Use hpagent with axios for Apple Pay Merchant Validation with proxy

With this change, we have update the Apple Pay Merchant Validation
implementation in order to use `hpagent` and `axios` in the presence of an
egress proxy, as it's the case on our AWS environments.

This is needed because we want to remove the use of `requestretry`, however
`axios` has a problem preventing it from working with an egress proxy[1].

For this reason, we need to use an HttpsProxyAgent with it.

We would want to use `https-proxy-agent`, however it has its own problem[2].

While we wait for these issues to be fixed, we can use `hpagent` which has
been tested and works well with an egress proxy.

Further information in the JIRA ticket[3].

[1]
axios/axios#4531

[2]
TooTallNate/proxy-agents#235

[3]
https://payments-platform.atlassian.net/browse/PP-12853

Co-authored-by: Jonathan Harden <[email protected]>
Co-authored-by: Dominic Belcher <[email protected]>
Co-authored-by: Marco Tranchino <[email protected]>

Author: 3 people

.secrets.baseline

@@ -75,6 +75,10 @@
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
+    {
+      "path": "detect_secrets.filters.common.is_baseline_file",
+      "filename": ".secrets.baseline"
+    },
     {
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
@@ -114,7 +118,7 @@
         "filename": "app/controllers/web-payments/apple-pay/merchant-validation.controller.js",
         "hashed_secret": "1348b145fa1a555461c1b790a2f66614781091e9",
         "is_verified": false,
-        "line_number": 20
+        "line_number": 19
       }
     ],
     "test/controllers/web-payments/apple-pay/normalise-apple-pay-payload.test.js": [
@@ -385,5 +389,5 @@
       }
     ]
   },
-  "generated_at": "2024-07-30T15:02:23Z"
+  "generated_at": "2024-08-09T08:40:47Z"
 }

app/controllers/web-payments/apple-pay/merchant-validation.controller.js

@@ -4,8 +4,7 @@ const request = require('requestretry') // to be removed once axios is in use
 const logger = require('../../../utils/logger')(__filename)
 const { getLoggingFields } = require('../../../utils/logging-fields-helper')
 const axios = require('axios')
-const https = require('https')
-const { HttpsProxyAgent } = require('https-proxy-agent')
+const { HttpsProxyAgent } = require('hpagent')
 const proxyUrl = process.env.HTTPS_PROXY
 const applePayMerchantValidationViaAxios = process.env.APPLE_PAY_MERCHANT_VALIDATION_VIA_AXIOS === 'true'
 
@@ -55,10 +54,13 @@ module.exports = async (req, res) => {
     return res.sendStatus(400)
   }
 
-  const httpsAgent = new https.Agent({
-    cert: merchantIdentityVars.cert,
-    key: merchantIdentityVars.key
-  });
+  const httpsAgent = new HttpsProxyAgent({
+      proxy: proxyUrl,
+      cert: merchantIdentityVars.cert,
+      key: merchantIdentityVars.key
+  })
+
+  const axiosInstance = axios.create({ httpsAgent, proxy: false });
 
   if (proxyUrl) {
     logger.info('Using proxy URL')
@@ -95,59 +97,42 @@ module.exports = async (req, res) => {
 
   if (applePayMerchantValidationViaAxios) {
     if (proxyUrl) {
-      logger.info('Generating Apple Pay session via axios and https proxy agent')
+      logger.info('Generating Apple Pay session via axios and https proxy agent (hpagent)')
 
       const data = {
-        cert: merchantIdentityVars.cert,
-        key: merchantIdentityVars.key,
         merchantIdentifier: merchantIdentityVars.merchantIdentifier,
         displayName: 'GOV.UK Pay',
         initiative: 'web',
         initiativeContext: process.env.APPLE_PAY_MERCHANT_DOMAIN
       }
 
-
-      const httpsProxyAgent = new HttpsProxyAgent(proxyUrl, {
-        cert: merchantIdentityVars.cert,
-        key: merchantIdentityVars.key
-      });
-
-      // const httpsAgent = new https.Agent({
-      //   proxy: httpsProxyAgent
-      // });
-
-      const axiosInstance = axios.create({
-        httpsAgent: httpsProxyAgent
-      });
-
-
       try {
         const response = await axiosInstance.post(url, data, { headers: { 'Content-Type': 'application/json; charset=utf-8' } })
 
-        logger.info('Apple Pay session successfully generated via axios and https proxy agent')
+        logger.info('Apple Pay session successfully generated via axios and https proxy agent (hpagent)')
         res.status(200).send(response.data)
       } catch (error) {
-        logger.info('Error generating Apple Pay session', {
+        logger.info('Error generating Apple Pay session with axios and https proxy agent (hpagent)', {
           ...getLoggingFields(req),
           error: error.message,
           status: error.response ? error.response.status : 'No status'
         })
-        logger.info('Apple Pay session via axios and https proxy agent failed', 'Apple Pay Error')
+        logger.info('Apple Pay session via axios and https proxy agent (hpagent) failed', 'Apple Pay Error')
         res.status(500).send('Apple Pay Error')
       }
     } else {
-      logger.info('Generating Apple Pay session via axios and https agent (local machine)')
+      logger.info('Generating Apple Pay session via axios and https proxy agent (hpagent) (NO PROXY)')
       try {
         const response = await axios(options)
 
-        logger.info('Apple Pay session successfully generated via axios and https agent')
+        logger.info('Apple Pay session successfully generated via axios and https proxy agent (hpagent) (NO PROXY)')
         res.status(200).send(response.data)
       } catch (error) {
-        logger.info('Error generating Apple Pay session', {
+        logger.info('Error generating Apple Pay session (NO PROXY)', {
           ...getLoggingFields(req),
           error: error.message
         })
-        logger.info('Apple Pay session via axios and https agent failed', 'Apple Pay Error')
+        logger.info('Apple Pay session via axios and https proxy agent (hpagent) with no proxy failed', 'Apple Pay Error')
         res.status(500).send('Apple Pay Error')
       }
     }

package-lock.json

@@ -87,7 +87,7 @@
     "gaap-analytics": "^3.1.0",
     "govuk-frontend": "^4.8.0",
     "helmet": "^7.1.0",
-    "https-proxy-agent": "^7.0.5",
+    "hpagent": "^1.2.0",
     "i18n": "0.15.x",
     "lodash": "4.17.x",
     "mailcheck": "^1.1.1",