Feature/cypress test auth (#81)

* Updated API package reference

---------

Co-authored-by: FrostyApeOne <Farshad.DASHTI@EDUCATION.GOV.UK>

Author: FrostyApeOne

src/DfE.ExternalApplications.Application/DfE.ExternalApplications.Application.csproj

@@ -8,7 +8,7 @@
 
   <ItemGroup>
     <PackageReference Include="GovUK.Dfe.CoreLibs.Notifications" Version="0.1.5" />
-    <PackageReference Include="GovUK.Dfe.ExternalApplications.Api.Client" Version="0.1.28" />
+    <PackageReference Include="GovUK.Dfe.ExternalApplications.Api.Client" Version="0.1.29" />
     <PackageReference Include="Microsoft.AspNetCore.Http.Features" Version="2.3.0" />
     <PackageReference Include="Microsoft.AspNetCore.Mvc.Abstractions" Version="2.3.0" />
   </ItemGroup>

src/DfE.ExternalApplications.Web/Authentication/TestAuthenticationHandler.cs

@@ -3,6 +3,7 @@
 using System.Security.Claims;
 using System.Text.Encodings.Web;
 using System.Diagnostics.CodeAnalysis;
+using DfE.ExternalApplications.Web.Services;
 
 namespace DfE.ExternalApplications.Web.Authentication;
 
@@ -11,6 +12,8 @@ public class TestAuthenticationHandler : AuthenticationHandler<TestAuthenticatio
 {
     public const string SchemeName = "TestAuthentication";
 
+    private readonly ICypressAuthenticationService _cypressAuthService;
+    
     private static class SessionKeys
     {
         public const string Email = "TestAuth:Email";
@@ -27,13 +30,21 @@ public TestAuthenticationHandler(
         IOptionsMonitor<TestAuthenticationSchemeOptions> options,
         ILoggerFactory logger,
         UrlEncoder encoder,
-        ISystemClock clock)
+        ISystemClock clock,
+        ICypressAuthenticationService cypressAuthService)
         : base(options, logger, encoder, clock)
     {
+        _cypressAuthService = cypressAuthService;
     }
 
     protected override Task<AuthenticateResult> HandleAuthenticateAsync()
     {
+        // Check if test authentication should be enabled (either globally or via Cypress)
+        if (!_cypressAuthService.ShouldEnableTestAuthentication(Context))
+        {
+            return Task.FromResult(AuthenticateResult.NoResult());
+        }
+
         var requestPath = Context.Request.Path;
 
 

src/DfE.ExternalApplications.Web/Pages/TestLogin.cshtml.cs

@@ -13,8 +13,10 @@ namespace DfE.ExternalApplications.Web.Pages;
 [AllowAnonymous]
 public class TestLoginModel : PageModel
 {
+    private readonly IConfiguration _configuration;
     private readonly TestAuthenticationOptions _testAuthOptions;
     private readonly ITestAuthenticationService _testAuthenticationService;
+    private readonly ICypressAuthenticationService _cypressAuthService;
 
     [BindProperty]
     public InputModel Input { get; set; } = new();
@@ -25,17 +27,21 @@ public class TestLoginModel : PageModel
     public string? ErrorMessage { get; set; }
 
     public TestLoginModel(
+        IConfiguration configuration,
         IOptions<TestAuthenticationOptions> testAuthOptions,
-        ITestAuthenticationService testAuthenticationService)
+        ITestAuthenticationService testAuthenticationService,
+        ICypressAuthenticationService cypressAuthService)
     {
+        _configuration = configuration;
         _testAuthOptions = testAuthOptions.Value;
         _testAuthenticationService = testAuthenticationService;
+        _cypressAuthService = cypressAuthService;
     }
 
     public IActionResult OnGet()
     {
-        // Only allow access if test authentication is enabled
-        if (!_testAuthOptions.Enabled)
+        // Allow access if test authentication is enabled OR Cypress toggle is enabled
+        if (!_cypressAuthService.ShouldEnableTestAuthentication(HttpContext))
         {
             return NotFound();
         }
@@ -45,8 +51,8 @@ public IActionResult OnGet()
 
     public async Task<IActionResult> OnPostAsync()
     {
-        // Only allow access if test authentication is enabled
-        if (!_testAuthOptions.Enabled)
+        // Allow access if test authentication is enabled OR Cypress toggle is enabled
+        if (!_cypressAuthService.ShouldEnableTestAuthentication(HttpContext))
         {
             return NotFound();
         }

src/DfE.ExternalApplications.Web/Program.cs

@@ -27,6 +27,7 @@
 using System.Diagnostics.CodeAnalysis;
 using GovUK.Dfe.CoreLibs.Security.TokenRefresh.Extensions;
 using System.IO.Compression;
+using Microsoft.AspNetCore.Authentication;
 
 var builder = WebApplication.CreateBuilder(args);
 
@@ -61,6 +62,9 @@
     options.ValueCountLimit = 1000; // Allow more form values
 });
 
+// Check if Cypress toggle is allowed (for shared dev/test environments)
+var allowCypressToggle = configuration.GetValue<bool>("CypressAuthentication:AllowToggle");
+
 builder.Services.AddRazorPages(options =>
 {
     options.Conventions.ConfigureFilter(new ExternalApiPageExceptionFilter());
@@ -69,8 +73,8 @@
     options.Conventions.AllowAnonymousToPage("/Index");
     options.Conventions.AllowAnonymousToPage("/Logout");
 
-    // Allow anonymous access to test login page when test auth is enabled
-    if (isTestAuthEnabled)
+    // Allow anonymous access to test login page when test auth is enabled OR Cypress toggle is allowed
+    if (isTestAuthEnabled || allowCypressToggle)
     {
         options.Conventions.AllowAnonymousToPage("/TestLogin");
         options.Conventions.AllowAnonymousToPage("/TestLogout");
@@ -88,6 +92,10 @@
 
 builder.Services.AddHttpContextAccessor();
 
+// Register Cypress authentication services using CoreLibs pattern
+builder.Services.AddScoped<ICustomRequestChecker, ExternalAppsCypressRequestChecker>();
+builder.Services.AddScoped<ICypressAuthenticationService, CypressAuthenticationService>();
+
 // Add confirmation interceptor filter globally for all MVC actions
 builder.Services.Configure<Microsoft.AspNetCore.Mvc.MvcOptions>(options =>
 {
@@ -112,32 +120,17 @@
 
 builder.Services.Configure<TokenRefreshSettings>(configuration.GetSection("TokenRefresh"));
 
-// Configure authentication based on test mode
-if (isTestAuthEnabled)
-{
-    builder.Services.AddAuthentication(options =>
-    {
-        options.DefaultScheme = TestAuthenticationHandler.SchemeName;
-        options.DefaultChallengeScheme = TestAuthenticationHandler.SchemeName;
-        options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
-        options.DefaultSignOutScheme = CookieAuthenticationDefaults.AuthenticationScheme;
-    })
+// Register both schemes once, and use a dynamic scheme provider to pick per-request
+builder.Services
+    .AddAuthentication()
     .AddCookie()
+    .AddCustomOpenIdConnect(configuration, sectionName: "DfESignIn")
     .AddScheme<TestAuthenticationSchemeOptions, TestAuthenticationHandler>(
-        TestAuthenticationHandler.SchemeName, 
+        TestAuthenticationHandler.SchemeName,
         options => { });
-}
-else
-{
-    builder.Services.AddAuthentication(options =>
-    {
-        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
-        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
-        options.DefaultSignOutScheme = OpenIdConnectDefaults.AuthenticationScheme;
-    })
-    .AddCookie()
-    .AddCustomOpenIdConnect(configuration, sectionName: "DfESignIn");
-}
+
+// Replace default scheme provider with dynamic provider
+builder.Services.AddSingleton<IAuthenticationSchemeProvider, DynamicAuthenticationSchemeProvider>();
 
 builder.Services
     .AddApplicationAuthorization(
@@ -161,18 +154,10 @@
 
 builder.Services.AddExternalApplicationsApiClients(configuration);
 
-// Register authentication strategies in consuming app (Clean Architecture)
-// These were moved out of the library to remove coupling
-if (isTestAuthEnabled)
-{
-    // Register TestAuthenticationStrategy when test auth is enabled
-    builder.Services.AddScoped<IAuthenticationSchemeStrategy, TestAuthenticationStrategy>();
-}
-else
-{
-    // Register OidcAuthenticationStrategy when OIDC is enabled
-    builder.Services.AddScoped<IAuthenticationSchemeStrategy, OidcAuthenticationStrategy>();
-}
+// Register authentication strategies and composite selector (per-request)
+builder.Services.AddScoped<OidcAuthenticationStrategy>();
+builder.Services.AddScoped<TestAuthenticationStrategy>();
+builder.Services.AddScoped<IAuthenticationSchemeStrategy, CompositeAuthenticationSchemeStrategy>();
 
 builder.Services.AddGovUkFrontend(options => options.Rebrand = true);
 builder.Services.AddSingleton<IActionContextAccessor, ActionContextAccessor>();
@@ -206,10 +191,8 @@
 
 builder.Services.AddSingleton<ITemplateStore, ApiTemplateStore>();
 
- 
-
-// Add test token handler and services when test authentication is enabled
-if (isTestAuthEnabled)
+// Add test token handler and services when test authentication or Cypress is enabled
+if (isTestAuthEnabled || allowCypressToggle)
 {
     builder.Services.AddUserTokenService(configuration);
     builder.Services.AddScoped<ITestAuthenticationService, TestAuthenticationService>();
@@ -273,4 +256,4 @@
 
 
 [ExcludeFromCodeCoverage]
-public static partial class Program { }
+public static partial class Program { }

src/DfE.ExternalApplications.Web/Security/CompositeAuthenticationSchemeStrategy.cs

@@ -0,0 +1,60 @@
+using GovUK.Dfe.CoreLibs.Security.Configurations;
+using GovUK.Dfe.CoreLibs.Security.Interfaces;
+using GovUK.Dfe.ExternalApplications.Api.Client.Security;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Options;
+
+namespace DfE.ExternalApplications.Web.Security;
+
+/// <summary>
+/// Chooses the appropriate authentication strategy per-request.
+/// - TestAuth when globally enabled or the request is a valid Cypress request (and toggle allowed)
+/// - OIDC otherwise
+/// </summary>
+public class CompositeAuthenticationSchemeStrategy(
+    ILogger<CompositeAuthenticationSchemeStrategy> logger,
+    IHttpContextAccessor httpContextAccessor,
+    IOptions<TestAuthenticationOptions> testAuthOptions,
+    IConfiguration configuration,
+    OidcAuthenticationStrategy oidcStrategy,
+    TestAuthenticationStrategy testStrategy,
+    ICustomRequestChecker? requestChecker = null) : IAuthenticationSchemeStrategy
+{
+    private bool IsTestEnabled() => testAuthOptions.Value.Enabled;
+    private bool AllowToggle() => configuration.GetValue<bool>("CypressAuthentication:AllowToggle");
+
+    private bool IsCypressRequest()
+    {
+        var ctx = httpContextAccessor.HttpContext;
+        if (ctx == null || !AllowToggle()) return false;
+        // Request checker may be null in some DI graphs; treat as not Cypress in that case
+        return requestChecker != null && requestChecker.IsValidRequest(ctx);
+    }
+
+    private IAuthenticationSchemeStrategy Select()
+    {
+        if (IsTestEnabled() || IsCypressRequest())
+        {
+            return testStrategy;
+        }
+        return oidcStrategy;
+    }
+
+    public string SchemeName => Select().SchemeName;
+
+    public Task<TokenInfo> GetExternalIdpTokenAsync(HttpContext context)
+        => Select().GetExternalIdpTokenAsync(context);
+
+    public Task<bool> CanRefreshTokenAsync(HttpContext context)
+        => Select().CanRefreshTokenAsync(context);
+
+    public Task<bool> RefreshExternalIdpTokenAsync(HttpContext context)
+        => Select().RefreshExternalIdpTokenAsync(context);
+
+    public string? GetUserId(HttpContext context)
+        => Select().GetUserId(context);
+}
+
+

src/DfE.ExternalApplications.Web/Security/DynamicAuthenticationSchemeProvider.cs

@@ -0,0 +1,88 @@
+using DfE.ExternalApplications.Web.Authentication;
+using GovUK.Dfe.CoreLibs.Security.Configurations;
+using GovUK.Dfe.CoreLibs.Security.Interfaces;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Options;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace DfE.ExternalApplications.Web.Security;
+
+/// <summary>
+/// Selects the active authentication scheme per request.
+/// - If TestAuthentication.Enabled is true, uses Test scheme for all.
+/// - Else if AllowToggle is true AND request is from Cypress, uses Test scheme.
+/// - Otherwise uses OIDC (Cookies + OIDC challenge/sign-out).
+/// </summary>
+public class DynamicAuthenticationSchemeProvider(
+    IOptions<AuthenticationOptions> options,
+    IHttpContextAccessor httpContextAccessor,
+    IOptions<TestAuthenticationOptions> testAuthOptions,
+    IConfiguration configuration)
+    : AuthenticationSchemeProvider(options)
+{
+    private bool IsTestAuthGloballyEnabled()
+    {
+        return testAuthOptions.Value.Enabled;
+    }
+
+    private bool IsCypressToggleAllowed()
+    {
+        return configuration.GetValue<bool>("CypressAuthentication:AllowToggle");
+    }
+
+    private bool IsCypressRequest()
+    {
+        var httpContext = httpContextAccessor.HttpContext;
+        if (httpContext == null) return false;
+        if (!IsCypressToggleAllowed()) return false;
+        var checker = httpContext.RequestServices.GetService<ICustomRequestChecker>();
+        return checker != null && checker.IsValidRequest(httpContext);
+    }
+
+    public override Task<AuthenticationScheme?> GetDefaultAuthenticateSchemeAsync()
+    {
+        if (IsTestAuthGloballyEnabled() || IsCypressRequest())
+        {
+            return GetSchemeAsync(TestAuthenticationHandler.SchemeName);
+        }
+        return GetSchemeAsync(CookieAuthenticationDefaults.AuthenticationScheme);
+    }
+
+    public override Task<AuthenticationScheme?> GetDefaultChallengeSchemeAsync()
+    {
+        if (IsTestAuthGloballyEnabled() || IsCypressRequest())
+        {
+            return GetSchemeAsync(TestAuthenticationHandler.SchemeName);
+        }
+        return GetSchemeAsync(OpenIdConnectDefaults.AuthenticationScheme);
+    }
+
+    public override Task<AuthenticationScheme?> GetDefaultForbidSchemeAsync()
+    {
+        // Match challenge behaviour
+        return GetDefaultChallengeSchemeAsync();
+    }
+
+    public override Task<AuthenticationScheme?> GetDefaultSignInSchemeAsync()
+    {
+        // Always use Cookies for sign-in
+        return GetSchemeAsync(CookieAuthenticationDefaults.AuthenticationScheme);
+    }
+
+    public override Task<AuthenticationScheme?> GetDefaultSignOutSchemeAsync()
+    {
+        if (IsTestAuthGloballyEnabled() || IsCypressRequest())
+        {
+            // Test auth signs out cookies only
+            return GetSchemeAsync(CookieAuthenticationDefaults.AuthenticationScheme);
+        }
+        // OIDC sign-out triggers federated sign-out
+        return GetSchemeAsync(OpenIdConnectDefaults.AuthenticationScheme);
+    }
+}
+
+