[DCMAW-10830] update session state in /async/biometricToken #340

Merged
merged 15 commits into from
Jan 21, 2025

@chris-cooksley-gds chris-cooksley-gds commented Jan 16, 2025

DCMAW-10830

What changed

  • Introduces new updateSession method on the DynamoDB adapter.
    • This method is defined as part of a generic SessionRegistry interface.
    • It expects an UpdateSessionOperation, and uses the methods on that object to get the appropriate update/condition expressions for the UpdateItemCommand to DynamoDB. This isolates the logic for different types of update, facilitating testing and keeping the adapter logic simple.
    • It logs the attempt/success of the call to DynamoDB at debug level, as per the new pattern.
    • It logs conditional check failures separately to other failures, to help us identify when a session doesn't exist or is in the wrong state.
  • Defines a BiometricTokenIssued update operation. It requires the session in question to exist, to (implicitly) not have expired, and to be in the ASYNC_AUTH_SESSION_CREATED state. It updates the state to ASYNC_BIOMETRIC_TOKEN_ISSUED and adds the passed document type and opaque ID.
  • Updates handler to generate opaque ID and update the session using the above pattern. Conditional check failures elicit an unauthorized response; server errors elicit a server error response.
  • Adds necessary permission to update session to the Lambda execution role
  • Updates API tests for /async/biometricToken happy path, as the sessionId of a valid, current session is now required.

Why did it change

  • Our user session follows a forward-only state machine. Updating the session state - in tandem with conditional checks made on the current session state - ensures that the user's document type and opaque ID are 'locked in' and cannot be changed on subsequent requests.

Evidence


@chris-cooksley-gds chris-cooksley-gds changed the title [DCMAW-10830] Draft PR for early feedback [DCMAW-10830] update session state in /async/biometricToken Jan 20, 2025
@chris-cooksley-gds chris-cooksley-gds marked this pull request as ready for review January 20, 2025 15:18
@chris-cooksley-gds chris-cooksley-gds requested review from a team as code owners January 20, 2025 15:18
jmooney-dd previously approved these changes Jan 20, 2025
@chris-cooksley-gds chris-cooksley-gds merged commit 4067279 into main Jan 21, 2025
2 checks passed
@chris-cooksley-gds chris-cooksley-gds deleted the DCMAW-10830 branch January 21, 2025 08:52
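
The forward-only transition described in this PR, as an added example that is not the project's own code: an update operation supplies the condition and update expressions, and the write is rejected unless the session exists and is still in ASYNC_AUTH_SESSION_CREATED. The function, method and attribute names are hypothetical, the document type values are constructed, and an in-memory Map stands in for the DynamoDB table; expiry is not modelled.

```typescript
// Added example. Only the two state names come from the PR description;
// every other name here is hypothetical.
type Session = Record<string, string>;
type UpdateResult = "UPDATED" | "CONDITIONAL_CHECK_FAILED";

interface UpdateSessionOperation {
  getConditionExpression(): string;
  getUpdateExpression(): string;
  getExpressionAttributeValues(): Record<string, string>;
}

function biometricTokenIssued(documentType: string, opaqueId: string): UpdateSessionOperation {
  return {
    getConditionExpression: () =>
      "attribute_exists(sessionId) AND sessionState = :requiredState",
    getUpdateExpression: () =>
      "SET sessionState = :newState, documentType = :documentType, opaqueId = :opaqueId",
    getExpressionAttributeValues: () => ({
      ":requiredState": "ASYNC_AUTH_SESSION_CREATED",
      ":newState": "ASYNC_BIOMETRIC_TOKEN_ISSUED",
      ":documentType": documentType,
      ":opaqueId": opaqueId,
    }),
  };
}

// Check and write happen in one step, as they do in a conditional UpdateItem call.
function updateSession(
  table: Map<string, Session>,
  sessionId: string,
  op: UpdateSessionOperation,
): UpdateResult {
  const values = op.getExpressionAttributeValues();
  const item = table.get(sessionId);
  // Stand-in for DynamoDB evaluating the condition expression: the session
  // must exist and must still be in the required state.
  if (!item || item.sessionState !== values[":requiredState"]) {
    return "CONDITIONAL_CHECK_FAILED"; // the handler answers "unauthorized"
  }
  // Apply each "attribute = :placeholder" pair from the SET clause.
  for (const pair of op.getUpdateExpression().replace(/^SET /, "").split(", ")) {
    const [attr, placeholder] = pair.split(" = ");
    item[attr] = values[placeholder];
  }
  return "UPDATED";
}
```

A second request for the same session fails the condition because the state has already moved on, so the stored document type and opaque ID stay as first written.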