[HOTE-1082] feat: create-session-login-lambda

database/schema_diagram.puml

@@ -97,6 +97,7 @@ entity "session" as session {
   identity_proofing_level : varchar(10)
   email : varchar(320)
   email_verified : boolean
+  phone_number: varchar(20)
   phone_number_verified : boolean
   birth_date : date
   nhs_number : varchar(10)

lambdas/goose-migrator-lambda/migrations/000018_add_phone_number_to_session.sql

@@ -0,0 +1,8 @@
+-- +goose Up
+ALTER TABLE session
+ADD COLUMN IF NOT EXISTS phone_number varchar(20) NOT NULL;
+
+
+-- +goose Down
+ALTER TABLE session
+DROP COLUMN IF EXISTS phone_number;

lambdas/src/lib/db/db-retry.ts

@@ -42,6 +42,11 @@ const TRANSIENT_NETWORK_ERROR_CODES = new Set([
 // Source: https://www.postgresql.org/docs/current/errcodes-appendix.html
 const TRANSIENT_POSTGRES_ERROR_CODES = new Set(["57P01", "57P02", "57P03"]);
 
+// Note: unique-violation conflicts (for example PostgreSQL 23505) are intentionally not treated
+// as retryable here. The generic retry layer cannot distinguish a replay of the same successful
+// write after a transient connection failure from a genuine duplicate-key conflict. Session create
+// recovery for that case is deferred to a dedicated follow-up change.
+
 const TRANSIENT_ERROR_PATTERNS = [
   /cannot connect now/i,
   /connection terminated unexpectedly/i,

lambdas/src/lib/db/session-db-client.test.ts

@@ -37,6 +37,7 @@ function buildCreateSessionInput(overrides: Partial<CreateSessionInput> = {}): C
       identityProofingLevel: "P9",
       email: "jane@example.com",
       emailVerified: true,
+      phoneNumber: "+447700900123",
       phoneNumberVerified: false,
       birthDate: "1990-01-01",
       nhsNumber: "1234567890",
@@ -64,6 +65,7 @@ function buildSessionRow(overrides: Record<string, unknown> = {}): Record<string
     identity_proofing_level: session.userInfo.identityProofingLevel,
     email: session.userInfo.email,
     email_verified: session.userInfo.emailVerified,
+    phone_number: session.userInfo.phoneNumber,
     phone_number_verified: session.userInfo.phoneNumberVerified,
     birth_date: session.userInfo.birthDate,
     nhs_number: session.userInfo.nhsNumber,
@@ -123,6 +125,7 @@ describe("SessionDbClient", () => {
           session.userInfo.identityProofingLevel,
           session.userInfo.email,
           session.userInfo.emailVerified,
+          session.userInfo.phoneNumber,
           session.userInfo.phoneNumberVerified,
           session.userInfo.birthDate,
           session.userInfo.nhsNumber,
@@ -134,8 +137,8 @@ describe("SessionDbClient", () => {
       );
 
       const [query] = mockDbClient.query.mock.calls[0];
-      expect(query).toContain("$13::date");
-      expect(query).toContain("ON CONFLICT (session_id) DO UPDATE");
+      expect(query).toContain("$14::date");
+      expect(query).not.toContain("ON CONFLICT (session_id) DO UPDATE");
     });
 
     it("should retry transient insert failures", async () => {
@@ -224,6 +227,7 @@ describe("SessionDbClient", () => {
             identity_proofing_level: "P5",
             email: "jo@example.com",
             email_verified: false,
+            phone_number: "+447700900124",
             phone_number_verified: true,
             birth_date: "1985-05-05",
             nhs_number: "9999999999",
@@ -244,6 +248,7 @@ describe("SessionDbClient", () => {
         identityProofingLevel: "P5",
         email: "jo@example.com",
         emailVerified: false,
+        phoneNumber: "+447700900124",
         phoneNumberVerified: true,
         birthDate: "1985-05-05",
         nhsNumber: "9999999999",

lambdas/src/lib/db/session-db-client.ts

@@ -23,6 +23,7 @@ interface SessionRow {
   identity_proofing_level: string;
   email: string;
   email_verified: boolean;
+  phone_number: string;
   phone_number_verified: boolean;
   birth_date: string;
   nhs_number: string;
@@ -61,6 +62,7 @@ const SESSION_COLUMNS = `
       identity_proofing_level,
       email,
       email_verified,
+      phone_number,
       phone_number_verified,
       birth_date,
       nhs_number,
@@ -90,6 +92,7 @@ export class SessionDbClient {
         identity_proofing_level,
         email,
         email_verified,
+        phone_number,
         phone_number_verified,
         birth_date,
         nhs_number,
@@ -111,15 +114,19 @@ export class SessionDbClient {
         $10,
         $11,
         $12,
-        $13::date,
-        $14,
+        $13,
+        $14::date,
         $15,
-        $16::timestamptz,
+        $16,
         $17::timestamptz,
-        $18::timestamptz
+        $18::timestamptz,
+        $19::timestamptz
       )
-      ON CONFLICT (session_id) DO UPDATE
-      SET session_id = EXCLUDED.session_id
+      -- Intentionally use a plain INSERT here.
+      -- We do not use ON CONFLICT ... DO UPDATE for session creation because a true
+      -- session_id or refresh_token_id collision must never overwrite another user's session.
+      -- A future ticket will add safe recovery for ambiguous duplicate-key failures that can
+      -- happen after a transient connection error during session creation.
       RETURNING ${SESSION_COLUMNS};
     `;
 
@@ -135,6 +142,7 @@ export class SessionDbClient {
       session.userInfo.identityProofingLevel,
       session.userInfo.email,
       session.userInfo.emailVerified,
+      session.userInfo.phoneNumber,
       session.userInfo.phoneNumberVerified,
       session.userInfo.birthDate,
       session.userInfo.nhsNumber,
@@ -290,6 +298,7 @@ export class SessionDbClient {
         identityProofingLevel: row.identity_proofing_level,
         email: row.email,
         emailVerified: row.email_verified,
+        phoneNumber: row.phone_number,
         phoneNumberVerified: row.phone_number_verified,
         birthDate: row.birth_date,
         nhsNumber: row.nhs_number,

lambdas/src/lib/login/nhs-login-client.test.ts

@@ -11,7 +11,7 @@ import * as testUserMapping from "./test-user-mapping";
 function createUserInfo(
   overrides: Partial<INhsUserInfoResponseModel> = {},
 ): INhsUserInfoResponseModel {
-  return {
+  const defaults: INhsUserInfoResponseModel = {
     iss: "https://issuer.example",
     aud: "hometest",
     sub: "user-123",
@@ -20,12 +20,17 @@ function createUserInfo(
     identity_proofing_level: "P9",
     email: "test.user@example.com",
     email_verified: "true",
+    phone_number: "+447700900123",
     phone_number_verified: "true",
     birthdate: "1990-01-01",
     nhs_number: "9999999999",
     gp_registration_details: {
       gp_ods_code: "A12345",
     },
+  };
+
+  return {
+    ...defaults,
     ...overrides,
   };
 }

lambdas/src/lib/login/nhs-login-service.test.ts

@@ -12,7 +12,7 @@ import {
 function createUserInfo(
   overrides: Partial<INhsUserInfoResponseModel> = {},
 ): INhsUserInfoResponseModel {
-  return {
+  const defaults: INhsUserInfoResponseModel = {
     iss: "https://issuer.example",
     aud: "hometest",
     sub: "user-123",
@@ -21,10 +21,15 @@ function createUserInfo(
     identity_proofing_level: "P9",
     email: "test.user@example.com",
     email_verified: "true",
+    phone_number: "+447700900123",
     phone_number_verified: "true",
     birthdate: "1990-01-01",
     nhs_number: "9999999999",
     gp_registration_details: { gp_ods_code: "A12345" },
+  };
+
+  return {
+    ...defaults,
     ...overrides,
   };
 }
@@ -49,6 +54,7 @@ function verificationSuccess(sub: string): NhsTokenVerificationResult {
     payload: {
       sub,
       iss: "https://issuer.example",
+      aud: "hometest",
       iat: 1234567890,
       exp: 1234571490,
     } as JwtPayload,
@@ -108,6 +114,8 @@ describe("NhsLoginService.executeCallback", () => {
         nhsAccessToken: "nhs-access-token",
         nhsRefreshToken: "nhs-refresh-token",
         idTokenSubject: "user-123",
+        idTokenIssuer: "https://issuer.example",
+        idTokenAudience: "hometest",
       },
     });
   });
@@ -276,6 +284,8 @@ describe("NhsLoginService.executeCallback", () => {
         nhsAccessToken: "nhs-access-token",
         nhsRefreshToken: undefined,
         idTokenSubject: "user-123",
+        idTokenIssuer: "https://issuer.example",
+        idTokenAudience: "hometest",
       },
     });
   });

lambdas/src/lib/login/nhs-login-service.ts

@@ -8,6 +8,8 @@ export interface INhsLoginResult {
   nhsAccessToken: string;
   nhsRefreshToken?: string;
   idTokenSubject: string;
+  idTokenIssuer?: string;
+  idTokenAudience?: string | string[];
 }
 
 export type NhsLoginErrorCode =
@@ -107,6 +109,8 @@ export class NhsLoginService implements INhsLoginService {
         nhsAccessToken: tokenResponse.access_token,
         nhsRefreshToken: this.normalizeRefreshToken(tokenResponse.refresh_token),
         idTokenSubject,
+        idTokenIssuer: idTokenResult.payload.iss,
+        idTokenAudience: idTokenResult.payload.aud,
       },
     };
   }

lambdas/src/lib/login/test-user-mapping.test.ts

@@ -4,7 +4,7 @@ import { enrichUserInfoWithTestFirstName } from "./test-user-mapping";
 function createUserInfo(
   overrides: Partial<INhsUserInfoResponseModel> = {},
 ): INhsUserInfoResponseModel {
-  return {
+  const defaults: INhsUserInfoResponseModel = {
     iss: "https://issuer.example",
     aud: "hometest",
     sub: "user-123",
@@ -13,12 +13,17 @@ function createUserInfo(
     identity_proofing_level: "P9",
     email: "test.user@example.com",
     email_verified: "true",
+    phone_number: "+447700900123",
     phone_number_verified: "true",
     birthdate: "1990-01-01",
     nhs_number: "9999999999",
     gp_registration_details: {
       gp_ods_code: "A12345",
     },
+  };
+
+  return {
+    ...defaults,
     ...overrides,
   };
 }

lambdas/src/lib/models/nhs-login/nhs-login-user-info-response-model.ts

@@ -7,6 +7,7 @@ export interface INhsUserInfoResponseModel {
   identity_proofing_level: string;
   email: string;
   email_verified: string;
+  phone_number: string;
   phone_number_verified: string;
   birthdate: string;
   nhs_number: string;

lambdas/src/lib/models/session/session.test.ts

@@ -8,7 +8,7 @@ import {
 function createNhsUserInfo(
   overrides: Partial<INhsUserInfoResponseModel> = {},
 ): INhsUserInfoResponseModel {
-  return {
+  const defaults: INhsUserInfoResponseModel = {
     iss: "https://issuer.example",
     aud: "hometest",
     sub: "user-123",
@@ -17,12 +17,17 @@ function createNhsUserInfo(
     identity_proofing_level: "P9",
     email: "test.user@example.com",
     email_verified: "true",
+    phone_number: "+447700900123",
     phone_number_verified: "false",
     birthdate: "1990-01-01",
     nhs_number: "9999999999",
     gp_registration_details: {
       gp_ods_code: "A12345",
     },
+  };
+
+  return {
+    ...defaults,
     ...overrides,
   };
 }
@@ -37,6 +42,7 @@ function createSessionUserInfo(overrides: Partial<ISessionUserInfo> = {}): ISess
     identityProofingLevel: "P9",
     email: "test.user@example.com",
     emailVerified: true,
+    phoneNumber: "+447700900123",
     phoneNumberVerified: false,
     birthDate: "1990-01-01",
     nhsNumber: "9999999999",
@@ -60,6 +66,7 @@ describe("mapNhsUserInfoToSessionUserInfo", () => {
       identityProofingLevel: "P9",
       email: "test.user@example.com",
       emailVerified: true,
+      phoneNumber: "+447700900123",
       phoneNumberVerified: false,
       birthDate: "1990-01-01",
       nhsNumber: "9999999999",
@@ -91,6 +98,7 @@ describe("mapSessionUserInfoToNhsUserInfo", () => {
       identity_proofing_level: "P9",
       email: "test.user@example.com",
       email_verified: "true",
+      phone_number: "+447700900123",
       phone_number_verified: "false",
       birthdate: "1990-01-01",
       nhs_number: "9999999999",

lambdas/src/lib/models/session/session.ts

@@ -9,6 +9,7 @@ export interface ISessionUserInfo {
   identityProofingLevel: string;
   email: string;
   emailVerified: boolean;
+  phoneNumber: string;
   phoneNumberVerified: boolean;
   birthDate: string;
   nhsNumber: string;
@@ -43,6 +44,7 @@ export function mapNhsUserInfoToSessionUserInfo(
     identityProofingLevel: userInfo.identity_proofing_level,
     email: userInfo.email,
     emailVerified: parseVerificationFlag(userInfo.email_verified),
+    phoneNumber: userInfo.phone_number,
     phoneNumberVerified: parseVerificationFlag(userInfo.phone_number_verified),
     birthDate: userInfo.birthdate,
     nhsNumber: userInfo.nhs_number,
@@ -62,6 +64,7 @@ export function mapSessionUserInfoToNhsUserInfo(
     identity_proofing_level: userInfo.identityProofingLevel,
     email: userInfo.email,
     email_verified: toVerificationFlag(userInfo.emailVerified),
+    phone_number: userInfo.phoneNumber,
     phone_number_verified: toVerificationFlag(userInfo.phoneNumberVerified),
     birthdate: userInfo.birthDate,
     nhs_number: userInfo.nhsNumber,

lambdas/src/login-lambda/login-service.test.ts

@@ -1,12 +1,12 @@
-import { LoginService } from "./login-service";
-import { type ITokenService } from "../lib/login/token-service";
 import { type INhsLoginClient } from "../lib/login/nhs-login-client";
+import { type ITokenService } from "../lib/login/token-service";
 import { type INhsUserInfoResponseModel } from "../lib/models/nhs-login/nhs-login-user-info-response-model";
+import { LoginService } from "./login-service";
 
 function createUserInfo(
   overrides: Partial<INhsUserInfoResponseModel> = {},
 ): INhsUserInfoResponseModel {
-  return {
+  const defaults: INhsUserInfoResponseModel = {
     iss: "https://issuer.example",
     aud: "hometest",
     sub: "user-123",
@@ -15,12 +15,17 @@ function createUserInfo(
     identity_proofing_level: "P9",
     email: "test.user@example.com",
     email_verified: "true",
+    phone_number: "+447700900123",
     phone_number_verified: "true",
     birthdate: "1990-01-01",
     nhs_number: "9999999999",
     gp_registration_details: {
       gp_ods_code: "A12345",
     },
+  };
+
+  return {
+    ...defaults,
     ...overrides,
   };
 }