Implement user storage consent

app/domains/flows.server.ts

@@ -27,6 +27,7 @@ export type Flow = {
   migration?: FlowMigration;
   flowTransitionConfig?: FlowTransitionConfig;
   stringReplacements?: (context: Context) => Replacements;
+  asyncFlowActions?: Record<string, (request: Request) => Promise<void>>;
 };
 
 export const flows = {

app/domains/fluggastrechte/formular/index.ts

@@ -3,6 +3,7 @@ import type { AllContextKeys } from "~/domains/common";
 import type { Flow } from "~/domains/flows.server";
 import type { ArrayConfigServer } from "~/services/array";
 import type { FlowTransitionConfig } from "~/services/flow/server/flowTransitionValidation";
+import { storeConsentFgrToS3Bucket } from "~/services/s3/storeConsentFgrToS3Bucket";
 import abgabeFlow from "./abgabe/flow.json";
 import type { FluggastrechtContext } from "./context";
 import { flugdatenDone } from "./flugdaten/doneFunctions";
@@ -46,6 +47,10 @@ const flowTransitionConfig: FlowTransitionConfig = {
   eligibleSourcePages: ["/ergebnis/erfolg"],
 };
 
+const asyncFlowActions = {
+  "/grundvoraussetzungen/datenverarbeitung": storeConsentFgrToS3Bucket,
+};
+
 export const fluggastrechtFlow = {
   flowType: "formFlow",
   migration: {
@@ -142,4 +147,5 @@ export const fluggastrechtFlow = {
   },
   guards: fluggastrechteGuards,
   flowTransitionConfig,
+  asyncFlowActions,
 } satisfies Flow;

app/routes/shared/formular.server.ts

@@ -20,6 +20,7 @@ import { buildFlowController } from "~/services/flow/server/buildFlowController"
 import {
   validateFlowTransition,
   getFlowTransitionConfig,
+  executeAsyncFlowActionByStepId,
 } from "~/services/flow/server/flowTransitionValidation";
 import { insertIndexesIntoPath } from "~/services/flow/stepIdConverter";
 import { navItemsFromStepStates } from "~/services/flowNavigation.server";
@@ -282,6 +283,8 @@ export const action = async ({ request }: ActionFunctionArgs) => {
     });
   }
 
+  await executeAsyncFlowActionByStepId(flows[flowId], stepId, request);
+
   const destination =
     flowController.getNext(stepId) ?? flowController.getInitial();
 

app/services/env/env.server.ts

@@ -15,6 +15,11 @@ type Config = {
   SAML_SP_METADATA_PATH: string;
   SAML_SP_SECRET_KEY_PATH: string;
   SAML_IDP_CERT?: string;
+  AWS_S3_REGION: string;
+  AWS_S3_ENDPOINT: string;
+  AWS_S3_DATA_CONSENT_FGR_ACCESS_KEY: string;
+  AWS_S3_DATA_CONSENT_FGR_SECRET_KEY: string;
+  AWS_S3_DATA_CONSENT_FGR_BUCKET_NAME: string;
 };
 
 let instance: Config | undefined = undefined;
@@ -47,6 +52,14 @@ export function config(): Config {
         process.env.SAML_SP_SECRET_KEY_PATH?.trim() ??
         path.join(process.cwd(), "data/saml/sp_privateKey.pem"),
       SAML_IDP_CERT: process.env.SAML_IDP_CERT?.trim(),
+      AWS_S3_REGION: process.env.AWS_S3_REGION?.trim() ?? "",
+      AWS_S3_ENDPOINT: process.env.AWS_S3_ENDPOINT?.trim() ?? "",
+      AWS_S3_DATA_CONSENT_FGR_ACCESS_KEY:
+        process.env.AWS_S3_DATA_CONSENT_FGR_ACCESS_KEY?.trim() ?? "",
+      AWS_S3_DATA_CONSENT_FGR_SECRET_KEY:
+        process.env.AWS_S3_DATA_CONSENT_FGR_SECRET_KEY?.trim() ?? "",
+      AWS_S3_DATA_CONSENT_FGR_BUCKET_NAME:
+        process.env.AWS_S3_DATA_CONSENT_FGR_BUCKET_NAME?.trim() ?? "",
     };
   }
 

app/services/flow/server/__test__/flowTransitionValidation.test.ts

@@ -0,0 +1,38 @@
+import type { Flow } from "~/domains/flows.server";
+import { executeAsyncFlowActionByStepId } from "../flowTransitionValidation";
+
+describe("flowTransitionValidation", () => {
+  describe("executeAsyncFlowActionByStepId", () => {
+    const mockRequest = new Request("http://localhost");
+    const mockAsyncFlowAction = vi.fn().mockResolvedValue(undefined);
+
+    it("should execute the async flow action for the given stepId", async () => {
+      const mockAsyncFlowAction = vi.fn().mockResolvedValue(undefined);
+      const mockFlow: Flow = {
+        asyncFlowActions: {
+          "test-step": mockAsyncFlowAction,
+        },
+      } as unknown as Flow;
+
+      await executeAsyncFlowActionByStepId(mockFlow, "test-step", mockRequest);
+
+      expect(mockAsyncFlowAction).toHaveBeenCalledWith(mockRequest);
+    });
+
+    it("should not execute the async flow action for the given another stepId", async () => {
+      const mockFlow: Flow = {
+        asyncFlowActions: {
+          "test-step": mockAsyncFlowAction,
+        },
+      } as unknown as Flow;
+
+      await executeAsyncFlowActionByStepId(
+        mockFlow,
+        "another-step",
+        mockRequest,
+      );
+
+      expect(mockAsyncFlowAction).not.toHaveBeenCalledWith(mockRequest);
+    });
+  });
+});

app/services/flow/server/flowTransitionValidation.ts

@@ -20,6 +20,24 @@ export function getFlowTransitionConfig(currentFlow: Flow) {
     : undefined;
 }
 
+function getAsyncFlowActions(currentFlow: Flow) {
+  return "asyncFlowActions" in currentFlow
+    ? currentFlow.asyncFlowActions
+    : undefined;
+}
+
+export async function executeAsyncFlowActionByStepId(
+  currentFlow: Flow,
+  stepId: string,
+  request: Request,
+) {
+  const asyncFlowActions = getAsyncFlowActions(currentFlow);
+
+  if (asyncFlowActions?.[stepId]) {
+    await asyncFlowActions[stepId](request);
+  }
+}
+
 export async function validateFlowTransition(
   flows: Record<FlowId, Flow>,
   cookieHeader: CookieHeader,

app/services/s3/__test__/createClientDataConsentFgr.test.ts

@@ -0,0 +1,46 @@
+import { S3Client } from "@aws-sdk/client-s3";
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { config } from "~/services/env/env.server";
+import { createClientDataConsentFgr } from "~/services/s3/createClientDataConsentFgr";
+
+vi.mock("@aws-sdk/client-s3", () => ({
+  S3Client: vi.fn(),
+}));
+
+vi.mock("~/services/env/env.server", () => ({
+  config: vi.fn(),
+}));
+
+describe("createClientDataConsentFgr", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("should create a new S3Client instance if not already created only once", () => {
+    const mockConfig = {
+      ...config(),
+      AWS_S3_DATA_CONSENT_FGR_ACCESS_KEY: "test-access-key",
+      AWS_S3_DATA_CONSENT_FGR_SECRET_KEY: "test-secret-key",
+      AWS_S3_REGION: "test-region",
+      AWS_S3_ENDPOINT: "test-endpoint",
+    };
+
+    vi.mocked(config).mockReturnValue(mockConfig);
+
+    const firstClient = createClientDataConsentFgr();
+
+    expect(S3Client).toHaveBeenCalledWith({
+      region: mockConfig.AWS_S3_REGION,
+      credentials: {
+        accessKeyId: mockConfig.AWS_S3_DATA_CONSENT_FGR_ACCESS_KEY,
+        secretAccessKey: mockConfig.AWS_S3_DATA_CONSENT_FGR_SECRET_KEY,
+      },
+      endpoint: mockConfig.AWS_S3_ENDPOINT,
+    });
+    expect(firstClient).toBeInstanceOf(S3Client);
+
+    const secondClient = createClientDataConsentFgr();
+    expect(S3Client).toHaveBeenCalledTimes(1);
+    expect(firstClient).toBe(secondClient);
+  });
+});

app/services/s3/__test__/storeConsentFgrToS3Bucket.test.ts

@@ -0,0 +1,96 @@
+import { PutObjectCommand, S3Client } from "@aws-sdk/client-s3";
+import { describe, it, expect, vi } from "vitest";
+import { config } from "~/services/env/env.server";
+import { sendSentryMessage } from "../../logging";
+import { getSessionIdByFlowId } from "../../session.server";
+import { createClientDataConsentFgr } from "../createClientDataConsentFgr";
+import { storeConsentFgrToS3Bucket } from "../storeConsentFgrToS3Bucket";
+
+vi.mock("@aws-sdk/client-s3", () => ({
+  PutObjectCommand: vi.fn(),
+}));
+
+vi.mock("../createClientDataConsentFgr", () => ({
+  createClientDataConsentFgr: vi.fn(),
+}));
+
+vi.mock("../../logging", () => ({
+  sendSentryMessage: vi.fn(),
+}));
+
+vi.mock("../../session.server", () => ({
+  getSessionIdByFlowId: vi.fn(),
+}));
+
+vi.mock("~/services/env/env.server", () => ({
+  config: vi.fn(),
+}));
+
+const mockS3Client = { send: vi.fn() } as unknown as S3Client;
+
+const mockRequest = new Request("http://localhost", {
+  headers: {
+    Cookie: "test-cookie",
+    "user-agent": "test-agent",
+  },
+});
+
+beforeEach(() => {
+  vi.clearAllMocks();
+  vi.useFakeTimers();
+});
+
+afterEach(() => {
+  vi.useRealTimers();
+});
+
+describe("storeConsentFgrToS3Bucket", () => {
+  it("should store consent data to S3 bucket", async () => {
+    const mockDate = new Date("2025-01-01");
+    vi.setSystemTime(mockDate);
+
+    const mockSessionId = "test-session-id";
+    const mockConfig = {
+      ...config(),
+      AWS_S3_DATA_CONSENT_FGR_BUCKET_NAME: "test-bucket",
+    };
+    vi.mocked(createClientDataConsentFgr).mockReturnValue(mockS3Client);
+    vi.mocked(getSessionIdByFlowId).mockResolvedValue(mockSessionId);
+    vi.mocked(config).mockReturnValue(mockConfig);
+    const mockBuffer = Buffer.from(
+      `${mockSessionId};${mockDate.getTime()};test-agent`,
+      "utf8",
+    );
+    const mockKey = "01-01-2025/test-session-id.csv";
+
+    await storeConsentFgrToS3Bucket(mockRequest);
+
+    expect(createClientDataConsentFgr).toHaveBeenCalled();
+    expect(getSessionIdByFlowId).toHaveBeenCalledWith(
+      "/fluggastrechte/formular",
+      "test-cookie",
+    );
+    expect(mockS3Client.send).toHaveBeenCalledWith(
+      new PutObjectCommand({
+        Bucket: mockConfig.AWS_S3_DATA_CONSENT_FGR_BUCKET_NAME,
+        Body: mockBuffer,
+        Key: mockKey,
+      }),
+    );
+  });
+
+  it("should send a Sentry message on error", async () => {
+    const mockError = new Error("Test error");
+
+    vi.mocked(createClientDataConsentFgr).mockImplementation(() => {
+      throw mockError;
+    });
+
+    await storeConsentFgrToS3Bucket(mockRequest);
+
+    expect(sendSentryMessage).toHaveBeenCalledWith(
+      `Error storing consent fgr data to S3 bucket: ${mockError.message}`,
+      "error",
+    );
+  });
+});

app/services/s3/createClientDataConsentFgr.ts

@@ -0,0 +1,21 @@
+import { S3Client } from "@aws-sdk/client-s3";
+import { config } from "~/services/env/env.server";
+
+let instance: S3Client | undefined = undefined;
+
+export const createClientDataConsentFgr = () => {
+  if (typeof instance === "undefined") {
+    const credentials = {
+      accessKeyId: config().AWS_S3_DATA_CONSENT_FGR_ACCESS_KEY,
+      secretAccessKey: config().AWS_S3_DATA_CONSENT_FGR_SECRET_KEY,
+    };
+
+    instance = new S3Client({
+      region: config().AWS_S3_REGION,
+      credentials,
+      endpoint: config().AWS_S3_ENDPOINT,
+    });
+  }
+
+  return instance;
+};

app/services/s3/storeConsentFgrToS3Bucket.ts

@@ -0,0 +1,51 @@
+import { PutObjectCommand } from "@aws-sdk/client-s3";
+import { config } from "~/services/env/env.server";
+import { today } from "~/util/date";
+import { createClientDataConsentFgr } from "./createClientDataConsentFgr";
+import { sendSentryMessage } from "../logging";
+import { getSessionIdByFlowId } from "../session.server";
+
+const createConsentDataBuffer = (sessionId: string, request: Request) => {
+  const userAgent = request.headers.get("user-agent");
+  return Buffer.from(`${sessionId};${Date.now()};${userAgent}`, "utf8");
+};
+
+const getFolderDate = () => {
+  return today()
+    .toLocaleDateString("de-DE", {
+      day: "2-digit",
+      month: "2-digit",
+      year: "numeric",
+    })
+    .replaceAll(".", "-");
+};
+
+export const storeConsentFgrToS3Bucket = async (request: Request) => {
+  try {
+    const s3Client = createClientDataConsentFgr();
+    const cookieHeader = request.headers.get("Cookie");
+    const sessionId = await getSessionIdByFlowId(
+      "/fluggastrechte/formular",
+      cookieHeader,
+    );
+
+    const buffer = createConsentDataBuffer(sessionId, request);
+    const key = `${getFolderDate()}/${sessionId}.csv`;
+
+    await s3Client.send(
+      new PutObjectCommand({
+        Bucket: config().AWS_S3_DATA_CONSENT_FGR_BUCKET_NAME,
+        Body: buffer,
+        Key: key,
+      }),
+    );
+  } catch (error) {
+    const errorDescription =
+      error instanceof Error ? error.message : "Unknown error";
+
+    sendSentryMessage(
+      `Error storing consent fgr data to S3 bucket: ${errorDescription}`,
+      "error",
+    );
+  }
+};

app/services/session.server/index.ts

@@ -76,6 +76,15 @@ export const updateSession = (session: Session, validatedData: Context) => {
   });
 };
 
+export const getSessionIdByFlowId = async (
+  flowId: FlowId,
+  cookieHeader: CookieHeader,
+) => {
+  const contextSession = getSessionManager(flowId);
+  const { id } = await contextSession.getSession(cookieHeader);
+  return id;
+};
+
 export type CookieHeader = string | null | undefined;
 export const mainSessionFromCookieHeader = async (cookieHeader: CookieHeader) =>
   getSessionManager("main").getSession(cookieHeader);

docker-compose.yml

@@ -37,3 +37,15 @@ services:
       --tls-cert-file /usr/local/etc/redis/redis-server.crt
       --tls-key-file /usr/local/etc/redis/redis-server.key
       --tls-auth-clients no
+
+  s3-bucket:
+    container_name: local-s3-bucket
+    image: localstack/localstack:s3-latest
+    environment:
+      - DEBUG=1
+    ports:
+      - "4566:4566"
+    volumes:
+      - "./init-s3-bucket.py:/etc/localstack/init/ready.d/init-s3-bucket.py"
+      - "${LOCALSTACK_VOLUME_DIR:-./volume}:/var/lib/localstack"
+      - "/var/run/docker.sock:/var/run/docker.sock"