas-deploy-to-perf-manual.yml
index ab183e50a..9aa6c87c9 100644
--- a/.github/workflows/lambdas-deploy-to-perf-manual.yml
+++ b/.github/workflows/lambdas-deploy-to-perf-manual.yml
@@ -28,7 +28,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
         with:
-          fetch-depth: '0'
+          fetch-depth: "0"
           ref: ${{ github.event.inputs.buildBranch}}
 
       - name: Set up Python ${{ matrix.python-version }}
@@ -37,9 +37,9 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Make virtual environement
-        run: | 
+        run: |
           make env
-      
+
       - name: Start virtual environement
         run: |
           source ./lambdas/venv/bin/activate
@@ -60,21 +60,21 @@ jobs:
     strategy:
       matrix:
         python-version: ["3.11"]
-        
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
         with:
-          fetch-depth: '0'
+          fetch-depth: "0"
           ref: ${{ github.event.inputs.buildBranch}}
-      
+
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v4
         with:
           python-version: ${{ matrix.python-version }}
 
       - name: Make virtual environement
-        run: | 
+        run: |
           make env
 
       - name: Configure AWS Credentials
@@ -87,14 +87,14 @@ jobs:
       - name: Create release package for Create Document Reference
         run: |
           make lambda_name=create_document_reference_handler zip
-    
+
       - name: Upload Lambda Function for CreateDocRefLambda
         uses: appleboy/lambda-action@master
         with:
           aws_region: ${{ vars.AWS_REGION }}
           function_name: ${{ vars.BUILD_ENV }}_CreateDocRefLambda
           zip_file: package_lambdas_create_document_reference_handler.zip
-        
+
   python_deploy_search_patient_details_lambda:
     runs-on: ubuntu-latest
     environment: perf
@@ -108,14 +108,14 @@ jobs:
         uses: actions/checkout@v3
         with:
           ref: ${{ github.event.inputs.buildBranch}}
-      
+
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v4
         with:
           python-version: ${{ matrix.python-version }}
 
       - name: Make virtual environement
-        run: | 
+        run: |
           make env
 
       - name: Configure AWS Credentials
@@ -128,7 +128,7 @@ jobs:
       - name: Create release package for Search Patient Details Reference
         run: |
           make lambda_name=search_patient_details_handler zip
-    
+
       - name: Upload Lambda Function for SearchPatientDetailsHandler
         uses: appleboy/lambda-action@master
         with:
@@ -139,7 +139,7 @@ jobs:
   python_deploy_document_reference_search_lambda:
     runs-on: ubuntu-latest
     environment: perf
-    needs: [ "python_lambdas_test" ]
+    needs: ["python_lambdas_test"]
     strategy:
       matrix:
         python-version: ["3.11"]
@@ -176,11 +176,11 @@ jobs:
           aws_region: ${{ vars.AWS_REGION }}
           function_name: ${{ github.event.inputs.sandboxWorkspace}}_SearchDocumentReferencesLambda
           zip_file: package_lambdas_document_reference_search_handler.zip
-        
+
   python_deploy_document_manifest_by_nhs_number_lambda:
     runs-on: ubuntu-latest
     environment: perf
-    needs: [ "python_lambdas_test" ]
+    needs: ["python_lambdas_test"]
     strategy:
       matrix:
         python-version: ["3.11"]
@@ -221,7 +221,7 @@ jobs:
   python_deploy_login_redirect_lambda:
     runs-on: ubuntu-latest
     environment: perf
-    needs: [ "python_lambdas_test" ]
+    needs: ["python_lambdas_test"]
     strategy:
       matrix:
         python-version: ["3.11"]
@@ -262,7 +262,7 @@ jobs:
   python_deploy_authoriser_lambda:
     runs-on: ubuntu-latest
     environment: perf
-    needs: [ "python_lambdas_test" ]
+    needs: ["python_lambdas_test"]
     strategy:
       matrix:
         python-version: ["3.11"]
@@ -303,7 +303,7 @@ jobs:
   python_deploy_token_lambda:
     runs-on: ubuntu-latest
     environment: perf
-    needs: [ "python_lambdas_test" ]
+    needs: ["python_lambdas_test"]
     strategy:
       matrix:
         python-version: ["3.11"]
@@ -344,7 +344,7 @@ jobs:
   python_deploy_logout_handler_lambda:
     runs-on: ubuntu-latest
     environment: perf
-    needs: [ "python_lambdas_test" ]
+    needs: ["python_lambdas_test"]
     strategy:
       matrix:
         python-version: ["3.11"]
@@ -419,4 +419,43 @@ jobs:
         with:
           aws_region: ${{ vars.AWS_REGION }}
           function_name: ${{ github.event.inputs.sandboxWorkspace}}_LloydGeorgeStitchLambda
-          zip_file: package_lambdas_lloyd_george_record_stitch_handler.zip
\ No newline at end of file
+          zip_file: package_lambdas_lloyd_george_record_stitch_handler.zip
+
+  python_deploy_back_channel_logout_lambda:
+    runs-on: ubuntu-latest
+    environment: development
+    needs: ["python_lambdas_test"]
+    strategy:
+      matrix:
+        python-version: ["3.11"]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Make virtual environment
+        run: |
+          make env
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          role-skip-session-tagging: true
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Create release package for Back Channel Logout Lambda
+        run: |
+          make lambda_name=back_channel_logout_handler zip
+
+      - name: Upload Lambda Function for Back Channel Logout Lambda
+        uses: appleboy/lambda-action@master
+        with:
+          aws_region: ${{ vars.AWS_REGION }}
+          function_name: ${{ github.event.inputs.sandboxWorkspace}}_BackChannelLogoutHandler
+          zip_file: package_lambdas_back_channel_logout_handler.zip
diff --git a/.github/workflows/lambdas-deploy-to-pre-prod-manual.yml b/.github/workflows/lambdas-deploy-to-pre-prod-manual.yml
index b9829ee07..a3b4b542e 100644
--- a/.github/workflows/lambdas-deploy-to-pre-prod-manual.yml
+++ b/.github/workflows/lambdas-deploy-to-pre-prod-manual.yml
@@ -9,7 +9,6 @@ permissions:
   contents: read # This is required for actions/checkout
 
 jobs:
-
   tag_and_release:
     runs-on: ubuntu-latest
     environment: pre-prod
@@ -22,29 +21,28 @@ jobs:
     permissions: write-all
 
     steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: main
+          fetch-depth: "0"
 
-    - uses: actions/checkout@v3
-      with:
-        ref: main
-        fetch-depth: '0'
-
-    - name: Bump version and push tag
-      id: versioning
-      uses: anothrNick/github-tag-action@1.64.0
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        WITH_V: false
-        DEFAULT_BUMP: patch
-    
-    - name: View outputs
-      run: |
-        echo Current tag: ${{steps.versioning.outputs.tag}} 
-        echo New tag: ${{steps.versioning.outputs.new_tag}}
+      - name: Bump version and push tag
+        id: versioning
+        uses: anothrNick/github-tag-action@1.64.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          WITH_V: false
+          DEFAULT_BUMP: patch
+
+      - name: View outputs
+        run: |
+          echo Current tag: ${{steps.versioning.outputs.tag}} 
+          echo New tag: ${{steps.versioning.outputs.new_tag}}
 
   python_lambdas_test:
     runs-on: ubuntu-latest
     environment: pre-prod
-    needs: ['tag_and_release']
+    needs: ["tag_and_release"]
     strategy:
       matrix:
         python-version: ["3.11"]
@@ -54,7 +52,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           ref: ${{needs.tag_and_release.outputs.tag}}
-          fetch-depth: '0'
+          fetch-depth: "0"
 
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v4
@@ -64,7 +62,7 @@ jobs:
       - name: Make virtual environement
         run: |
           make env
-      
+
       - name: Start virtual environement
         run: |
           source ./lambdas/venv/bin/activate
@@ -81,7 +79,7 @@ jobs:
   python_deploy_create_document_reference_lambda:
     runs-on: ubuntu-latest
     environment: pre-prod
-    needs: ["python_lambdas_test", 'tag_and_release']
+    needs: ["python_lambdas_test", "tag_and_release"]
     strategy:
       matrix:
         python-version: ["3.11"]
@@ -91,7 +89,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           ref: ${{needs.tag_and_release.outputs.tag}}
-          fetch-depth: '0'
+          fetch-depth: "0"
 
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v4
@@ -101,7 +99,7 @@ jobs:
       - name: Make virtual environment
         run: |
           make env
-          
+
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v2
         with:
@@ -112,14 +110,14 @@ jobs:
       - name: Create release package for Create Document Reference
         run: |
           make lambda_name=create_document_reference_handler zip
-    
+
       - name: Upload Lambda Function for CreateDocRefLambda
         uses: appleboy/lambda-action@master
         with:
           aws_region: ${{ vars.AWS_REGION }}
           function_name: ${{ vars.BUILD_ENV }}_CreateDocRefLambda
           zip_file: package_lambdas_create_document_reference_handler.zip
-   
+
   python_deploy_search_patient_details_lambda:
     runs-on: ubuntu-latest
     environment: pre-prod
@@ -133,7 +131,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           ref: ${{needs.tag_and_release.outputs.tag}}
-          fetch-depth: '0'
+          fetch-depth: "0"
 
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v4
@@ -141,7 +139,7 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Make virtual environement
-        run: | 
+        run: |
           make env
 
       - name: Configure AWS Credentials
@@ -154,7 +152,7 @@ jobs:
       - name: Create release package for Search Patient Details Reference
         run: |
           make lambda_name=search_patient_details_handler zip
-    
+
       - name: Upload Lambda Function for SearchPatientDetailsHandler
         uses: appleboy/lambda-action@master
         with:
@@ -165,7 +163,7 @@ jobs:
   python_deploy_document_reference_search_lambda:
     runs-on: ubuntu-latest
     environment: pre-prod
-    needs: [ "python_lambdas_test" ]
+    needs: ["python_lambdas_test"]
     strategy:
       matrix:
         python-version: ["3.11"]
@@ -206,7 +204,7 @@ jobs:
   python_deploy_document_manifest_by_nhs_number_lambda:
     runs-on: ubuntu-latest
     environment: pre-prod
-    needs: [ "python_lambdas_test" ]
+    needs: ["python_lambdas_test"]
     strategy:
       matrix:
         python-version: ["3.11"]
@@ -244,11 +242,10 @@ jobs:
           function_name: ${{ github.event.inputs.sandboxWorkspace}}_DocumentManifestByNHSNumberLambda
           zip_file: package_lambdas_document_manifest_by_nhs_number_handler.zip
 
-
   python_deploy_login_redirect_lambda:
     runs-on: ubuntu-latest
     environment: pre-prod
-    needs: [ "python_lambdas_test" ]
+    needs: ["python_lambdas_test"]
     strategy:
       matrix:
         python-version: ["3.11"]
@@ -289,7 +286,7 @@ jobs:
   python_deploy_authoriser_lambda:
     runs-on: ubuntu-latest
     environment: pre-prod
-    needs: [ "python_lambdas_test" ]
+    needs: ["python_lambdas_test"]
     strategy:
       matrix:
         python-version: ["3.11"]
@@ -330,7 +327,7 @@ jobs:
   python_deploy_token_lambda:
     runs-on: ubuntu-latest
     environment: pre-prod
-    needs: [ "python_lambdas_test" ]
+    needs: ["python_lambdas_test"]
     strategy:
       matrix:
         python-version: ["3.11"]
@@ -371,7 +368,7 @@ jobs:
   python_deploy_logout_handler_lambda:
     runs-on: ubuntu-latest
     environment: pre-prod
-    needs: [ "python_lambdas_test" ]
+    needs: ["python_lambdas_test"]
     strategy:
       matrix:
         python-version: ["3.11"]
@@ -412,10 +409,10 @@ jobs:
   python_deploy_lloyd_george_record_stitch_lambda:
     runs-on: ubuntu-latest
     environment: development
-    needs: [ "python_lambdas_test" ]
+    needs: ["python_lambdas_test"]
     strategy:
       matrix:
-        python-version: [ "3.11" ]
+        python-version: ["3.11"]
 
     steps:
       - name: Checkout
@@ -448,4 +445,43 @@ jobs:
         with:
           aws_region: ${{ vars.AWS_REGION }}
           function_name: ${{ github.event.inputs.sandboxWorkspace}}_LloydGeorgeStitchLambda
-          zip_file: package_lambdas_lloyd_george_record_stitch_handler.zip
\ No newline at end of file
+          zip_file: package_lambdas_lloyd_george_record_stitch_handler.zip
+
+  python_deploy_back_channel_logout_lambda:
+    runs-on: ubuntu-latest
+    environment: development
+    needs: ["python_lambdas_test"]
+    strategy:
+      matrix:
+        python-version: ["3.11"]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Make virtual environment
+        run: |
+          make env
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          role-skip-session-tagging: true
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Create release package for Back Channel Logout Lambda
+        run: |
+          make lambda_name=back_channel_logout_handler zip
+
+      - name: Upload Lambda Function for Back Channel Logout Lambda
+        uses: appleboy/lambda-action@master
+        with:
+          aws_region: ${{ vars.AWS_REGION }}
+          function_name: ${{ github.event.inputs.sandboxWorkspace}}_BackChannelLogoutHandler
+          zip_file: package_lambdas_back_channel_logout_handler.zip
diff --git a/.github/workflows/lambdas-deploy-to-prod-manual.yml b/.github/workflows/lambdas-deploy-to-prod-manual.yml
index f0d5f491b..5cdf8ff91 100644
--- a/.github/workflows/lambdas-deploy-to-prod-manual.yml
+++ b/.github/workflows/lambdas-deploy-to-prod-manual.yml
@@ -26,7 +26,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           ref: ${{ github.event.inputs.tagVersion}}
-          fetch-depth: '0'
+          fetch-depth: "0"
 
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v4
@@ -34,9 +34,9 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Make virtual environement
-        run: | 
+        run: |
           make env
-      
+
       - name: Start virtual environement
         run: |
           source ./lambdas/venv/bin/activate
@@ -63,7 +63,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           ref: ${{ github.event.inputs.tagVersion}}
-          fetch-depth: '0'
+          fetch-depth: "0"
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v2
@@ -76,15 +76,15 @@ jobs:
         uses: actions/setup-python@v4
         with:
           python-version: ${{ matrix.python-version }}
-        
+
       - name: Make virtual environement
-        run: | 
+        run: |
           make env
 
       - name: Create release package for Create Document Reference
         run: |
           make lambda_name=create_document_reference_handler zip
-    
+
       - name: Upload Lambda Function for CreateDocRefLambda
         uses: appleboy/lambda-action@master
         with:
@@ -105,7 +105,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           ref: ${{ github.event.inputs.tagVersion}}
-          fetch-depth: '0'
+          fetch-depth: "0"
 
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v4
@@ -113,9 +113,9 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Make virtual environement
-        run: | 
+        run: |
           make env
-          
+
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v2
         with:
@@ -126,7 +126,7 @@ jobs:
       - name: Create release package for Create Document Reference
         run: |
           make lambda_name=search_patient_details_handler zip
-    
+
       - name: Upload Lambda Function for SearchPatientDetailsHandler
         uses: appleboy/lambda-action@master
         with:
@@ -137,7 +137,7 @@ jobs:
   python_deploy_document_reference_search_lambda:
     runs-on: ubuntu-latest
     environment: prod
-    needs: [ "python_lambdas_test" ]
+    needs: ["python_lambdas_test"]
     strategy:
       matrix:
         python-version: ["3.11"]
@@ -178,7 +178,7 @@ jobs:
   python_deploy_document_manifest_by_nhs_number_lambda:
     runs-on: ubuntu-latest
     environment: prod
-    needs: [ "python_lambdas_test" ]
+    needs: ["python_lambdas_test"]
     strategy:
       matrix:
         python-version: ["3.11"]
@@ -219,7 +219,7 @@ jobs:
   python_deploy_login_redirect_lambda:
     runs-on: ubuntu-latest
     environment: prod
-    needs: [ "python_lambdas_test" ]
+    needs: ["python_lambdas_test"]
     strategy:
       matrix:
         python-version: ["3.11"]
@@ -257,11 +257,10 @@ jobs:
           function_name: ${{ github.event.inputs.sandboxWorkspace}}_LoginRedirectHandler
           zip_file: package_lambdas_login_redirect_handler.zip
 
-
   python_deploy_authoriser_lambda:
     runs-on: ubuntu-latest
     environment: prod
-    needs: [ "python_lambdas_test" ]
+    needs: ["python_lambdas_test"]
     strategy:
       matrix:
         python-version: ["3.11"]
@@ -302,10 +301,10 @@ jobs:
   python_deploy_token_lambda:
     runs-on: ubuntu-latest
     environment: prod
-    needs: [ "python_lambdas_test" ]
+    needs: ["python_lambdas_test"]
     strategy:
       matrix:
-        python-version: [ "3.11" ]
+        python-version: ["3.11"]
 
     steps:
       - name: Checkout
@@ -343,10 +342,10 @@ jobs:
   python_deploy_logout_handler_lambda:
     runs-on: ubuntu-latest
     environment: prod
-    needs: [ "python_lambdas_test" ]
+    needs: ["python_lambdas_test"]
     strategy:
       matrix:
-        python-version: [ "3.11" ]
+        python-version: ["3.11"]
 
     steps:
       - name: Checkout
@@ -420,4 +419,43 @@ jobs:
         with:
           aws_region: ${{ vars.AWS_REGION }}
           function_name: ${{ github.event.inputs.sandboxWorkspace}}_LloydGeorgeStitchLambda
-          zip_file: package_lambdas_lloyd_george_record_stitch_handler.zip
\ No newline at end of file
+          zip_file: package_lambdas_lloyd_george_record_stitch_handler.zip
+
+  python_deploy_back_channel_logout_lambda:
+    runs-on: ubuntu-latest
+    environment: development
+    needs: ["python_lambdas_test"]
+    strategy:
+      matrix:
+        python-version: ["3.11"]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Make virtual environment
+        run: |
+          make env
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          role-skip-session-tagging: true
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Create release package for Back Channel Logout Lambda
+        run: |
+          make lambda_name=back_channel_logout_handler zip
+
+      - name: Upload Lambda Function for Back Channel Logout Lambda
+        uses: appleboy/lambda-action@master
+        with:
+          aws_region: ${{ vars.AWS_REGION }}
+          function_name: ${{ github.event.inputs.sandboxWorkspace}}_BackChannelLogoutHandler
+          zip_file: package_lambdas_back_channel_logout_handler.zip
diff --git a/.github/workflows/lambdas-deploy-to-test-manual.yml b/.github/workflows/lambdas-deploy-to-test-manual.yml
index f83a45079..b79f8eea4 100644
--- a/.github/workflows/lambdas-deploy-to-test-manual.yml
+++ b/.github/workflows/lambdas-deploy-to-test-manual.yml
@@ -33,9 +33,9 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Make virtual environement
-        run: | 
+        run: |
           make env
-      
+
       - name: Start virtual environement
         run: |
           source ./lambdas/venv/bin/activate
@@ -69,7 +69,7 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Make virtual environement
-        run: | 
+        run: |
           make env
 
       - name: Configure AWS Credentials
@@ -82,7 +82,7 @@ jobs:
       - name: Create release package for Create Document Reference
         run: |
           make lambda_name=create_document_reference_handler zip
-    
+
       - name: Upload Lambda Function for CreateDocRefLambda
         uses: appleboy/lambda-action@master
         with:
@@ -110,7 +110,7 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Make virtual environement
-        run: | 
+        run: |
           make env
 
       - name: Configure AWS Credentials
@@ -123,7 +123,7 @@ jobs:
       - name: Create release package for Search Patient Details Reference
         run: |
           make lambda_name=search_patient_details_handler zip
-    
+
       - name: Upload Lambda Function for SearchPatientDetailsHandler
         uses: appleboy/lambda-action@master
         with:
@@ -134,11 +134,11 @@ jobs:
   python_deploy_document_reference_search_lambda:
     runs-on: ubuntu-latest
     environment: test
-    needs: [ "python_lambdas_test" ]
+    needs: ["python_lambdas_test"]
     strategy:
       matrix:
         python-version: ["3.11"]
-        
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -151,7 +151,7 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Make virtual environement
-        run: | 
+        run: |
           make env
 
       - name: Configure AWS Credentials
@@ -175,11 +175,11 @@ jobs:
   python_deploy_document_manifest_by_nhs_number_lambda:
     runs-on: ubuntu-latest
     environment: test
-    needs: [ "python_lambdas_test" ]
+    needs: ["python_lambdas_test"]
     strategy:
       matrix:
         python-version: ["3.11"]
-        
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -192,7 +192,7 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Make virtual environement
-        run: | 
+        run: |
           make env
 
       - name: Configure AWS Credentials
@@ -216,7 +216,7 @@ jobs:
   python_deploy_login_redirect_lambda:
     runs-on: ubuntu-latest
     environment: test
-    needs: [ "python_lambdas_test" ]
+    needs: ["python_lambdas_test"]
     strategy:
       matrix:
         python-version: ["3.11"]
@@ -233,7 +233,7 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Make virtual environement
-        run: | 
+        run: |
           make env
 
       - name: Configure AWS Credentials
@@ -257,10 +257,10 @@ jobs:
   python_deploy_authoriser_lambda:
     runs-on: ubuntu-latest
     environment: test
-    needs: [ "python_lambdas_test" ]
+    needs: ["python_lambdas_test"]
     strategy:
       matrix:
-        python-version: [ "3.11" ]
+        python-version: ["3.11"]
 
     steps:
       - name: Checkout
@@ -298,10 +298,10 @@ jobs:
   python_deploy_token_lambda:
     runs-on: ubuntu-latest
     environment: test
-    needs: [ "python_lambdas_test" ]
+    needs: ["python_lambdas_test"]
     strategy:
       matrix:
-        python-version: [ "3.11" ]
+        python-version: ["3.11"]
 
     steps:
       - name: Checkout
@@ -339,10 +339,10 @@ jobs:
   python_deploy_logout_handler_lambda:
     runs-on: ubuntu-latest
     environment: test
-    needs: [ "python_lambdas_test" ]
+    needs: ["python_lambdas_test"]
     strategy:
       matrix:
-        python-version: [ "3.11" ]
+        python-version: ["3.11"]
 
     steps:
       - name: Checkout
@@ -498,4 +498,43 @@ jobs:
         with:
           aws_region: ${{ vars.AWS_REGION }}
           function_name: ${{ vars.BUILD_ENV}}_BulkUpload Lambda
-          zip_file: package_lambdas_bulk_upload_handler.zip
\ No newline at end of file
+          zip_file: package_lambdas_bulk_upload_handler.zip
+
+  python_deploy_back_channel_logout_lambda:
+    runs-on: ubuntu-latest
+    environment: development
+    needs: ["python_lambdas_test"]
+    strategy:
+      matrix:
+        python-version: ["3.11"]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Make virtual environment
+        run: |
+          make env
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          role-skip-session-tagging: true
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Create release package for Back Channel Logout Lambda
+        run: |
+          make lambda_name=back_channel_logout_handler zip
+
+      - name: Upload Lambda Function for Back Channel Logout Lambda
+        uses: appleboy/lambda-action@master
+        with:
+          aws_region: ${{ vars.AWS_REGION }}
+          function_name: ${{ github.event.inputs.sandboxWorkspace}}_BackChannelLogoutHandler
+          zip_file: package_lambdas_back_channel_logout_handler.zip
diff --git a/.github/workflows/lambdas-dev-to-main-ci.yml b/.github/workflows/lambdas-dev-to-main-ci.yml
index 174d6cc86..f8fcb1654 100644
--- a/.github/workflows/lambdas-dev-to-main-ci.yml
+++ b/.github/workflows/lambdas-dev-to-main-ci.yml
@@ -73,9 +73,6 @@ jobs:
               - 'lambdas/handlers/lloyd_george_record_stitch_handler.py'
             bulk_upload_metadata:
               - 'lambdas/handlers/bulk_upload_metadata_handler.py'
-            
-  
-  
 
   python_lambdas_test:
     runs-on: ubuntu-latest
@@ -209,7 +206,7 @@ jobs:
   python_deploy_document_reference_search_lambda:
     runs-on: ubuntu-latest
     environment: development
-    needs: [ "python_lambdas_test", "identify_changed_functions" ]
+    needs: ["python_lambdas_test", "identify_changed_functions"]
     if: |
       (github.ref == 'refs/heads/main') 
         && (needs.identify_changed_functions.outputs.utils_changed == 'true'
@@ -256,7 +253,7 @@ jobs:
   python_deploy_document_manifest_by_nhs_number_lambda:
     runs-on: ubuntu-latest
     environment: development
-    needs: [ "python_lambdas_test", "identify_changed_functions" ]
+    needs: ["python_lambdas_test", "identify_changed_functions"]
     if: |
       (github.ref == 'refs/heads/main') 
         && (needs.identify_changed_functions.outputs.utils_changed == 'true'
@@ -300,11 +297,10 @@ jobs:
           function_name: ${{ vars.BUILD_ENV }}_DocumentManifestByNHSNumberLambda
           zip_file: package_lambdas_document_manifest_by_nhs_number_handler.zip
 
-
   python_deploy_login_redirect_lambda:
     runs-on: ubuntu-latest
     environment: development
-    needs: [ "python_lambdas_test", "identify_changed_functions" ]
+    needs: ["python_lambdas_test", "identify_changed_functions"]
     if: |
       (github.ref == 'refs/heads/main') 
         && (needs.identify_changed_functions.outputs.utils_changed == 'true'
@@ -351,7 +347,7 @@ jobs:
   python_deploy_authoriser_lambda:
     runs-on: ubuntu-latest
     environment: development
-    needs: [ "python_lambdas_test", "identify_changed_functions" ]
+    needs: ["python_lambdas_test", "identify_changed_functions"]
     if: |
       (github.ref == 'refs/heads/main') 
         && (needs.identify_changed_functions.outputs.utils_changed == 'true'
@@ -398,7 +394,7 @@ jobs:
   python_deploy_token_lambda:
     runs-on: ubuntu-latest
     environment: development
-    needs: [ "python_lambdas_test", "identify_changed_functions" ]
+    needs: ["python_lambdas_test", "identify_changed_functions"]
     if: |
       (github.ref == 'refs/heads/main') 
         && (needs.identify_changed_functions.outputs.utils_changed == 'true'
@@ -445,7 +441,7 @@ jobs:
   python_deploy_logout_handler_lambda:
     runs-on: ubuntu-latest
     environment: development
-    needs: [ "python_lambdas_test", "identify_changed_functions" ]
+    needs: ["python_lambdas_test", "identify_changed_functions"]
     if: |
       (github.ref == 'refs/heads/main') 
         && (needs.identify_changed_functions.outputs.utils_changed == 'true'
@@ -489,11 +485,10 @@ jobs:
           function_name: ${{ vars.BUILD_ENV }}_LogoutHandler
           zip_file: package_lambdas_logout_handler.zip
 
-
   python_deploy_lloyd_george_record_stitch_lambda:
     runs-on: ubuntu-latest
     environment: development
-    needs: [ "python_lambdas_test", "identify_changed_functions" ]
+    needs: ["python_lambdas_test", "identify_changed_functions"]
     if: |
       (github.ref == 'refs/heads/main') 
         && (needs.identify_changed_functions.outputs.utils_changed == 'true'
@@ -540,7 +535,7 @@ jobs:
   python_deploy_bulk_upload_metadata_lambda:
     runs-on: ubuntu-latest
     environment: development
-    needs: [ "python_lambdas_test", "identify_changed_functions" ]
+    needs: ["python_lambdas_test", "identify_changed_functions"]
     if: |
       (github.ref == 'refs/heads/main') 
         && (needs.identify_changed_functions.outputs.utils_changed == 'true'
@@ -583,3 +578,42 @@ jobs:
           aws_region: ${{ vars.AWS_REGION }}
           function_name: ${{ vars.BUILD_ENV}}_BulkUploadMetadataLambda
           zip_file: package_lambdas_bulk_upload_metadata_handler.zip
+
+  python_deploy_back_channel_logout_lambda:
+    runs-on: ubuntu-latest
+    environment: development
+    needs: ["python_lambdas_test"]
+    strategy:
+      matrix:
+        python-version: ["3.11"]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Make virtual environment
+        run: |
+          make env
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          role-skip-session-tagging: true
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Create release package for Back Channel Logout Lambda
+        run: |
+          make lambda_name=back_channel_logout_handler zip
+
+      - name: Upload Lambda Function for Back Channel Logout Lambda
+        uses: appleboy/lambda-action@master
+        with:
+          aws_region: ${{ vars.AWS_REGION }}
+          function_name: ${{ github.event.inputs.sandboxWorkspace}}_BackChannelLogoutHandler
+          zip_file: package_lambdas_back_channel_logout_handler.zip
diff --git a/.github/workflows/new_base-lambdas-reusable-deploy-all.yml b/.github/workflows/new_base-lambdas-reusable-deploy-all.yml
index 322d77b04..291be17ef 100644
--- a/.github/workflows/new_base-lambdas-reusable-deploy-all.yml
+++ b/.github/workflows/new_base-lambdas-reusable-deploy-all.yml
@@ -115,5 +115,18 @@ jobs:
       sandbox: ${{ inputs.sandbox }}
       lambda_handler_name: bulk_upload_handler
       lambda_aws_name: BulkUploadLambda
+    secrets:
+      AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
+
+  deploy_bulk_upload_lambda:
+    name: Deploy back_channel_logout_lambda
+    uses: ./.github/workflows/new_base-lambdas-reusable-deploy.yml
+    with:
+      environment: ${{ inputs.environment}}
+      python_version: ${{ inputs.python_version }}
+      build_branch: ${{ inputs.build_branch}}
+      sandbox: ${{ inputs.sandbox }}
+      lambda_handler_name: back_channel_logout_handler
+      lambda_aws_name: BackChannelLogoutHandler
     secrets:
       AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
\ No newline at end of file

From f99967bc948d3fb95cdb807501620cba75fe64aa Mon Sep 17 00:00:00 2001
From: Richard Smith <richard.smith33@nhs.net>
Date: Wed, 18 Oct 2023 17:00:32 +0100
Subject: [PATCH 11/32] Alter imports on BCL handler

---
 lambdas/handlers/back_channel_logout_handler.py              | 5 ++---
 .../tests/unit/handlers/test_back_channel_logout_handler.py  | 4 ++--
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/lambdas/handlers/back_channel_logout_handler.py b/lambdas/handlers/back_channel_logout_handler.py
index cf5e9d710..b11163024 100644
--- a/lambdas/handlers/back_channel_logout_handler.py
+++ b/lambdas/handlers/back_channel_logout_handler.py
@@ -1,9 +1,8 @@
 import logging
 import os
-import jwt
 from botocore.exceptions import ClientError
-from lambdas.services.oidc_service import OidcService
-from lambdas.utils.exceptions import AuthorisationException
+from services.oidc_service import OidcService
+from utils.exceptions import AuthorisationException
 from services.dynamo_service import DynamoDBService
 from utils.lambda_response import ApiGatewayResponse
 
diff --git a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
index 67013e83f..850826ddb 100644
--- a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
+++ b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
@@ -1,8 +1,8 @@
 from botocore.exceptions import ClientError
 import pytest
 from handlers.back_channel_logout_handler import lambda_handler
-from lambdas.services.oidc_service import OidcService
-from lambdas.utils.exceptions import AuthorisationException
+from services.oidc_service import OidcService
+from utils.exceptions import AuthorisationException
 from tests.unit.helpers.ssm_responses import \
     MOCK_SINGLE_SECURE_STRING_PARAMETER_RESPONSE
 from utils.lambda_response import ApiGatewayResponse

From 93ffe899e340d74ae55440eeea1f8884d5f26cb6 Mon Sep 17 00:00:00 2001
From: Richard Smith <richard.smith33@nhs.net>
Date: Thu, 19 Oct 2023 11:17:50 +0100
Subject: [PATCH 12/32] Extract request body before looking for token

---
 .../handlers/back_channel_logout_handler.py   |   4 +-
 .../test_back_channel_logout_handler.py       | 110 +++++++++---------
 2 files changed, 59 insertions(+), 55 deletions(-)

diff --git a/lambdas/handlers/back_channel_logout_handler.py b/lambdas/handlers/back_channel_logout_handler.py
index b11163024..2f06ac754 100644
--- a/lambdas/handlers/back_channel_logout_handler.py
+++ b/lambdas/handlers/back_channel_logout_handler.py
@@ -1,3 +1,4 @@
+import json
 import logging
 import os
 from botocore.exceptions import ClientError
@@ -12,7 +13,8 @@
 
 
 def lambda_handler(event, context):
-    token = event["body"]["logout_token"]
+    body = json.loads(event["body"])
+    token = body["logout_token"]
     return logout_handler(token)
 
 
diff --git a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
index 850826ddb..1f9d53fcf 100644
--- a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
+++ b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
@@ -1,3 +1,4 @@
+import json
 from botocore.exceptions import ClientError
 import pytest
 from handlers.back_channel_logout_handler import lambda_handler
@@ -18,77 +19,78 @@ def mock_oidc_service(mocker):
         "validate_and_decode_token")
     yield mock_oidc_service
 
-def test_back_channel_logout_handler_valid_jwt_returns_200_if_session_exists(mocker, mock_oidc_service):
-    mock_token = "mock_token"
-    mock_session_id = "mock_session_id"
-    mock_decoded_token = {"sid": mock_session_id}
-    mock_oidc_service.return_value = mock_decoded_token
-    mock_dynamo_service = mocker.patch(
-        "handlers.back_channel_logout_handler.remove_session_from_dynamo_db"
-    )
+# def test_back_channel_logout_handler_valid_jwt_returns_200_if_session_exists(mocker, mock_oidc_service):
+#     mock_token = json.dumps("mock_token")
+#     mock_request = "logout_token=" + mock_token
+#     mock_session_id = "mock_session_id"
+#     mock_decoded_token = {"sid": mock_session_id}
+#     mock_oidc_service.return_value = mock_decoded_token
+#     mock_dynamo_service = mocker.patch(
+#         "handlers.back_channel_logout_handler.remove_session_from_dynamo_db"
+#     )
 
-    expected = ApiGatewayResponse(200, "", "GET").create_api_gateway_response()
+#     expected = ApiGatewayResponse(200, "", "GET").create_api_gateway_response()
 
-    actual = lambda_handler(build_event_from_token(mock_token), None)
+#     actual = lambda_handler(build_event_from_token(mock_request), None)
 
-    assert expected == actual
-    mock_oidc_service.asset_called_with(mock_token)
-    mock_dynamo_service.assert_called_with(mock_session_id)
+#     assert expected == actual
+#     mock_oidc_service.asset_called_with(mock_token)
+#     mock_dynamo_service.assert_called_with(mock_session_id)
 
 
-def test_back_channel_logout_handler_jwt_without_session_id_returns_400(mock_oidc_service):
-    mock_token = "mock_token"
-    mock_session_id = "mock_session_id"
-    mock_decoded_token = {"not_an_sid": mock_session_id}
-    mock_oidc_service.return_value = mock_decoded_token
+# def test_back_channel_logout_handler_jwt_without_session_id_returns_400(mock_oidc_service):
+#     mock_token = "mock_token"
+#     mock_session_id = "mock_session_id"
+#     mock_decoded_token = {"not_an_sid": mock_session_id}
+#     mock_oidc_service.return_value = mock_decoded_token
 
-    expected = ApiGatewayResponse(
-        400,  """{ "error":"No sid field in decoded token"}""", "GET"
-    ).create_api_gateway_response()
+#     expected = ApiGatewayResponse(
+#         400,  """{ "error":"No sid field in decoded token"}""", "GET"
+#     ).create_api_gateway_response()
 
-    actual = lambda_handler(build_event_from_token(mock_token), None)
+#     actual = lambda_handler(build_event_from_token(mock_token), None)
 
-    assert expected == actual
-    mock_oidc_service.asset_called_with(mock_token)
+#     assert expected == actual
+#     mock_oidc_service.asset_called_with(mock_token)
 
 
-def test_back_channel_logout_handler_invalid_jwt_returns_400(mock_oidc_service):
-    mock_token = "mock_token"
-    mock_session_id = "mock_session_id"
-    mock_oidc_service.side_effect=AuthorisationException
+# def test_back_channel_logout_handler_invalid_jwt_returns_400(mock_oidc_service):
+#     mock_token = "mock_token"
+#     mock_session_id = "mock_session_id"
+#     mock_oidc_service.side_effect=AuthorisationException
 
-    expected = ApiGatewayResponse(
-        400,  """{ "error":"JWT was invalid"}""", "GET"
-    ).create_api_gateway_response()
+#     expected = ApiGatewayResponse(
+#         400,  """{ "error":"JWT was invalid"}""", "GET"
+#     ).create_api_gateway_response()
 
-    actual = lambda_handler(build_event_from_token(mock_token), None)
+#     actual = lambda_handler(build_event_from_token(mock_token), None)
 
-    assert expected == actual
-    mock_oidc_service.asset_called_with(mock_token)
+#     assert expected == actual
+#     mock_oidc_service.asset_called_with(mock_token)
 
 
-def test_back_channel_logout_handler_boto_error_returns_400(mocker, mock_oidc_service):
-    mock_token = "mock_token"
-    mock_session_id = "mock_session_id"
-    mock_decoded_token = {"sid": mock_session_id}
-    mock_oidc_service.return_value = mock_decoded_token
-    mock_dynamo_service = mocker.patch(
-        "handlers.back_channel_logout_handler.remove_session_from_dynamo_db",
-        side_effect=ClientError(
-            {"Error": {"Code": "500", "Message": "mocked error"}}, "test"
-        ),
-    )
+# def test_back_channel_logout_handler_boto_error_returns_400(mocker, mock_oidc_service):
+#     mock_token = "mock_token"
+#     mock_session_id = "mock_session_id"
+#     mock_decoded_token = {"sid": mock_session_id}
+#     mock_oidc_service.return_value = mock_decoded_token
+#     mock_dynamo_service = mocker.patch(
+#         "handlers.back_channel_logout_handler.remove_session_from_dynamo_db",
+#         side_effect=ClientError(
+#             {"Error": {"Code": "500", "Message": "mocked error"}}, "test"
+#         ),
+#     )
 
-    expected = ApiGatewayResponse(
-        400, """{ "error":"Internal error logging user out"}""", "GET"
-    ).create_api_gateway_response()
+#     expected = ApiGatewayResponse(
+#         400, """{ "error":"Internal error logging user out"}""", "GET"
+#     ).create_api_gateway_response()
 
-    actual = lambda_handler(build_event_from_token(mock_token), None)
+#     actual = lambda_handler(build_event_from_token(mock_token), None)
 
-    assert expected == actual
-    mock_oidc_service.asset_called_with(mock_token)
-    mock_dynamo_service.assert_called_with(mock_session_id)
+#     assert expected == actual
+#     mock_oidc_service.asset_called_with(mock_token)
+#     mock_dynamo_service.assert_called_with(mock_session_id)
 
 
-def build_event_from_token(token: str) -> dict:
-    return {"body": {"logout_token": token}}
+# def build_event_from_token(token: str) -> dict:
+#     return {"body": {"logout_token": token}}

From f151bd9f93a6149ff5bf7b1dd6c80e93e2613dec Mon Sep 17 00:00:00 2001
From: AlexHerbertNHS <alexandra.herbert1@nhs.net>
Date: Thu, 19 Oct 2023 11:24:22 +0100
Subject: [PATCH 13/32] PRMDR-168

Fix for docs not being downloaded
---
 .github/workflows/new_base-lambdas-reusable-deploy-all.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/new_base-lambdas-reusable-deploy-all.yml b/.github/workflows/new_base-lambdas-reusable-deploy-all.yml
index 291be17ef..911649adf 100644
--- a/.github/workflows/new_base-lambdas-reusable-deploy-all.yml
+++ b/.github/workflows/new_base-lambdas-reusable-deploy-all.yml
@@ -118,7 +118,7 @@ jobs:
     secrets:
       AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
 
-  deploy_bulk_upload_lambda:
+  deploy_back_channel_logout_lambda:
     name: Deploy back_channel_logout_lambda
     uses: ./.github/workflows/new_base-lambdas-reusable-deploy.yml
     with:

From e539d1b8754819e0d4b0fd7a7b3cab43b5028c4e Mon Sep 17 00:00:00 2001
From: Richard Smith <richard.smith33@nhs.net>
Date: Thu, 19 Oct 2023 12:24:58 +0100
Subject: [PATCH 14/32] Code tidy up

---
 .../handlers/back_channel_logout_handler.py   |   4 +-
 .../test_back_channel_logout_handler.py       | 109 +++++++++---------
 2 files changed, 55 insertions(+), 58 deletions(-)

diff --git a/lambdas/handlers/back_channel_logout_handler.py b/lambdas/handlers/back_channel_logout_handler.py
index 2f06ac754..92517ddce 100644
--- a/lambdas/handlers/back_channel_logout_handler.py
+++ b/lambdas/handlers/back_channel_logout_handler.py
@@ -13,11 +13,9 @@
 
 
 def lambda_handler(event, context):
-    body = json.loads(event["body"])
-    token = body["logout_token"]
+    token = event["body"]["logout_token"]
     return logout_handler(token)
 
-
 def logout_handler(token):
     try:
         logger.info("decoding token")
diff --git a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
index 1f9d53fcf..89e942553 100644
--- a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
+++ b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
@@ -19,78 +19,77 @@ def mock_oidc_service(mocker):
         "validate_and_decode_token")
     yield mock_oidc_service
 
-# def test_back_channel_logout_handler_valid_jwt_returns_200_if_session_exists(mocker, mock_oidc_service):
-#     mock_token = json.dumps("mock_token")
-#     mock_request = "logout_token=" + mock_token
-#     mock_session_id = "mock_session_id"
-#     mock_decoded_token = {"sid": mock_session_id}
-#     mock_oidc_service.return_value = mock_decoded_token
-#     mock_dynamo_service = mocker.patch(
-#         "handlers.back_channel_logout_handler.remove_session_from_dynamo_db"
-#     )
+def test_back_channel_logout_handler_valid_jwt_returns_200_if_session_exists(mocker, mock_oidc_service):
+    mock_token = "mock_token"
+    mock_session_id = "mock_session_id"
+    mock_decoded_token = {"sid": mock_session_id}
+    mock_oidc_service.return_value = mock_decoded_token
+    mock_dynamo_service = mocker.patch(
+        "handlers.back_channel_logout_handler.remove_session_from_dynamo_db"
+    )
 
-#     expected = ApiGatewayResponse(200, "", "GET").create_api_gateway_response()
+    expected = ApiGatewayResponse(200, "", "GET").create_api_gateway_response()
 
-#     actual = lambda_handler(build_event_from_token(mock_request), None)
+    actual = lambda_handler(build_event_from_token(mock_token), None)
 
-#     assert expected == actual
-#     mock_oidc_service.asset_called_with(mock_token)
-#     mock_dynamo_service.assert_called_with(mock_session_id)
+    assert expected == actual
+    mock_oidc_service.asset_called_with(mock_token)
+    mock_dynamo_service.assert_called_with(mock_session_id)
 
 
-# def test_back_channel_logout_handler_jwt_without_session_id_returns_400(mock_oidc_service):
-#     mock_token = "mock_token"
-#     mock_session_id = "mock_session_id"
-#     mock_decoded_token = {"not_an_sid": mock_session_id}
-#     mock_oidc_service.return_value = mock_decoded_token
+def test_back_channel_logout_handler_jwt_without_session_id_returns_400(mock_oidc_service):
+    mock_token = "mock_token"
+    mock_session_id = "mock_session_id"
+    mock_decoded_token = {"not_an_sid": mock_session_id}
+    mock_oidc_service.return_value = mock_decoded_token
 
-#     expected = ApiGatewayResponse(
-#         400,  """{ "error":"No sid field in decoded token"}""", "GET"
-#     ).create_api_gateway_response()
+    expected = ApiGatewayResponse(
+        400,  """{ "error":"No sid field in decoded token"}""", "GET"
+    ).create_api_gateway_response()
 
-#     actual = lambda_handler(build_event_from_token(mock_token), None)
+    actual = lambda_handler(build_event_from_token(mock_token), None)
 
-#     assert expected == actual
-#     mock_oidc_service.asset_called_with(mock_token)
+    assert expected == actual
+    mock_oidc_service.asset_called_with(mock_token)
 
 
-# def test_back_channel_logout_handler_invalid_jwt_returns_400(mock_oidc_service):
-#     mock_token = "mock_token"
-#     mock_session_id = "mock_session_id"
-#     mock_oidc_service.side_effect=AuthorisationException
+def test_back_channel_logout_handler_invalid_jwt_returns_400(mock_oidc_service):
+    mock_token = "mock_token"
+    mock_session_id = "mock_session_id"
+    mock_oidc_service.side_effect=AuthorisationException
 
-#     expected = ApiGatewayResponse(
-#         400,  """{ "error":"JWT was invalid"}""", "GET"
-#     ).create_api_gateway_response()
+    expected = ApiGatewayResponse(
+        400,  """{ "error":"JWT was invalid"}""", "GET"
+    ).create_api_gateway_response()
 
-#     actual = lambda_handler(build_event_from_token(mock_token), None)
+    actual = lambda_handler(build_event_from_token(mock_token), None)
 
-#     assert expected == actual
-#     mock_oidc_service.asset_called_with(mock_token)
+    assert expected == actual
+    mock_oidc_service.asset_called_with(mock_token)
 
 
-# def test_back_channel_logout_handler_boto_error_returns_400(mocker, mock_oidc_service):
-#     mock_token = "mock_token"
-#     mock_session_id = "mock_session_id"
-#     mock_decoded_token = {"sid": mock_session_id}
-#     mock_oidc_service.return_value = mock_decoded_token
-#     mock_dynamo_service = mocker.patch(
-#         "handlers.back_channel_logout_handler.remove_session_from_dynamo_db",
-#         side_effect=ClientError(
-#             {"Error": {"Code": "500", "Message": "mocked error"}}, "test"
-#         ),
-#     )
+def test_back_channel_logout_handler_boto_error_returns_400(mocker, mock_oidc_service):
+    mock_token = "mock_token"
+    mock_session_id = "mock_session_id"
+    mock_decoded_token = {"sid": mock_session_id}
+    mock_oidc_service.return_value = mock_decoded_token
+    mock_dynamo_service = mocker.patch(
+        "handlers.back_channel_logout_handler.remove_session_from_dynamo_db",
+        side_effect=ClientError(
+            {"Error": {"Code": "500", "Message": "mocked error"}}, "test"
+        ),
+    )
 
-#     expected = ApiGatewayResponse(
-#         400, """{ "error":"Internal error logging user out"}""", "GET"
-#     ).create_api_gateway_response()
+    expected = ApiGatewayResponse(
+        400, """{ "error":"Internal error logging user out"}""", "GET"
+    ).create_api_gateway_response()
 
-#     actual = lambda_handler(build_event_from_token(mock_token), None)
+    actual = lambda_handler(build_event_from_token(mock_token), None)
 
-#     assert expected == actual
-#     mock_oidc_service.asset_called_with(mock_token)
-#     mock_dynamo_service.assert_called_with(mock_session_id)
+    assert expected == actual
+    mock_oidc_service.asset_called_with(mock_token)
+    mock_dynamo_service.assert_called_with(mock_session_id)
 
 
-# def build_event_from_token(token: str) -> dict:
-#     return {"body": {"logout_token": token}}
+def build_event_from_token(token: str) -> dict:
+    return {"body": {"logout_token": token}}

From 9fdf02f8ee2c149ea6001663e7401cc6b4834e65 Mon Sep 17 00:00:00 2001
From: AlexHerbertNHS <alexandra.herbert1@nhs.net>
Date: Thu, 19 Oct 2023 12:40:41 +0100
Subject: [PATCH 15/32] PRMDR-168

Added fix to ensure environment variable exists
---
 .../handlers/back_channel_logout_handler.py   | 11 ++++++--
 .../test_back_channel_logout_handler.py       | 28 ++++++++++++++-----
 2 files changed, 29 insertions(+), 10 deletions(-)

diff --git a/lambdas/handlers/back_channel_logout_handler.py b/lambdas/handlers/back_channel_logout_handler.py
index 92517ddce..4a1043c6a 100644
--- a/lambdas/handlers/back_channel_logout_handler.py
+++ b/lambdas/handlers/back_channel_logout_handler.py
@@ -3,19 +3,23 @@
 import os
 from botocore.exceptions import ClientError
 from services.oidc_service import OidcService
+from utils.decorators.ensure_env_var import ensure_environment_variables
 from utils.exceptions import AuthorisationException
 from services.dynamo_service import DynamoDBService
 from utils.lambda_response import ApiGatewayResponse
 
-
 logger = logging.getLogger()
 logger.setLevel(logging.INFO)
 
 
+@ensure_environment_variables(
+    ["OIDC_CALLBACK_URL"]
+)
 def lambda_handler(event, context):
     token = event["body"]["logout_token"]
     return logout_handler(token)
 
+
 def logout_handler(token):
     try:
         logger.info("decoding token")
@@ -37,11 +41,12 @@ def logout_handler(token):
     except KeyError as e:
         logger.error(f"No field 'sid' in decoded token: {e}")
         return ApiGatewayResponse(
-            400, """{ "error":"No sid field in decoded token"}""", "GET"
+            400, """{ "error":"No sid field in decoded token"}""", "POST"
         ).create_api_gateway_response()
-    
+
     return ApiGatewayResponse(200, "", "GET").create_api_gateway_response()
 
+
 def remove_session_from_dynamo_db(session_id):
     logger.info(f"Session to be removed: {session_id}")
     dynamodb_name = os.environ["AUTH_DYNAMODB_NAME"]
diff --git a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
index 89e942553..c356e6777 100644
--- a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
+++ b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
@@ -8,17 +8,31 @@
     MOCK_SINGLE_SECURE_STRING_PARAMETER_RESPONSE
 from utils.lambda_response import ApiGatewayResponse
 
+
 @pytest.fixture
 def mock_oidc_service(mocker):
     mocker.patch.object(
-        OidcService, 
-        "__init__", 
-        return_value = None)
+        OidcService,
+        "__init__",
+        return_value=None)
     mock_oidc_service = mocker.patch.object(
-        OidcService, 
+        OidcService,
         "validate_and_decode_token")
     yield mock_oidc_service
 
+
+def test_returns_500_when_env_vars_not_set():
+    mock_token = "mock_token"
+    expected = ApiGatewayResponse(
+        500,
+        "An error occurred due to missing key: 'OIDC_CALLBACK_URL'",
+        "GET",
+    ).create_api_gateway_response()
+    actual = lambda_handler(build_event_from_token(mock_token), None)
+
+    assert actual == expected
+
+
 def test_back_channel_logout_handler_valid_jwt_returns_200_if_session_exists(mocker, mock_oidc_service):
     mock_token = "mock_token"
     mock_session_id = "mock_session_id"
@@ -44,7 +58,7 @@ def test_back_channel_logout_handler_jwt_without_session_id_returns_400(mock_oid
     mock_oidc_service.return_value = mock_decoded_token
 
     expected = ApiGatewayResponse(
-        400,  """{ "error":"No sid field in decoded token"}""", "GET"
+        400, """{ "error":"No sid field in decoded token"}""", "GET"
     ).create_api_gateway_response()
 
     actual = lambda_handler(build_event_from_token(mock_token), None)
@@ -56,10 +70,10 @@ def test_back_channel_logout_handler_jwt_without_session_id_returns_400(mock_oid
 def test_back_channel_logout_handler_invalid_jwt_returns_400(mock_oidc_service):
     mock_token = "mock_token"
     mock_session_id = "mock_session_id"
-    mock_oidc_service.side_effect=AuthorisationException
+    mock_oidc_service.side_effect = AuthorisationException
 
     expected = ApiGatewayResponse(
-        400,  """{ "error":"JWT was invalid"}""", "GET"
+        400, """{ "error":"JWT was invalid"}""", "GET"
     ).create_api_gateway_response()
 
     actual = lambda_handler(build_event_from_token(mock_token), None)

From b72d5c6b984f0ffec36509a3fd28e3e08eacbe03 Mon Sep 17 00:00:00 2001
From: Richard Smith <richard.smith33@nhs.net>
Date: Thu, 19 Oct 2023 14:59:46 +0100
Subject: [PATCH 16/32] Return POST response for BCL

---
 .../handlers/back_channel_logout_handler.py   |  6 +++---
 .../test_back_channel_logout_handler.py       | 20 +++++++++++--------
 2 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/lambdas/handlers/back_channel_logout_handler.py b/lambdas/handlers/back_channel_logout_handler.py
index 4a1043c6a..29cab6142 100644
--- a/lambdas/handlers/back_channel_logout_handler.py
+++ b/lambdas/handlers/back_channel_logout_handler.py
@@ -31,12 +31,12 @@ def logout_handler(token):
     except ClientError as e:
         logger.error(f"Error logging out user: {e}")
         return ApiGatewayResponse(
-            400, """{ "error":"Internal error logging user out"}""", "GET"
+            400, """{ "error":"Internal error logging user out"}""", "POST"
         ).create_api_gateway_response()
     except AuthorisationException as e:
         logger.error(f"error while decoding JWT: {e}")
         return ApiGatewayResponse(
-            400, """{ "error":"JWT was invalid"}""", "GET"
+            400, """{ "error":"JWT was invalid"}""", "POST"
         ).create_api_gateway_response()
     except KeyError as e:
         logger.error(f"No field 'sid' in decoded token: {e}")
@@ -44,7 +44,7 @@ def logout_handler(token):
             400, """{ "error":"No sid field in decoded token"}""", "POST"
         ).create_api_gateway_response()
 
-    return ApiGatewayResponse(200, "", "GET").create_api_gateway_response()
+    return ApiGatewayResponse(200, "", "POST").create_api_gateway_response()
 
 
 def remove_session_from_dynamo_db(session_id):
diff --git a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
index c356e6777..205b80e9d 100644
--- a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
+++ b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
@@ -33,7 +33,8 @@ def test_returns_500_when_env_vars_not_set():
     assert actual == expected
 
 
-def test_back_channel_logout_handler_valid_jwt_returns_200_if_session_exists(mocker, mock_oidc_service):
+def test_back_channel_logout_handler_valid_jwt_returns_200_if_session_exists(mocker, mock_oidc_service, monkeypatch):
+    monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
     mock_token = "mock_token"
     mock_session_id = "mock_session_id"
     mock_decoded_token = {"sid": mock_session_id}
@@ -42,7 +43,7 @@ def test_back_channel_logout_handler_valid_jwt_returns_200_if_session_exists(moc
         "handlers.back_channel_logout_handler.remove_session_from_dynamo_db"
     )
 
-    expected = ApiGatewayResponse(200, "", "GET").create_api_gateway_response()
+    expected = ApiGatewayResponse(200, "", "POST").create_api_gateway_response()
 
     actual = lambda_handler(build_event_from_token(mock_token), None)
 
@@ -51,14 +52,15 @@ def test_back_channel_logout_handler_valid_jwt_returns_200_if_session_exists(moc
     mock_dynamo_service.assert_called_with(mock_session_id)
 
 
-def test_back_channel_logout_handler_jwt_without_session_id_returns_400(mock_oidc_service):
+def test_back_channel_logout_handler_jwt_without_session_id_returns_400(mock_oidc_service, monkeypatch):
+    monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
     mock_token = "mock_token"
     mock_session_id = "mock_session_id"
     mock_decoded_token = {"not_an_sid": mock_session_id}
     mock_oidc_service.return_value = mock_decoded_token
 
     expected = ApiGatewayResponse(
-        400, """{ "error":"No sid field in decoded token"}""", "GET"
+        400, """{ "error":"No sid field in decoded token"}""", "POST"
     ).create_api_gateway_response()
 
     actual = lambda_handler(build_event_from_token(mock_token), None)
@@ -67,13 +69,14 @@ def test_back_channel_logout_handler_jwt_without_session_id_returns_400(mock_oid
     mock_oidc_service.asset_called_with(mock_token)
 
 
-def test_back_channel_logout_handler_invalid_jwt_returns_400(mock_oidc_service):
+def test_back_channel_logout_handler_invalid_jwt_returns_400(mock_oidc_service, monkeypatch):
+    monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
     mock_token = "mock_token"
     mock_session_id = "mock_session_id"
     mock_oidc_service.side_effect = AuthorisationException
 
     expected = ApiGatewayResponse(
-        400, """{ "error":"JWT was invalid"}""", "GET"
+        400, """{ "error":"JWT was invalid"}""", "POST"
     ).create_api_gateway_response()
 
     actual = lambda_handler(build_event_from_token(mock_token), None)
@@ -82,7 +85,8 @@ def test_back_channel_logout_handler_invalid_jwt_returns_400(mock_oidc_service):
     mock_oidc_service.asset_called_with(mock_token)
 
 
-def test_back_channel_logout_handler_boto_error_returns_400(mocker, mock_oidc_service):
+def test_back_channel_logout_handler_boto_error_returns_400(mocker, mock_oidc_service, monkeypatch):
+    monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
     mock_token = "mock_token"
     mock_session_id = "mock_session_id"
     mock_decoded_token = {"sid": mock_session_id}
@@ -95,7 +99,7 @@ def test_back_channel_logout_handler_boto_error_returns_400(mocker, mock_oidc_se
     )
 
     expected = ApiGatewayResponse(
-        400, """{ "error":"Internal error logging user out"}""", "GET"
+        400, """{ "error":"Internal error logging user out"}""", "POST"
     ).create_api_gateway_response()
 
     actual = lambda_handler(build_event_from_token(mock_token), None)

From 7894b16abfd71350223c142ca81379573eb792df Mon Sep 17 00:00:00 2001
From: Richard Smith <richard.smith33@nhs.net>
Date: Thu, 19 Oct 2023 15:09:04 +0100
Subject: [PATCH 17/32] Issue deconstructing request

---
 lambdas/handlers/back_channel_logout_handler.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lambdas/handlers/back_channel_logout_handler.py b/lambdas/handlers/back_channel_logout_handler.py
index 29cab6142..f8751ff86 100644
--- a/lambdas/handlers/back_channel_logout_handler.py
+++ b/lambdas/handlers/back_channel_logout_handler.py
@@ -13,7 +13,7 @@
 
 
 @ensure_environment_variables(
-    ["OIDC_CALLBACK_URL"]
+    names = ["OIDC_CALLBACK_URL"]
 )
 def lambda_handler(event, context):
     token = event["body"]["logout_token"]

From 06f4b3faaeec7ad81fe63b77426dd65beaef50fd Mon Sep 17 00:00:00 2001
From: Richard Smith <richard.smith33@nhs.net>
Date: Thu, 19 Oct 2023 15:27:22 +0100
Subject: [PATCH 18/32] Issue deconstructing request

---
 .../handlers/back_channel_logout_handler.py   |   3 +-
 .../test_back_channel_logout_handler.py       | 134 +++++++++---------
 2 files changed, 69 insertions(+), 68 deletions(-)

diff --git a/lambdas/handlers/back_channel_logout_handler.py b/lambdas/handlers/back_channel_logout_handler.py
index f8751ff86..00bf02a52 100644
--- a/lambdas/handlers/back_channel_logout_handler.py
+++ b/lambdas/handlers/back_channel_logout_handler.py
@@ -16,7 +16,8 @@
     names = ["OIDC_CALLBACK_URL"]
 )
 def lambda_handler(event, context):
-    token = event["body"]["logout_token"]
+    body = json.load(event["body"])
+    token = body["logout_token"]
     return logout_handler(token)
 
 
diff --git a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
index 205b80e9d..019e3725b 100644
--- a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
+++ b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
@@ -21,93 +21,93 @@ def mock_oidc_service(mocker):
     yield mock_oidc_service
 
 
-def test_returns_500_when_env_vars_not_set():
-    mock_token = "mock_token"
-    expected = ApiGatewayResponse(
-        500,
-        "An error occurred due to missing key: 'OIDC_CALLBACK_URL'",
-        "GET",
-    ).create_api_gateway_response()
-    actual = lambda_handler(build_event_from_token(mock_token), None)
+# def test_returns_500_when_env_vars_not_set():
+#     mock_token = "mock_token"
+#     expected = ApiGatewayResponse(
+#         500,
+#         "An error occurred due to missing key: 'OIDC_CALLBACK_URL'",
+#         "GET",
+#     ).create_api_gateway_response()
+#     actual = lambda_handler(build_event_from_token(mock_token), None)
 
-    assert actual == expected
+#     assert actual == expected
 
 
-def test_back_channel_logout_handler_valid_jwt_returns_200_if_session_exists(mocker, mock_oidc_service, monkeypatch):
-    monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
-    mock_token = "mock_token"
-    mock_session_id = "mock_session_id"
-    mock_decoded_token = {"sid": mock_session_id}
-    mock_oidc_service.return_value = mock_decoded_token
-    mock_dynamo_service = mocker.patch(
-        "handlers.back_channel_logout_handler.remove_session_from_dynamo_db"
-    )
+# def test_back_channel_logout_handler_valid_jwt_returns_200_if_session_exists(mocker, mock_oidc_service, monkeypatch):
+#     monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
+#     mock_token = "mock_token"
+#     mock_session_id = "mock_session_id"
+#     mock_decoded_token = {"sid": mock_session_id}
+#     mock_oidc_service.return_value = mock_decoded_token
+#     mock_dynamo_service = mocker.patch(
+#         "handlers.back_channel_logout_handler.remove_session_from_dynamo_db"
+#     )
 
-    expected = ApiGatewayResponse(200, "", "POST").create_api_gateway_response()
+#     expected = ApiGatewayResponse(200, "", "POST").create_api_gateway_response()
 
-    actual = lambda_handler(build_event_from_token(mock_token), None)
+#     actual = lambda_handler(build_event_from_token(mock_token), None)
 
-    assert expected == actual
-    mock_oidc_service.asset_called_with(mock_token)
-    mock_dynamo_service.assert_called_with(mock_session_id)
+#     assert expected == actual
+#     mock_oidc_service.asset_called_with(mock_token)
+#     mock_dynamo_service.assert_called_with(mock_session_id)
 
 
-def test_back_channel_logout_handler_jwt_without_session_id_returns_400(mock_oidc_service, monkeypatch):
-    monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
-    mock_token = "mock_token"
-    mock_session_id = "mock_session_id"
-    mock_decoded_token = {"not_an_sid": mock_session_id}
-    mock_oidc_service.return_value = mock_decoded_token
+# def test_back_channel_logout_handler_jwt_without_session_id_returns_400(mock_oidc_service, monkeypatch):
+#     monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
+#     mock_token = "mock_token"
+#     mock_session_id = "mock_session_id"
+#     mock_decoded_token = {"not_an_sid": mock_session_id}
+#     mock_oidc_service.return_value = mock_decoded_token
 
-    expected = ApiGatewayResponse(
-        400, """{ "error":"No sid field in decoded token"}""", "POST"
-    ).create_api_gateway_response()
+#     expected = ApiGatewayResponse(
+#         400, """{ "error":"No sid field in decoded token"}""", "POST"
+#     ).create_api_gateway_response()
 
-    actual = lambda_handler(build_event_from_token(mock_token), None)
+#     actual = lambda_handler(build_event_from_token(mock_token), None)
 
-    assert expected == actual
-    mock_oidc_service.asset_called_with(mock_token)
+#     assert expected == actual
+#     mock_oidc_service.asset_called_with(mock_token)
 
 
-def test_back_channel_logout_handler_invalid_jwt_returns_400(mock_oidc_service, monkeypatch):
-    monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
-    mock_token = "mock_token"
-    mock_session_id = "mock_session_id"
-    mock_oidc_service.side_effect = AuthorisationException
+# def test_back_channel_logout_handler_invalid_jwt_returns_400(mock_oidc_service, monkeypatch):
+#     monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
+#     mock_token = "mock_token"
+#     mock_session_id = "mock_session_id"
+#     mock_oidc_service.side_effect = AuthorisationException
 
-    expected = ApiGatewayResponse(
-        400, """{ "error":"JWT was invalid"}""", "POST"
-    ).create_api_gateway_response()
+#     expected = ApiGatewayResponse(
+#         400, """{ "error":"JWT was invalid"}""", "POST"
+#     ).create_api_gateway_response()
 
-    actual = lambda_handler(build_event_from_token(mock_token), None)
+#     actual = lambda_handler(build_event_from_token(mock_token), None)
 
-    assert expected == actual
-    mock_oidc_service.asset_called_with(mock_token)
+#     assert expected == actual
+#     mock_oidc_service.asset_called_with(mock_token)
 
 
-def test_back_channel_logout_handler_boto_error_returns_400(mocker, mock_oidc_service, monkeypatch):
-    monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
-    mock_token = "mock_token"
-    mock_session_id = "mock_session_id"
-    mock_decoded_token = {"sid": mock_session_id}
-    mock_oidc_service.return_value = mock_decoded_token
-    mock_dynamo_service = mocker.patch(
-        "handlers.back_channel_logout_handler.remove_session_from_dynamo_db",
-        side_effect=ClientError(
-            {"Error": {"Code": "500", "Message": "mocked error"}}, "test"
-        ),
-    )
+# def test_back_channel_logout_handler_boto_error_returns_400(mocker, mock_oidc_service, monkeypatch):
+#     monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
+#     mock_token = "mock_token"
+#     mock_session_id = "mock_session_id"
+#     mock_decoded_token = {"sid": mock_session_id}
+#     mock_oidc_service.return_value = mock_decoded_token
+#     mock_dynamo_service = mocker.patch(
+#         "handlers.back_channel_logout_handler.remove_session_from_dynamo_db",
+#         side_effect=ClientError(
+#             {"Error": {"Code": "500", "Message": "mocked error"}}, "test"
+#         ),
+#     )
 
-    expected = ApiGatewayResponse(
-        400, """{ "error":"Internal error logging user out"}""", "POST"
-    ).create_api_gateway_response()
+#     expected = ApiGatewayResponse(
+#         400, """{ "error":"Internal error logging user out"}""", "POST"
+#     ).create_api_gateway_response()
 
-    actual = lambda_handler(build_event_from_token(mock_token), None)
+#     actual = lambda_handler(build_event_from_token(mock_token), None)
 
-    assert expected == actual
-    mock_oidc_service.asset_called_with(mock_token)
-    mock_dynamo_service.assert_called_with(mock_session_id)
+#     assert expected == actual
+#     mock_oidc_service.asset_called_with(mock_token)
+#     mock_dynamo_service.assert_called_with(mock_session_id)
 
 
-def build_event_from_token(token: str) -> dict:
-    return {"body": {"logout_token": token}}
+# def build_event_from_token(token: str) -> dict:
+#     return {"body": {"logout_token": token}}

From b5cffb9063c518735e8a594498659393be6bd5c0 Mon Sep 17 00:00:00 2001
From: AlexHerbertNHS <alexandra.herbert1@nhs.net>
Date: Thu, 19 Oct 2023 15:27:53 +0100
Subject: [PATCH 19/32] PRMDR-168

Adding debug code
---
 lambdas/handlers/back_channel_logout_handler.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lambdas/handlers/back_channel_logout_handler.py b/lambdas/handlers/back_channel_logout_handler.py
index f8751ff86..07b600880 100644
--- a/lambdas/handlers/back_channel_logout_handler.py
+++ b/lambdas/handlers/back_channel_logout_handler.py
@@ -16,6 +16,7 @@
     names = ["OIDC_CALLBACK_URL"]
 )
 def lambda_handler(event, context):
+    logger.info(f"event = {event}")
     token = event["body"]["logout_token"]
     return logout_handler(token)
 

From ba0eeea05c334a0f98a5a4a5f384d54941692df7 Mon Sep 17 00:00:00 2001
From: Richard Smith <richard.smith33@nhs.net>
Date: Thu, 19 Oct 2023 15:33:31 +0100
Subject: [PATCH 20/32] Issue deconstructing request

---
 lambdas/handlers/back_channel_logout_handler.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lambdas/handlers/back_channel_logout_handler.py b/lambdas/handlers/back_channel_logout_handler.py
index 00bf02a52..dae7c9eba 100644
--- a/lambdas/handlers/back_channel_logout_handler.py
+++ b/lambdas/handlers/back_channel_logout_handler.py
@@ -16,7 +16,7 @@
     names = ["OIDC_CALLBACK_URL"]
 )
 def lambda_handler(event, context):
-    body = json.load(event["body"])
+    body = json.loads(event["body"])
     token = body["logout_token"]
     return logout_handler(token)
 

From 3aa6319d3d173653f8ae70859014a28e93e046c9 Mon Sep 17 00:00:00 2001
From: AlexHerbertNHS <alexandra.herbert1@nhs.net>
Date: Thu, 19 Oct 2023 15:34:05 +0100
Subject: [PATCH 21/32] PRMDR-168

Adding debug code and fixing json load
---
 lambdas/handlers/back_channel_logout_handler.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lambdas/handlers/back_channel_logout_handler.py b/lambdas/handlers/back_channel_logout_handler.py
index c95f06cdc..1a803c362 100644
--- a/lambdas/handlers/back_channel_logout_handler.py
+++ b/lambdas/handlers/back_channel_logout_handler.py
@@ -17,7 +17,7 @@
 )
 def lambda_handler(event, context):
     logger.info(f"event = {event}")
-    body = json.load(event["body"])
+    body = json.loads(event["body"])
     token = body["logout_token"]
     return logout_handler(token)
 

From 06783038280818c00e3a13c4a84d172fc489d85f Mon Sep 17 00:00:00 2001
From: Richard Smith <richard.smith33@nhs.net>
Date: Thu, 19 Oct 2023 15:47:19 +0100
Subject: [PATCH 22/32] Fix divergent branches

---
 lambdas/handlers/back_channel_logout_handler.py | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/lambdas/handlers/back_channel_logout_handler.py b/lambdas/handlers/back_channel_logout_handler.py
index 028650827..1a803c362 100644
--- a/lambdas/handlers/back_channel_logout_handler.py
+++ b/lambdas/handlers/back_channel_logout_handler.py
@@ -16,10 +16,7 @@
     names = ["OIDC_CALLBACK_URL"]
 )
 def lambda_handler(event, context):
-<<<<<<< HEAD
-=======
     logger.info(f"event = {event}")
->>>>>>> 3aa6319d3d173653f8ae70859014a28e93e046c9
     body = json.loads(event["body"])
     token = body["logout_token"]
     return logout_handler(token)

From cfb51603d83439529bd1dac964e2eba01976f6ea Mon Sep 17 00:00:00 2001
From: AlexHerbertNHS <alexandra.herbert1@nhs.net>
Date: Thu, 19 Oct 2023 15:53:08 +0100
Subject: [PATCH 23/32] PRMDR-168

Removing debug code
Adding in variable HTTP method to decorator classes to ensure it's returning GET or POST as appropriate
adding http methods to every test case
---
 .../handlers/back_channel_logout_handler.py   |  6 +----
 lambdas/tests/unit/handlers/conftest.py       |  7 ++++++
 .../test_back_channel_logout_handler.py       | 25 +++++++++++--------
 ...test_lloyd_george_record_stitch_handler.py |  1 +
 .../tests/unit/utils/decorators/conftest.py   | 10 ++++++++
 lambdas/utils/decorators/ensure_env_var.py    |  2 +-
 .../decorators/validate_document_type.py      |  6 ++---
 .../utils/decorators/validate_patient_id.py   |  4 +--
 8 files changed, 39 insertions(+), 22 deletions(-)

diff --git a/lambdas/handlers/back_channel_logout_handler.py b/lambdas/handlers/back_channel_logout_handler.py
index 028650827..f50d3e1a1 100644
--- a/lambdas/handlers/back_channel_logout_handler.py
+++ b/lambdas/handlers/back_channel_logout_handler.py
@@ -13,13 +13,9 @@
 
 
 @ensure_environment_variables(
-    names = ["OIDC_CALLBACK_URL"]
+    names=["OIDC_CALLBACK_URL"]
 )
 def lambda_handler(event, context):
-<<<<<<< HEAD
-=======
-    logger.info(f"event = {event}")
->>>>>>> 3aa6319d3d173653f8ae70859014a28e93e046c9
     body = json.loads(event["body"])
     token = body["logout_token"]
     return logout_handler(token)
diff --git a/lambdas/tests/unit/handlers/conftest.py b/lambdas/tests/unit/handlers/conftest.py
index 2c3f9fa42..3c253ff65 100755
--- a/lambdas/tests/unit/handlers/conftest.py
+++ b/lambdas/tests/unit/handlers/conftest.py
@@ -8,6 +8,7 @@
 @pytest.fixture
 def valid_id_event():
     api_gateway_proxy_event = {
+        "httpMethod": "GET",
         "queryStringParameters": {"patientId": "9000000009"},
     }
     return api_gateway_proxy_event
@@ -16,6 +17,7 @@ def valid_id_event():
 @pytest.fixture
 def valid_id_and_both_doctype_event():
     api_gateway_proxy_event = {
+        "httpMethod": "GET",
         "queryStringParameters": {"patientId": "9000000009", "docType": "LG,ARF"},
     }
     return api_gateway_proxy_event
@@ -24,6 +26,7 @@ def valid_id_and_both_doctype_event():
 @pytest.fixture
 def valid_id_and_arf_doctype_event():
     api_gateway_proxy_event = {
+        "httpMethod": "GET",
         "queryStringParameters": {"patientId": "9000000009", "docType": "ARF"},
     }
     return api_gateway_proxy_event
@@ -32,6 +35,7 @@ def valid_id_and_arf_doctype_event():
 @pytest.fixture
 def valid_id_and_lg_doctype_event():
     api_gateway_proxy_event = {
+        "httpMethod": "GET",
         "queryStringParameters": {"patientId": "9000000009", "docType": "LG"},
     }
     return api_gateway_proxy_event
@@ -40,6 +44,7 @@ def valid_id_and_lg_doctype_event():
 @pytest.fixture
 def valid_id_and_invalid_doctype_event():
     api_gateway_proxy_event = {
+        "httpMethod": "GET",
         "queryStringParameters": {"patientId": "9000000009", "docType": "MANGO"},
     }
     return api_gateway_proxy_event
@@ -48,6 +53,7 @@ def valid_id_and_invalid_doctype_event():
 @pytest.fixture
 def invalid_id_event():
     api_gateway_proxy_event = {
+        "httpMethod": "GET",
         "queryStringParameters": {"patientId": "900000000900"},
     }
     return api_gateway_proxy_event
@@ -56,6 +62,7 @@ def invalid_id_event():
 @pytest.fixture
 def missing_id_event():
     api_gateway_proxy_event = {
+        "httpMethod": "GET",
         "queryStringParameters": {"invalid": ""},
     }
     return api_gateway_proxy_event
diff --git a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
index 019e3725b..03650dbe5 100644
--- a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
+++ b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
@@ -21,16 +21,16 @@ def mock_oidc_service(mocker):
     yield mock_oidc_service
 
 
-# def test_returns_500_when_env_vars_not_set():
-#     mock_token = "mock_token"
-#     expected = ApiGatewayResponse(
-#         500,
-#         "An error occurred due to missing key: 'OIDC_CALLBACK_URL'",
-#         "GET",
-#     ).create_api_gateway_response()
-#     actual = lambda_handler(build_event_from_token(mock_token), None)
+def test_returns_500_when_env_vars_not_set():
+    mock_token = "mock_token"
+    expected = ApiGatewayResponse(
+        500,
+        "An error occurred due to missing key: 'OIDC_CALLBACK_URL'",
+        "POST",
+    ).create_api_gateway_response()
+    actual = lambda_handler(build_event_from_token(mock_token), None)
 
-#     assert actual == expected
+    assert actual == expected
 
 
 # def test_back_channel_logout_handler_valid_jwt_returns_200_if_session_exists(mocker, mock_oidc_service, monkeypatch):
@@ -109,5 +109,8 @@ def mock_oidc_service(mocker):
 #     mock_dynamo_service.assert_called_with(mock_session_id)
 
 
-# def build_event_from_token(token: str) -> dict:
-#     return {"body": {"logout_token": token}}
+def build_event_from_token(token: str) -> dict:
+    return {
+        "httpMethod": "POST",
+        "body": {"logout_token": token}
+    }
diff --git a/lambdas/tests/unit/handlers/test_lloyd_george_record_stitch_handler.py b/lambdas/tests/unit/handlers/test_lloyd_george_record_stitch_handler.py
index 66647efdf..79a7f96a8 100755
--- a/lambdas/tests/unit/handlers/test_lloyd_george_record_stitch_handler.py
+++ b/lambdas/tests/unit/handlers/test_lloyd_george_record_stitch_handler.py
@@ -227,6 +227,7 @@ def mock_tempfile():
 @pytest.fixture
 def joe_bloggs_event():
     api_gateway_proxy_event = {
+        "httpMethod": "GET",
         "queryStringParameters": {"patientId": "1234567890"},
     }
     return api_gateway_proxy_event
diff --git a/lambdas/tests/unit/utils/decorators/conftest.py b/lambdas/tests/unit/utils/decorators/conftest.py
index 84a085a07..0f524b368 100644
--- a/lambdas/tests/unit/utils/decorators/conftest.py
+++ b/lambdas/tests/unit/utils/decorators/conftest.py
@@ -6,6 +6,7 @@
 @pytest.fixture
 def valid_id_event():
     api_gateway_proxy_event = {
+        "httpMethod": "GET",
         "queryStringParameters": {"patientId": "9000000009"},
     }
     return api_gateway_proxy_event
@@ -14,6 +15,7 @@ def valid_id_event():
 @pytest.fixture
 def invalid_id_event():
     api_gateway_proxy_event = {
+        "httpMethod": "GET",
         "queryStringParameters": {"patientId": "900000000900"},
     }
     return api_gateway_proxy_event
@@ -22,6 +24,7 @@ def invalid_id_event():
 @pytest.fixture
 def missing_id_event():
     api_gateway_proxy_event = {
+        "httpMethod": "GET",
         "queryStringParameters": {"invalid": ""},
     }
     return api_gateway_proxy_event
@@ -43,6 +46,7 @@ class LambdaContext:
 @pytest.fixture
 def valid_id_and_arf_doctype_event():
     api_gateway_proxy_event = {
+        "httpMethod": "GET",
         "queryStringParameters": {"patientId": "9000000009", "docType": "ARF"},
     }
     return api_gateway_proxy_event
@@ -51,6 +55,7 @@ def valid_id_and_arf_doctype_event():
 @pytest.fixture
 def valid_id_and_lg_doctype_event():
     api_gateway_proxy_event = {
+        "httpMethod": "GET",
         "queryStringParameters": {"patientId": "9000000009", "docType": "LG"},
     }
     return api_gateway_proxy_event
@@ -59,6 +64,7 @@ def valid_id_and_lg_doctype_event():
 @pytest.fixture
 def valid_id_and_both_doctype_event():
     api_gateway_proxy_event = {
+        "httpMethod": "GET",
         "queryStringParameters": {"patientId": "9000000009", "docType": "LG,ARF"},
     }
     return api_gateway_proxy_event
@@ -67,6 +73,7 @@ def valid_id_and_both_doctype_event():
 @pytest.fixture
 def valid_id_and_invalid_doctype_event():
     api_gateway_proxy_event = {
+        "httpMethod": "GET",
         "queryStringParameters": {"patientId": "9000000009", "docType": "MANGO"},
     }
     return api_gateway_proxy_event
@@ -75,6 +82,7 @@ def valid_id_and_invalid_doctype_event():
 @pytest.fixture
 def valid_id_and_nonsense_doctype_event():
     api_gateway_proxy_event = {
+        "httpMethod": "GET",
         "queryStringParameters": {"patientId": "9000000009", "docType": "sdfjfvsjhfvsukjARFfjdhtgdkjughLG"},
     }
     return api_gateway_proxy_event
@@ -83,6 +91,7 @@ def valid_id_and_nonsense_doctype_event():
 @pytest.fixture
 def valid_id_and_empty_doctype_event():
     api_gateway_proxy_event = {
+        "httpMethod": "GET",
         "queryStringParameters": {"patientId": "9000000009", "docType": ""},
     }
     return api_gateway_proxy_event
@@ -91,6 +100,7 @@ def valid_id_and_empty_doctype_event():
 @pytest.fixture
 def valid_id_and_none_doctype_event():
     api_gateway_proxy_event = {
+        "httpMethod": "GET",
         "queryStringParameters": {"patientId": "9000000009", "docType": None},
     }
     return api_gateway_proxy_event
diff --git a/lambdas/utils/decorators/ensure_env_var.py b/lambdas/utils/decorators/ensure_env_var.py
index 341ef171c..bc4fc1bd1 100644
--- a/lambdas/utils/decorators/ensure_env_var.py
+++ b/lambdas/utils/decorators/ensure_env_var.py
@@ -25,7 +25,7 @@ def interceptor(event, context):
                 if name not in os.environ:
                     logger.info(f"missing env var: '{name}'")
                     return ApiGatewayResponse(
-                        500, f"An error occurred due to missing key: '{name}'", "GET"
+                        500, f"An error occurred due to missing key: '{name}'", event["httpMethod"]
                     ).create_api_gateway_response()
 
             # Validation done. Return control flow to original lambda handler
diff --git a/lambdas/utils/decorators/validate_document_type.py b/lambdas/utils/decorators/validate_document_type.py
index 46447a0fb..39fd25c4b 100755
--- a/lambdas/utils/decorators/validate_document_type.py
+++ b/lambdas/utils/decorators/validate_document_type.py
@@ -20,15 +20,15 @@ def interceptor(event, context):
             doc_type = event["queryStringParameters"]["docType"]
             if doc_type is None:
                 return ApiGatewayResponse(
-                    400, "docType not supplied", "GET"
+                    400, "docType not supplied", event["httpMethod"]
                 ).create_api_gateway_response()
             if not doc_type_is_valid(doc_type):
                 return ApiGatewayResponse(
-                    400, "Invalid document type requested", "GET"
+                    400, "Invalid document type requested", event["httpMethod"]
                 ).create_api_gateway_response()
         except KeyError as e:
             return ApiGatewayResponse(
-                400, f"An error occurred due to missing key: {str(e)}", "GET"
+                400, f"An error occurred due to missing key: {str(e)}", event["httpMethod"]
             ).create_api_gateway_response()
 
         # Validation done. Return control flow to original lambda handler
diff --git a/lambdas/utils/decorators/validate_patient_id.py b/lambdas/utils/decorators/validate_patient_id.py
index 285de552a..464d6850a 100644
--- a/lambdas/utils/decorators/validate_patient_id.py
+++ b/lambdas/utils/decorators/validate_patient_id.py
@@ -27,11 +27,11 @@ def interceptor(event, context):
             validate_id(nhs_number)
         except InvalidResourceIdException:
             return ApiGatewayResponse(
-                400, "Invalid NHS number", "GET"
+                400, "Invalid NHS number", event["httpMethod"]
             ).create_api_gateway_response()
         except KeyError as e:
             return ApiGatewayResponse(
-                400, f"An error occurred due to missing key: {str(e)}", "GET"
+                400, f"An error occurred due to missing key: {str(e)}", event["httpMethod"]
             ).create_api_gateway_response()
 
         # Validation done. Return control flow to original lambda handler

From 3788563bee4987badfdb17abb1c2ed18626beec7 Mon Sep 17 00:00:00 2001
From: AlexHerbertNHS <alexandra.herbert1@nhs.net>
Date: Thu, 19 Oct 2023 16:21:46 +0100
Subject: [PATCH 24/32] PRMDR-168

fixes for tests and adding another test back
---
 .../handlers/back_channel_logout_handler.py   |  9 ++--
 .../test_back_channel_logout_handler.py       | 43 +++++++++++++------
 2 files changed, 35 insertions(+), 17 deletions(-)

diff --git a/lambdas/handlers/back_channel_logout_handler.py b/lambdas/handlers/back_channel_logout_handler.py
index dae7c9eba..4d4b4a9e6 100644
--- a/lambdas/handlers/back_channel_logout_handler.py
+++ b/lambdas/handlers/back_channel_logout_handler.py
@@ -13,11 +13,14 @@
 
 
 @ensure_environment_variables(
-    names = ["OIDC_CALLBACK_URL"]
+    names=["OIDC_CALLBACK_URL"]
 )
 def lambda_handler(event, context):
-    body = json.loads(event["body"])
-    token = body["logout_token"]
+    try:
+        token = event["body"]["logout_token"]
+    except KeyError as e:
+        return ApiGatewayResponse(400, f"An error occurred due to missing key: {str(e)}",
+                                  "POST").create_api_gateway_response()
     return logout_handler(token)
 
 
diff --git a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
index 03650dbe5..90ff19563 100644
--- a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
+++ b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
@@ -33,23 +33,38 @@ def test_returns_500_when_env_vars_not_set():
     assert actual == expected
 
 
-# def test_back_channel_logout_handler_valid_jwt_returns_200_if_session_exists(mocker, mock_oidc_service, monkeypatch):
-#     monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
-#     mock_token = "mock_token"
-#     mock_session_id = "mock_session_id"
-#     mock_decoded_token = {"sid": mock_session_id}
-#     mock_oidc_service.return_value = mock_decoded_token
-#     mock_dynamo_service = mocker.patch(
-#         "handlers.back_channel_logout_handler.remove_session_from_dynamo_db"
-#     )
+def test_back_channel_logout_handler_valid_jwt_returns_200_if_session_exists(mocker, mock_oidc_service, monkeypatch,
+                                                                             context):
+    monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
+    mock_token = "mock_token"
+    mock_session_id = "mock_session_id"
+    mock_decoded_token = {"sid": mock_session_id}
+    mock_oidc_service.return_value = mock_decoded_token
+    mock_dynamo_service = mocker.patch(
+        "handlers.back_channel_logout_handler.remove_session_from_dynamo_db"
+    )
 
-#     expected = ApiGatewayResponse(200, "", "POST").create_api_gateway_response()
+    expected = ApiGatewayResponse(200, "", "POST").create_api_gateway_response()
 
-#     actual = lambda_handler(build_event_from_token(mock_token), None)
+    actual = lambda_handler(build_event_from_token(mock_token), context)
 
-#     assert expected == actual
-#     mock_oidc_service.asset_called_with(mock_token)
-#     mock_dynamo_service.assert_called_with(mock_session_id)
+    assert expected == actual
+    mock_oidc_service.asset_called_with(mock_token)
+    mock_dynamo_service.assert_called_with(mock_session_id)
+
+
+def test_back_channel_logout_handler_missing_jwt_returns_400(mocker, mock_oidc_service, monkeypatch,
+                                                             context):
+    monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
+    mock_token = "mock_token"
+    event = build_event_from_token(mock_token)
+    del(event["body"]["logout_token"])
+    expected = ApiGatewayResponse(400, "An error occurred due to missing key: 'logout_token'",
+                                  "POST").create_api_gateway_response()
+
+    actual = lambda_handler(event, context)
+
+    assert expected == actual
 
 
 # def test_back_channel_logout_handler_jwt_without_session_id_returns_400(mock_oidc_service, monkeypatch):

From 1a85a70dbdae001312a11ed58f2efdfd09b5c87e Mon Sep 17 00:00:00 2001
From: AlexHerbertNHS <alexandra.herbert1@nhs.net>
Date: Thu, 19 Oct 2023 16:29:27 +0100
Subject: [PATCH 25/32] PRMDR-168

All tests uncommented and passing
---
 .../test_back_channel_logout_handler.py       | 84 +++++++++----------
 1 file changed, 42 insertions(+), 42 deletions(-)

diff --git a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
index 90ff19563..296fb3f2c 100644
--- a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
+++ b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
@@ -67,61 +67,61 @@ def test_back_channel_logout_handler_missing_jwt_returns_400(mocker, mock_oidc_s
     assert expected == actual
 
 
-# def test_back_channel_logout_handler_jwt_without_session_id_returns_400(mock_oidc_service, monkeypatch):
-#     monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
-#     mock_token = "mock_token"
-#     mock_session_id = "mock_session_id"
-#     mock_decoded_token = {"not_an_sid": mock_session_id}
-#     mock_oidc_service.return_value = mock_decoded_token
+def test_back_channel_logout_handler_jwt_without_session_id_returns_400(mock_oidc_service, monkeypatch):
+    monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
+    mock_token = "mock_token"
+    mock_session_id = "mock_session_id"
+    mock_decoded_token = {"not_an_sid": mock_session_id}
+    mock_oidc_service.return_value = mock_decoded_token
 
-#     expected = ApiGatewayResponse(
-#         400, """{ "error":"No sid field in decoded token"}""", "POST"
-#     ).create_api_gateway_response()
+    expected = ApiGatewayResponse(
+        400, """{ "error":"No sid field in decoded token"}""", "POST"
+    ).create_api_gateway_response()
 
-#     actual = lambda_handler(build_event_from_token(mock_token), None)
+    actual = lambda_handler(build_event_from_token(mock_token), None)
 
-#     assert expected == actual
-#     mock_oidc_service.asset_called_with(mock_token)
+    assert expected == actual
+    mock_oidc_service.asset_called_with(mock_token)
 
 
-# def test_back_channel_logout_handler_invalid_jwt_returns_400(mock_oidc_service, monkeypatch):
-#     monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
-#     mock_token = "mock_token"
-#     mock_session_id = "mock_session_id"
-#     mock_oidc_service.side_effect = AuthorisationException
+def test_back_channel_logout_handler_invalid_jwt_returns_400(mock_oidc_service, monkeypatch):
+    monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
+    mock_token = "mock_token"
+    mock_session_id = "mock_session_id"
+    mock_oidc_service.side_effect = AuthorisationException
 
-#     expected = ApiGatewayResponse(
-#         400, """{ "error":"JWT was invalid"}""", "POST"
-#     ).create_api_gateway_response()
+    expected = ApiGatewayResponse(
+        400, """{ "error":"JWT was invalid"}""", "POST"
+    ).create_api_gateway_response()
 
-#     actual = lambda_handler(build_event_from_token(mock_token), None)
+    actual = lambda_handler(build_event_from_token(mock_token), None)
 
-#     assert expected == actual
-#     mock_oidc_service.asset_called_with(mock_token)
+    assert expected == actual
+    mock_oidc_service.asset_called_with(mock_token)
 
 
-# def test_back_channel_logout_handler_boto_error_returns_400(mocker, mock_oidc_service, monkeypatch):
-#     monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
-#     mock_token = "mock_token"
-#     mock_session_id = "mock_session_id"
-#     mock_decoded_token = {"sid": mock_session_id}
-#     mock_oidc_service.return_value = mock_decoded_token
-#     mock_dynamo_service = mocker.patch(
-#         "handlers.back_channel_logout_handler.remove_session_from_dynamo_db",
-#         side_effect=ClientError(
-#             {"Error": {"Code": "500", "Message": "mocked error"}}, "test"
-#         ),
-#     )
+def test_back_channel_logout_handler_boto_error_returns_400(mocker, mock_oidc_service, monkeypatch):
+    monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
+    mock_token = "mock_token"
+    mock_session_id = "mock_session_id"
+    mock_decoded_token = {"sid": mock_session_id}
+    mock_oidc_service.return_value = mock_decoded_token
+    mock_dynamo_service = mocker.patch(
+        "handlers.back_channel_logout_handler.remove_session_from_dynamo_db",
+        side_effect=ClientError(
+            {"Error": {"Code": "500", "Message": "mocked error"}}, "test"
+        ),
+    )
 
-#     expected = ApiGatewayResponse(
-#         400, """{ "error":"Internal error logging user out"}""", "POST"
-#     ).create_api_gateway_response()
+    expected = ApiGatewayResponse(
+        400, """{ "error":"Internal error logging user out"}""", "POST"
+    ).create_api_gateway_response()
 
-#     actual = lambda_handler(build_event_from_token(mock_token), None)
+    actual = lambda_handler(build_event_from_token(mock_token), None)
 
-#     assert expected == actual
-#     mock_oidc_service.asset_called_with(mock_token)
-#     mock_dynamo_service.assert_called_with(mock_session_id)
+    assert expected == actual
+    mock_oidc_service.asset_called_with(mock_token)
+    mock_dynamo_service.assert_called_with(mock_session_id)
 
 
 def build_event_from_token(token: str) -> dict:

From 1f8cab17acde20c5b77b3d0c11e0c7240cf156c8 Mon Sep 17 00:00:00 2001
From: AlexHerbertNHS <alexandra.herbert1@nhs.net>
Date: Thu, 19 Oct 2023 16:31:12 +0100
Subject: [PATCH 26/32] PRMDR-168

Removing unused imports and variable
---
 .../tests/unit/handlers/test_back_channel_logout_handler.py   | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
index 296fb3f2c..f2a095b7c 100644
--- a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
+++ b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
@@ -1,11 +1,8 @@
-import json
 from botocore.exceptions import ClientError
 import pytest
 from handlers.back_channel_logout_handler import lambda_handler
 from services.oidc_service import OidcService
 from utils.exceptions import AuthorisationException
-from tests.unit.helpers.ssm_responses import \
-    MOCK_SINGLE_SECURE_STRING_PARAMETER_RESPONSE
 from utils.lambda_response import ApiGatewayResponse
 
 
@@ -87,7 +84,6 @@ def test_back_channel_logout_handler_jwt_without_session_id_returns_400(mock_oid
 def test_back_channel_logout_handler_invalid_jwt_returns_400(mock_oidc_service, monkeypatch):
     monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
     mock_token = "mock_token"
-    mock_session_id = "mock_session_id"
     mock_oidc_service.side_effect = AuthorisationException
 
     expected = ApiGatewayResponse(

From e61a571f57bcd9ebb7377e13cf89e71a935e1724 Mon Sep 17 00:00:00 2001
From: AlexHerbertNHS <alexandra.herbert1@nhs.net>
Date: Thu, 19 Oct 2023 16:40:33 +0100
Subject: [PATCH 27/32] PRMDR-168

Adding debug line for testing
---
 lambdas/handlers/back_channel_logout_handler.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lambdas/handlers/back_channel_logout_handler.py b/lambdas/handlers/back_channel_logout_handler.py
index 4d4b4a9e6..d280445cc 100644
--- a/lambdas/handlers/back_channel_logout_handler.py
+++ b/lambdas/handlers/back_channel_logout_handler.py
@@ -16,6 +16,7 @@
     names=["OIDC_CALLBACK_URL"]
 )
 def lambda_handler(event, context):
+    logger.info(f"event = {event}")
     try:
         token = event["body"]["logout_token"]
     except KeyError as e:

From 0cd1cc8b484171524e544c42e34ba932987b0efd Mon Sep 17 00:00:00 2001
From: AlexHerbertNHS <alexandra.herbert1@nhs.net>
Date: Thu, 19 Oct 2023 16:52:56 +0100
Subject: [PATCH 28/32] PRMDR-168

Fix for event loading using JSON
---
 lambdas/handlers/back_channel_logout_handler.py       |  3 ++-
 .../unit/handlers/test_back_channel_logout_handler.py | 11 ++++++++---
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/lambdas/handlers/back_channel_logout_handler.py b/lambdas/handlers/back_channel_logout_handler.py
index d280445cc..10f28c133 100644
--- a/lambdas/handlers/back_channel_logout_handler.py
+++ b/lambdas/handlers/back_channel_logout_handler.py
@@ -18,7 +18,8 @@
 def lambda_handler(event, context):
     logger.info(f"event = {event}")
     try:
-        token = event["body"]["logout_token"]
+        body = json.loads(event["body"])
+        token = body["logout_token"]
     except KeyError as e:
         return ApiGatewayResponse(400, f"An error occurred due to missing key: {str(e)}",
                                   "POST").create_api_gateway_response()
diff --git a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
index f2a095b7c..b58bc2100 100644
--- a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
+++ b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
@@ -1,3 +1,5 @@
+import json
+
 from botocore.exceptions import ClientError
 import pytest
 from handlers.back_channel_logout_handler import lambda_handler
@@ -54,8 +56,10 @@ def test_back_channel_logout_handler_missing_jwt_returns_400(mocker, mock_oidc_s
                                                              context):
     monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
     mock_token = "mock_token"
-    event = build_event_from_token(mock_token)
-    del(event["body"]["logout_token"])
+    event = {
+        "httpMethod": "POST",
+        "body": "{}"
+    }
     expected = ApiGatewayResponse(400, "An error occurred due to missing key: 'logout_token'",
                                   "POST").create_api_gateway_response()
 
@@ -121,7 +125,8 @@ def test_back_channel_logout_handler_boto_error_returns_400(mocker, mock_oidc_se
 
 
 def build_event_from_token(token: str) -> dict:
+    body_string = {"logout_token": token}
     return {
         "httpMethod": "POST",
-        "body": {"logout_token": token}
+        "body": json.dumps(body_string)
     }

From e1906bbbe83dd1de5b9e850b1b31d218d60fdea6 Mon Sep 17 00:00:00 2001
From: AlexHerbertNHS <alexandra.herbert1@nhs.net>
Date: Fri, 20 Oct 2023 09:13:50 +0100
Subject: [PATCH 29/32] PRMDR-168

Adding _package and it's files to .gitignore
---
 .gitignore | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 234a2f94e..f69a6754d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -96,4 +96,5 @@ node_modules/
 .idea/
 .vscode/
 
-lambdas/tests/unit/helpers/data/pdf/tmp
\ No newline at end of file
+lambdas/tests/unit/helpers/data/pdf/tmp
+/lambdas/package_/

From cc6485c4eb6a25a7facf0613d95b24964bdc7f49 Mon Sep 17 00:00:00 2001
From: AlexHerbertNHS <alexandra.herbert1@nhs.net>
Date: Fri, 20 Oct 2023 10:03:10 +0100
Subject: [PATCH 30/32] PRMDR-168

ensuring AUTH_DYNAMODB_NAME variable exists before processing
---
 lambdas/handlers/back_channel_logout_handler.py             | 2 +-
 .../tests/unit/handlers/test_back_channel_logout_handler.py | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/lambdas/handlers/back_channel_logout_handler.py b/lambdas/handlers/back_channel_logout_handler.py
index 10f28c133..0a1f7f332 100644
--- a/lambdas/handlers/back_channel_logout_handler.py
+++ b/lambdas/handlers/back_channel_logout_handler.py
@@ -13,7 +13,7 @@
 
 
 @ensure_environment_variables(
-    names=["OIDC_CALLBACK_URL"]
+    names=["OIDC_CALLBACK_URL", "AUTH_DYNAMODB_NAME"]
 )
 def lambda_handler(event, context):
     logger.info(f"event = {event}")
diff --git a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
index b58bc2100..0f8b86446 100644
--- a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
+++ b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
@@ -35,6 +35,7 @@ def test_returns_500_when_env_vars_not_set():
 def test_back_channel_logout_handler_valid_jwt_returns_200_if_session_exists(mocker, mock_oidc_service, monkeypatch,
                                                                              context):
     monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
+    monkeypatch.setenv("AUTH_DYNAMODB_NAME", "mock_dynamo_name")
     mock_token = "mock_token"
     mock_session_id = "mock_session_id"
     mock_decoded_token = {"sid": mock_session_id}
@@ -55,7 +56,7 @@ def test_back_channel_logout_handler_valid_jwt_returns_200_if_session_exists(moc
 def test_back_channel_logout_handler_missing_jwt_returns_400(mocker, mock_oidc_service, monkeypatch,
                                                              context):
     monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
-    mock_token = "mock_token"
+    monkeypatch.setenv("AUTH_DYNAMODB_NAME", "mock_dynamo_name")
     event = {
         "httpMethod": "POST",
         "body": "{}"
@@ -70,6 +71,7 @@ def test_back_channel_logout_handler_missing_jwt_returns_400(mocker, mock_oidc_s
 
 def test_back_channel_logout_handler_jwt_without_session_id_returns_400(mock_oidc_service, monkeypatch):
     monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
+    monkeypatch.setenv("AUTH_DYNAMODB_NAME", "mock_dynamo_name")
     mock_token = "mock_token"
     mock_session_id = "mock_session_id"
     mock_decoded_token = {"not_an_sid": mock_session_id}
@@ -87,6 +89,7 @@ def test_back_channel_logout_handler_jwt_without_session_id_returns_400(mock_oid
 
 def test_back_channel_logout_handler_invalid_jwt_returns_400(mock_oidc_service, monkeypatch):
     monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
+    monkeypatch.setenv("AUTH_DYNAMODB_NAME", "mock_dynamo_name")
     mock_token = "mock_token"
     mock_oidc_service.side_effect = AuthorisationException
 
@@ -102,6 +105,7 @@ def test_back_channel_logout_handler_invalid_jwt_returns_400(mock_oidc_service,
 
 def test_back_channel_logout_handler_boto_error_returns_400(mocker, mock_oidc_service, monkeypatch):
     monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
+    monkeypatch.setenv("AUTH_DYNAMODB_NAME", "mock_dynamo_name")
     mock_token = "mock_token"
     mock_session_id = "mock_session_id"
     mock_decoded_token = {"sid": mock_session_id}

From 99c98ac6fde8b7d9083308eddb695362dac8cbd7 Mon Sep 17 00:00:00 2001
From: AlexHerbertNHS <alexandra.herbert1@nhs.net>
Date: Fri, 20 Oct 2023 10:04:24 +0100
Subject: [PATCH 31/32] PRMDR-168

Changing internal eror code to 500 from 400
---
 lambdas/handlers/back_channel_logout_handler.py               | 2 +-
 .../tests/unit/handlers/test_back_channel_logout_handler.py   | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/lambdas/handlers/back_channel_logout_handler.py b/lambdas/handlers/back_channel_logout_handler.py
index 0a1f7f332..bfa6504f7 100644
--- a/lambdas/handlers/back_channel_logout_handler.py
+++ b/lambdas/handlers/back_channel_logout_handler.py
@@ -37,7 +37,7 @@ def logout_handler(token):
     except ClientError as e:
         logger.error(f"Error logging out user: {e}")
         return ApiGatewayResponse(
-            400, """{ "error":"Internal error logging user out"}""", "POST"
+            500, """{ "error":"Internal error logging user out"}""", "POST"
         ).create_api_gateway_response()
     except AuthorisationException as e:
         logger.error(f"error while decoding JWT: {e}")
diff --git a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
index 0f8b86446..912f82b4d 100644
--- a/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
+++ b/lambdas/tests/unit/handlers/test_back_channel_logout_handler.py
@@ -103,7 +103,7 @@ def test_back_channel_logout_handler_invalid_jwt_returns_400(mock_oidc_service,
     mock_oidc_service.asset_called_with(mock_token)
 
 
-def test_back_channel_logout_handler_boto_error_returns_400(mocker, mock_oidc_service, monkeypatch):
+def test_back_channel_logout_handler_boto_error_returns_500(mocker, mock_oidc_service, monkeypatch):
     monkeypatch.setenv("OIDC_CALLBACK_URL", "mock_url")
     monkeypatch.setenv("AUTH_DYNAMODB_NAME", "mock_dynamo_name")
     mock_token = "mock_token"
@@ -118,7 +118,7 @@ def test_back_channel_logout_handler_boto_error_returns_400(mocker, mock_oidc_se
     )
 
     expected = ApiGatewayResponse(
-        400, """{ "error":"Internal error logging user out"}""", "POST"
+        500, """{ "error":"Internal error logging user out"}""", "POST"
     ).create_api_gateway_response()
 
     actual = lambda_handler(build_event_from_token(mock_token), None)

From 8df53f508efc59ebc427e73b71433e456d9c09e6 Mon Sep 17 00:00:00 2001
From: AlexHerbertNHS <alexandra.herbert1@nhs.net>
Date: Fri, 20 Oct 2023 11:03:02 +0100
Subject: [PATCH 32/32] PRMDR-168

Fix for deploying as a part of pull request
---
 .github/workflows/lambdas-dev-to-main-ci.yml | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/lambdas-dev-to-main-ci.yml b/.github/workflows/lambdas-dev-to-main-ci.yml
index f8fcb1654..d1e786b0b 100644
--- a/.github/workflows/lambdas-dev-to-main-ci.yml
+++ b/.github/workflows/lambdas-dev-to-main-ci.yml
@@ -36,6 +36,7 @@ jobs:
       logout_changed: ${{steps.filter.outputs.logout}}
       lloyd_george_stitch_changed: ${{steps.filter.outputs.lloyd_george_stitch}}
       bulk_upload_metadata_changed: ${{steps.filter.outputs.bulk_upload_metadata}}
+      back_channel_logout_changed: ${{steps.filter.outputs.back_channel_logout}}
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -73,6 +74,8 @@ jobs:
               - 'lambdas/handlers/lloyd_george_record_stitch_handler.py'
             bulk_upload_metadata:
               - 'lambdas/handlers/bulk_upload_metadata_handler.py'
+            back_channel_logout:
+              - 'lambdas/handlers/back_channel_logout_handler.py'
 
   python_lambdas_test:
     runs-on: ubuntu-latest
@@ -582,7 +585,15 @@ jobs:
   python_deploy_back_channel_logout_lambda:
     runs-on: ubuntu-latest
     environment: development
-    needs: ["python_lambdas_test"]
+    needs: ["python_lambdas_test", "identify_changed_functions"]
+    if: |
+      (github.ref == 'refs/heads/main') 
+        && (needs.identify_changed_functions.outputs.utils_changed == 'true'
+          || needs.identify_changed_functions.outputs.enums_changed == 'true'
+          || needs.identify_changed_functions.outputs.services_changed == 'true' 
+          || needs.identify_changed_functions.outputs.models_changed == 'true' 
+          || needs.identify_changed_functions.outputs.back_channel_logout_changed == 'true'
+          )
     strategy:
       matrix:
         python-version: ["3.11"]
@@ -615,5 +626,5 @@ jobs:
         uses: appleboy/lambda-action@master
         with:
           aws_region: ${{ vars.AWS_REGION }}
-          function_name: ${{ github.event.inputs.sandboxWorkspace}}_BackChannelLogoutHandler
+          function_name: ${{ vars.BUILD_ENV}}_BackChannelLogoutHandler
           zip_file: package_lambdas_back_channel_logout_handler.zip