Updated to enable cypress checker only if it is in the github actions

FrostyApeOne · FrostyApeOne · commit 8946fd7fc4de · 2025-10-22T17:53:39.000+01:00
diff --git a/src/DfE.ExternalApplications.Web/Security/DynamicAuthenticationSchemeProvider.cs b/src/DfE.ExternalApplications.Web/Security/DynamicAuthenticationSchemeProvider.cs
@@ -24,25 +24,36 @@ public class DynamicAuthenticationSchemeProvider(
     IConfiguration configuration)
     : AuthenticationSchemeProvider(options)
 {
-    // Cache the authentication mode decision per request to prevent infinite recursion
-    // If GetDefaultForbidSchemeAsync is called during a forbid flow, and it tries to check IsCypressRequest,
-    // which might trigger another auth check, we get a stack overflow
-    private const string AuthModeCacheKey = "__AuthMode_Cached__";
-
     private bool IsTestAuthGloballyEnabled()
     {
         return testAuthOptions.Value.Enabled;
     }
 
     private bool IsCypressToggleAllowed()
     {
-        return configuration.GetValue<bool>("CypressAuthentication:AllowToggle");
+        // Only allow Cypress toggle if BOTH conditions are met:
+        // 1. Configuration setting is true
+        // 2. Running in GitHub Actions (GITHUB_ACTIONS environment variable is set)
+        var configAllowsToggle = configuration.GetValue<bool>("CypressAuthentication:AllowToggle");
+        if (!configAllowsToggle)
+        {
+            return false;
+        }
+
+        var isGitHubActions = Environment.GetEnvironmentVariable("GITHUB_ACTIONS") == "true";
+        return isGitHubActions;
+    }
+
+    private bool IsCypressRequest()
+    {
+        var httpContext = httpContextAccessor.HttpContext;
+        if (httpContext == null) return false;
+        if (!IsCypressToggleAllowed()) return false;
+        
+        var checker = httpContext.RequestServices.GetService<ICustomRequestChecker>();
+        return checker != null && checker.IsValidRequest(httpContext);
     }
 
-    /// <summary>
-    /// Determines if the current request should use Test authentication.
-    /// This is cached per request to prevent infinite recursion during authentication flows.
-    /// </summary>
     private bool ShouldUseTestAuth()
     {
         // Always use test auth if globally enabled
@@ -51,38 +62,8 @@ private bool ShouldUseTestAuth()
             return true;
         }
 
-        var httpContext = httpContextAccessor.HttpContext;
-        if (httpContext == null)
-        {
-            return false;
-        }
-
-        // Check cache first to prevent re-entry during authentication flow
-        if (httpContext.Items.TryGetValue(AuthModeCacheKey, out var cachedMode))
-        {
-            return (bool)cachedMode!;
-        }
-
-        // Determine if this is a Cypress request (only if toggle is allowed)
-        bool isCypressRequest = false;
-        if (IsCypressToggleAllowed())
-        {
-            try
-            {
-                var checker = httpContext.RequestServices.GetService<ICustomRequestChecker>();
-                isCypressRequest = checker != null && checker.IsValidRequest(httpContext);
-            }
-            catch
-            {
-                // If we can't check (e.g., during service resolution or auth flow), default to false
-                // This prevents cascading failures during authentication
-                isCypressRequest = false;
-            }
-        }
-
-        // Cache the result for this request
-        httpContext.Items[AuthModeCacheKey] = isCypressRequest;
-        return isCypressRequest;
+        // Check if this is a Cypress request (only in GitHub Actions)
+        return IsCypressRequest();
     }
 
     public override Task<AuthenticationScheme?> GetDefaultAuthenticateSchemeAsync()
diff --git a/src/DfE.ExternalApplications.Web/Services/ExternalAppsCypressRequestChecker.cs b/src/DfE.ExternalApplications.Web/Services/ExternalAppsCypressRequestChecker.cs
@@ -43,6 +43,22 @@ public bool IsValidRequest(HttpContext httpContext)
     
     private bool ValidateRequestInternal(HttpContext httpContext)
     {
+        // Only enable Cypress auth in GitHub Actions environment
+        // This prevents the recursion issue from occurring in local/production environments
+        var isGitHubActions = Environment.GetEnvironmentVariable("GITHUB_ACTIONS") == "true";
+        if (!isGitHubActions)
+        {
+            try
+            {
+                logger.LogDebug("Cypress authentication disabled: Not running in GitHub Actions");
+            }
+            catch
+            {
+                // Silently ignore logging errors to prevent recursion
+            }
+            return false;
+        }
+
         var path = httpContext.Request.Path;
         var ipAddress = httpContext.Connection.RemoteIpAddress?.ToString() ?? "Unknown";
         
