Enable and config authentication as default

app/plugins/auth.plugin.js

@@ -50,6 +50,9 @@ const AuthPlugin = {
         return AuthService.go(session.userId)
       }
     })
+    // NOTE: This defaults Hapi to authenticate all routes. If a route, for example `/status`, does not require
+    // authentication `options.auth: false` should be set in the route's config.
+    server.auth.default('session')
   }
 }
 

app/routes/assets.routes.js

@@ -6,6 +6,12 @@ const routes = [
     path: '/assets/all.js',
     handler: {
       file: 'node_modules/govuk-frontend/govuk/all.js'
+    },
+    options: {
+      app: {
+        plainOutput: true
+      },
+      auth: false
     }
   }, {
     method: 'GET',
@@ -18,6 +24,12 @@ const routes = [
           'node_modules/govuk-frontend/govuk/assets'
         ]
       }
+    },
+    options: {
+      app: {
+        plainOutput: true
+      },
+      auth: false
     }
   }
 ]

app/routes/bill-runs.routes.js

@@ -8,10 +8,15 @@ const routes = [
     path: '/bill-runs',
     handler: BillRunsController.create,
     options: {
-      description: 'Used to create a bill run',
       app: {
         plainOutput: true
-      }
+      },
+      auth: {
+        access: {
+          scope: ['billing']
+        }
+      },
+      description: 'Used to create a bill run'
     }
   }
 ]

app/routes/billing-accounts.routes.js

@@ -8,10 +8,15 @@ const routes = [
     path: '/billing-accounts/{invoiceAccountId}/change-address',
     handler: BillingAccountsController.changeAddress,
     options: {
-      description: 'Used updating a billing account with a new address',
       app: {
         plainOutput: true
-      }
+      },
+      auth: {
+        access: {
+          scope: ['manage_billing_accounts']
+        }
+      },
+      description: 'Used updating a billing account with a new address'
     }
   }
 ]

app/routes/charge-elements.routes.js

@@ -8,10 +8,11 @@ const routes = [
     path: '/charge-elements/time-limited',
     handler: ChargeElementsController.timeLimited,
     options: {
-      description: 'Puts a licence into workflow when a charge element has a `timeLimitedEndDate` which is < 50 days away',
       app: {
         plainOutput: true
-      }
+      },
+      auth: false,
+      description: 'Puts a licence into workflow when a charge element has a `timeLimitedEndDate` which is < 50 days away'
     }
   }
 ]

app/routes/check.routes.js

@@ -8,11 +8,12 @@ const routes = [
     path: '/check/two-part/{naldRegionId}/{format?}',
     handler: CheckController.twoPart,
     options: {
-      description: 'Used by the delivery team to check the SROC 2PT billing logic',
       app: {
         excludeFromProd: true,
         plainOutput: true
-      }
+      },
+      auth: false,
+      description: 'Used by the delivery team to check the SROC 2PT billing logic'
     }
   }
 ]

app/routes/data.routes.js

@@ -8,44 +8,51 @@ const routes = [
     path: '/data/export',
     handler: DataController.exportDb,
     options: {
-      description: 'Used to export the database and upload the file to our AWS S3 bucket',
       app: {
         excludeFromProd: true,
         plainOutput: true
-      }
+      },
+      auth: false,
+      description: 'Used to export the database and upload the file to our AWS S3 bucket'
     }
   },
   {
     method: 'GET',
     path: '/data/mock/{type}/{id}',
     handler: DataController.mockData,
     options: {
-      description: 'Used to generate mock data',
-      app: { excludeFromProd: true }
+      app: {
+        excludeFromProd: true,
+        plainOutput: true
+      },
+      auth: false,
+      description: 'Used to generate mock data'
     }
   },
   {
     method: 'POST',
     path: '/data/seed',
     handler: DataController.seed,
     options: {
-      description: 'Used to seed test data in the database',
       app: {
         excludeFromProd: true,
         plainOutput: true
-      }
+      },
+      auth: false,
+      description: 'Used to seed test data in the database'
     }
   },
   {
     method: 'POST',
     path: '/data/tear-down',
     handler: DataController.tearDown,
     options: {
-      description: 'Used to remove the acceptance test data from the database',
       app: {
         excludeFromProd: true,
         plainOutput: true
-      }
+      },
+      auth: false,
+      description: 'Used to remove the acceptance test data from the database'
     }
   }
 ]

app/routes/health.routes.js

@@ -8,6 +8,10 @@ const routes = [
     path: '/health/airbrake',
     handler: HealthController.airbrake,
     options: {
+      app: {
+        plainOutput: true
+      },
+      auth: false,
       description: 'Used by the delivery team to confirm error logging is working correctly in an environment. ' +
         'NOTE. We expect this endpoint to return a 500'
     }
@@ -17,6 +21,10 @@ const routes = [
     path: '/health/database',
     handler: HealthController.database,
     options: {
+      app: {
+        plainOutput: true
+      },
+      auth: false,
       description: 'Used by the delivery team to confirm we can connect to the database. It also returns us some ' +
         'useful stats about each table.'
     }
@@ -26,6 +34,7 @@ const routes = [
     path: '/health/info',
     handler: HealthController.info,
     options: {
+      auth: false,
       description: 'Used by the delivery team to confirm we can connect to our other apps and services. It also ' +
       'returns us the version and commit hash for each one.'
     }

app/routes/root.routes.js

@@ -8,26 +8,34 @@ const routes = [
     path: '/',
     handler: RootController.index,
     options: {
-      auth: false
+      app: {
+        plainOutput: true
+      },
+      auth: false,
+      description: 'Returns the same response as /status'
     }
   },
   {
     method: 'GET',
     path: '/robots.txt',
     handler: {
       file: 'app/public/static/robots.txt'
+    },
+    options: {
+      auth: false,
+      description: 'Needed to support requests proxied from the legacy UI through to this app'
     }
   },
   {
     method: 'GET',
     path: '/status',
     handler: RootController.index,
     options: {
-      auth: false,
-      description: 'Used by the AWS load balancers to confirm the service is running',
       app: {
         plainOutput: true
-      }
+      },
+      auth: false,
+      description: 'Used by the AWS load balancers to confirm the service is running'
     }
   }
 ]

test/controllers/bill-runs.controller.test.js

@@ -27,6 +27,10 @@ describe('Bill Runs controller', () => {
         scheme,
         region: '07ae7f3a-2677-4102-b352-cc006828948c',
         user: 'test.user@defra.gov.uk'
+      },
+      auth: {
+        strategy: 'session',
+        credentials: { scope: ['billing'] }
       }
     }
   }

test/controllers/billing-accounts.controller.test.js

@@ -47,7 +47,11 @@ describe('Billing Accounts controller', () => {
     beforeEach(() => {
       options = {
         method: 'POST',
-        url: '/billing-accounts/7fa2f044-b29e-483a-99b6-e16db0db0f58/change-address'
+        url: '/billing-accounts/7fa2f044-b29e-483a-99b6-e16db0db0f58/change-address',
+        auth: {
+          strategy: 'session',
+          credentials: { scope: ['manage_billing_accounts'] }
+        }
       }
     })
 

test/plugins/error-pages.plugin.test.js

@@ -42,6 +42,9 @@ describe('Error Pages plugin', () => {
         path: '/error-pages',
         handler: function (_request, _h) {
           return Boom.badRequest('Things go boom')
+        },
+        options: {
+          auth: false
         }
       }
     })
@@ -66,7 +69,7 @@ describe('Error Pages plugin', () => {
 
       describe('and the route is configured for plain output (do not redirect to error page)', () => {
         beforeEach(async () => {
-          testRoute.options = { app: { plainOutput: true } }
+          testRoute.options.app = { plainOutput: true }
           server.route(testRoute)
 
           Sinon.stub(ErrorPagesService, 'go').returns({ stopResponse: false, statusCode: 400 })
@@ -106,6 +109,9 @@ describe('Error Pages plugin', () => {
         path: '/error-pages',
         handler: function (_request, h) {
           return h.response({ hello: 'world' }).code(200)
+        },
+        options: {
+          auth: false
         }
       }
     })
@@ -127,7 +133,7 @@ describe('Error Pages plugin', () => {
 
     describe('and the route is configured for plain output (do not redirect to error page)', () => {
       beforeEach(async () => {
-        testRoute.options = { app: { plainOutput: true } }
+        testRoute.options.app = { plainOutput: true }
         server.route(testRoute)
 
         Sinon.stub(ErrorPagesService, 'go').returns({ stopResponse: false, statusCode: 200 })