ATO-1321: Handle null internalCommonSubectId

We've noticed during previous work[1] that sometimes a user can end up at arbitrary points in a journey where specific fields on their session are not defined through, This commit intends to handle that more gracefully by checking the null-ness of the internalCommon subjectId before using it as a key to query AuthUserInfo. [1]-#5730
govuk-one-login · Feb 4, 2025 · 5a266cf · 5a266cf
1 parent d8577b0
commit 5a266cf
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/...pi/src/main/java/uk/gov/di/authentication/ipv/lambda/IdentityProgressFrontendHandler.java b/...pi/src/main/java/uk/gov/di/authentication/ipv/lambda/IdentityProgressFrontendHandler.java
@@ -102,6 +102,11 @@ public APIGatewayProxyResponseEvent handleRequestWithUserSession(
             }
 
             UserInfo userInfo;
+
+            if (Objects.isNull(internalCommonSubjectIdentifier)) {
+                LOG.warn("InternalCommonSubjectId is null on orch session");
+                return generateApiGatewayProxyErrorResponse(400, ErrorResponse.ERROR_1000);
+            }
             try {
                 Optional<UserInfo> userInfoFromStorage =
                         userInfoStorageService.getAuthenticationUserInfo(

diff --git a/...rc/test/java/uk/gov/di/authentication/ipv/lambda/IdentityProgressFrontendHandlerTest.java b/...rc/test/java/uk/gov/di/authentication/ipv/lambda/IdentityProgressFrontendHandlerTest.java
@@ -143,6 +143,23 @@ void shouldReturnErrorIfOrchSessionIsNotFound() throws Json.JsonException {
         verifyNoInteractions(cloudwatchMetricsService, auditService);
     }
 
+    @Test
+    void shouldReturnErrorWhenInternalCommonSubjectIdIsNullOnOrchSession()
+            throws Json.JsonException {
+        when(sessionService.getSession(anyString())).thenReturn(Optional.of(session));
+        when(orchSessionService.getSession(anyString()))
+                .thenReturn(
+                        Optional.of(
+                                new OrchSessionItem(SESSION_ID).withInternalCommonSubjectId(null)));
+        when(clientSessionService.getClientSession(any()))
+                .thenReturn(Optional.of(getClientSession()));
+        var result = handler.handleRequest(event, context);
+
+        assertThat(result, hasStatus(400));
+        assertThat(result, hasBody(objectMapper.writeValueAsString(ErrorResponse.ERROR_1000)));
+        verifyNoInteractions(cloudwatchMetricsService, auditService);
+    }
+
     @Test
     void shouldReturnCOMPLETEDStatusWhenIdentityCredentialIsPresent() throws Json.JsonException {
         usingValidSession();