[Spike] Skip start page, redirect users to ID

Redirects users to the location returned by the OmniAuth request phase call to the identity service. Checks that this redirect is a valid identity service URL. Renders the existing start page if Faraday encounters an error when making the call.
DFE-Digital · Dec 5, 2023 · 7f091fb · 7f091fb
1 parent 170a13c
commit 7f091fb
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 1 deletion.
diff --git a/app/controllers/qualifications/starts_controller.rb b/app/controllers/qualifications/starts_controller.rb
@@ -2,8 +2,41 @@ module Qualifications
   class StartsController < QualificationsInterfaceController
     skip_before_action :authenticate_user!
     skip_before_action :handle_expired_token!
+    around_action :skip_omniauth_request_validation_phase, only: :show
 
     def show
+      @identity_service_response = Faraday.post(identity_service_auth_url)
+      redirect_to_identity_service and return if redirect_present?
+    rescue Faraday::Error
+      render :show
+    end
+
+  private
+
+    # Check that the response headers contain a redirect to the identity service
+    def redirect_present?
+      @identity_service_response.status == 302 &&
+        @identity_service_response.headers["location"]&.starts_with?(ENV["IDENTITY_API_DOMAIN"])
+    end
+
+    def redirect_to_identity_service
+      redirect_to(@identity_service_response.headers["location"], allow_other_host: true)
+    end
+
+    def identity_service_auth_url
+      %(#{ENV["HOSTING_DOMAIN"]}/qualifications/users/auth/identity?trn_token=#{params[:trn_token]})
+    end
+
+    # OmniAuth will default to validating the request using CSRF protection
+    # which is necessary when the request is sent from a browser.
+    # In this case, the request is sent from an action with limited parameters
+    # so CSRF protection is not necessary.
+    def skip_omniauth_request_validation_phase
+      request_validation_phase = OmniAuth.config.request_validation_phase
+      OmniAuth.config.request_validation_phase = nil
+      yield
+    ensure
+      OmniAuth.config.request_validation_phase = request_validation_phase
     end
   end
 end
diff --git a/spec/rails_helper.rb b/spec/rails_helper.rb
@@ -14,7 +14,7 @@
 require "dfe/analytics/testing"
 require "dfe/analytics/rspec/matchers"
 
-WebMock.disable_net_connect!(allow_localhost: true)
+WebMock.disable_net_connect!(allow_localhost: true, allow: "http://qualifications.localhost")
 
 Capybara.register_driver(:cuprite) do |app|
   Capybara::Cuprite::Driver.new(app, timeout: 10, process_timeout: 30, window_size: [1200, 800])