AUT-3754: Make blocking code async

- nonce generation
- session ID generation

Both "inspired" by changes in ipv-core-front

@types/express/index.d.ts

@@ -7,5 +7,6 @@ declare namespace Express {
     t: TFunction;
     csrfToken?: () => string;
     log: pino.Logger;
+    generatedSessionId?: string;
   }
 }

package.json

@@ -100,6 +100,7 @@
     "qrcode": "^1.5.0",
     "redis": "^4.6.13",
     "uglify-js": "^3.14.5",
+    "uid-safe": "^2.1.5",
     "uuid": "^11.0.2",
     "xss": "^1.0.10",
     "xstate": "^4.26.1"
@@ -125,6 +126,7 @@
     "@types/sinon": "^17.0.3",
     "@types/sinon-chai": "^3.2.8",
     "@types/supertest": "^6.0.2",
+    "@types/uid-safe": "^2.1.5",
     "@typescript-eslint/eslint-plugin": "^8.13.0",
     "@typescript-eslint/parser": "^8.13.0",
     "chai": "^4.3.6",

src/app.ts

@@ -101,6 +101,8 @@ import { Server } from "node:http";
 import { getAnalyticsPropertiesMiddleware } from "./middleware/get-analytics-properties-middleware";
 import { ipvCallbackRouter } from "./components/ipv-callback/ipv-callback-routes";
 import { mfaResetWithIpvRouter } from "./components/mfa-reset-with-ipv/mfa-reset-with-ipv-routes";
+import { asyncHandler } from "./utils/async";
+import UID from "uid-safe";
 
 const APP_VIEWS = [
   path.join(__dirname, "components"),
@@ -185,7 +187,7 @@ async function createApp(): Promise<express.Application> {
 
   app.use("/public", express.static(path.join(__dirname, "public")));
   app.set("view engine", configureNunjucks(app, APP_VIEWS));
-  app.use(setLocalVarsMiddleware);
+  app.use(asyncHandler(setLocalVarsMiddleware));
   app.use(setGTM);
 
   await i18next
@@ -200,9 +202,24 @@ async function createApp(): Promise<express.Application> {
   app.use(i18nextMiddleware.handle(i18next));
   app.use(helmet(helmetConfiguration));
 
+  app.use(cookieParser());
+
+  const SESSION_COOKIE_NAME = "aps";
+  // Generate a new session ID asynchronously if no session cookie
+  // `express-session` does not support async session ID generation
+  // https://github.com/expressjs/session/issues/107
+  app.use(
+    asyncHandler(async (req, res, next) => {
+      if (!req.cookies?.[SESSION_COOKIE_NAME]) {
+        req.generatedSessionId = await UID(24);
+      }
+      next();
+    })
+  );
+
   app.use(
     session({
-      name: "aps",
+      name: SESSION_COOKIE_NAME,
       store: getSessionStore(await getRedisConfig()),
       saveUninitialized: false,
       secret: getSessionSecret(),
@@ -213,10 +230,15 @@ async function createApp(): Promise<express.Application> {
         getSessionExpiry(),
         getSessionSecret()
       ),
+      // Use the newly generated session ID, or fall back to the default behaviour
+      genid: (req) => {
+        const sessionId = req.generatedSessionId || UID.sync(24);
+        delete req.generatedSessionId;
+        return sessionId;
+      },
     })
   );
 
-  app.use(cookieParser());
   app.use(csurf({ cookie: getCSRFCookieOptions(isProduction) }));
 
   app.use(channelMiddleware);

src/middleware/set-local-vars-middleware.ts

@@ -7,13 +7,13 @@ import {
 } from "../config";
 import { generateNonce } from "../utils/strings";
 
-export function setLocalVarsMiddleware(
+export async function setLocalVarsMiddleware(
   req: Request,
   res: Response,
   next: NextFunction
-): void {
+): Promise<void> {
   res.locals.gtmId = getGtmId();
-  res.locals.scriptNonce = generateNonce();
+  res.locals.scriptNonce = await generateNonce();
   res.locals.accountManagementUrl = getAccountManagementUrl();
   res.locals.analyticsCookieDomain = getAnalyticsCookieDomain();
   res.locals.languageToggleEnabled = getLanguageToggleEnabled();

src/utils/strings.ts

@@ -1,4 +1,5 @@
 import { randomBytes } from "crypto";
+import { promisify } from "util";
 import xss from "xss";
 
 export function containsNumber(value: string): boolean {
@@ -13,8 +14,10 @@ export function redactPhoneNumber(value: string): string | undefined {
   return value ? value.trim().slice(value.length - 4) : undefined;
 }
 
-export function generateNonce(): string {
-  return randomBytes(16).toString("hex");
+const asyncRandomBytes = promisify(randomBytes);
+
+export async function generateNonce(): Promise<string> {
+  return (await asyncRandomBytes(16)).toString("hex");
 }
 
 export function sanitize(value: string): string {

yarn.lock

@@ -2084,6 +2084,11 @@
   resolved "https://registry.yarnpkg.com/@types/trusted-types/-/trusted-types-2.0.7.tgz#baccb07a970b91707df3a3e8ba6896c57ead2d11"
   integrity sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==
 
+"@types/uid-safe@^2.1.5":
+  version "2.1.5"
+  resolved "https://registry.yarnpkg.com/@types/uid-safe/-/uid-safe-2.1.5.tgz#32b27c6f1a9022a29762cf7c4350891dd7b154e2"
+  integrity sha512-RwEfbxqXKEay2b5p8QQVllfnMbVPUZChiKKZ2M6+OSRRmvr4HTCCUZTWhr/QlmrMnNE0ViNBBbP1+5plF9OGRw==
+
 "@types/uuid@^9.0.1":
   version "9.0.8"
   resolved "https://registry.yarnpkg.com/@types/uuid/-/uuid-9.0.8.tgz#7545ba4fc3c003d6c756f651f3bf163d8f0f29ba"
@@ -6591,7 +6596,7 @@ uglify-js@^3.14.5:
   resolved "https://registry.yarnpkg.com/uglify-js/-/uglify-js-3.19.3.tgz#82315e9bbc6f2b25888858acd1fff8441035b77f"
   integrity sha512-v3Xu+yuwBXisp6QYTcH4UbH+xYJXqnq2m/LtQVWKWzYc1iehYnLixoQDN9FH6/j9/oybfd6W9Ghwkl8+UMKTKQ==
 
-[email protected], uid-safe@~2.1.5:
+[email protected], uid-safe@^2.1.5, uid-safe@~2.1.5:
   version "2.1.5"
   resolved "https://registry.npmjs.org/uid-safe/-/uid-safe-2.1.5.tgz"
   integrity sha512-KPHm4VL5dDXKz01UuEd88Df+KzynaohSL9fBh096KWAxSKZQDI2uBrVqtvRM4rwrIrRRKsdLNML/lnaaVSRioA==