Merge pull request #1311 from numerique-gouv/douglasduteil/feat-remove-null-and-empty-field-in-claim

rdubigny · web-flow · commit 74a2102b6dab · 2025-06-27T14:11:19.000+02:00
🐛 fix: remove null and empty field in claim
diff --git a/cypress/e2e/signin_from_proconnect_federation_client/fixtures.sql b/cypress/e2e/signin_from_proconnect_federation_client/fixtures.sql
@@ -2,8 +2,8 @@ INSERT INTO users
   (id, email, email_verified, email_verified_at, encrypted_password, created_at, updated_at, given_name, family_name,
    phone_number, job)
 VALUES
-  (1, 'unused1@yopmail.com', true, CURRENT_TIMESTAMP, '$2a$10$kzY3LINL6..50Fy9shWCcuNlRfYq0ft5lS.KCcJ5PzrhlWfKK4NIO', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, 'Jean', 'Jean', '0123456789', 'Sbire'),
-  (2, 'unused2@yopmail.com', true, CURRENT_TIMESTAMP, '$2a$10$kzY3LINL6..50Fy9shWCcuNlRfYq0ft5lS.KCcJ5PzrhlWfKK4NIO', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, 'Jean', 'Jean', '0123456789', 'Sbire');
+  (1, 'unused1@yopmail.com', true, CURRENT_TIMESTAMP, '$2a$10$kzY3LINL6..50Fy9shWCcuNlRfYq0ft5lS.KCcJ5PzrhlWfKK4NIO', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, 'Jean', 'Jack', '0123456789', 'Sbire'),
+  (2, 'unused2@yopmail.com', true, CURRENT_TIMESTAMP, '$2a$10$kzY3LINL6..50Fy9shWCcuNlRfYq0ft5lS.KCcJ5PzrhlWfKK4NIO', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, 'Jean', 'Luck', '', 'Sbire');
 
 
 INSERT INTO organizations
diff --git a/cypress/e2e/signin_from_proconnect_federation_client/index.cy.ts b/cypress/e2e/signin_from_proconnect_federation_client/index.cy.ts
@@ -1,30 +1,37 @@
 //
 
-describe("sign-in from proconnect federation client", () => {
-  it("should seed the database once", function () {
-    cy.seed();
-  });
+it("should seed the database once", function () {
+  cy.seed();
+});
 
+describe("sign-in from proconnect federation client", () => {
   it("should sign-in", () => {
     cy.visit("http://localhost:4001");
-    cy.get("button.proconnect-button").click();
+    cy.contains("S’identifier avec ProConnect").click();
 
-    cy.get('[name="password"]').type("password123");
-    cy.get('[action="/users/sign-in"]  [type="submit"]')
-      .contains("S’identifier")
-      .click();
+    cy.contains("Renseignez votre mot de passe").click();
+    cy.focused().type("password123");
+    cy.contains("S’identifier").click();
 
+    cy.title().should("equal", "proconnect-federation-client - ProConnect");
     cy.contains("proconnect-federation-client");
-    cy.contains("unused1@yopmail.com");
-    cy.contains("21340126800130");
+
+    cy.contains('"given_name": "Jean"');
+    cy.contains('"usual_name": "Jack"');
+    cy.contains('"email": "unused1@yopmail.com"');
+    cy.contains('"siret": "21340126800130"');
+    cy.contains('"phone_number": "0123456789"');
+    cy.contains('"phone_number_verified": false');
+    cy.contains('"is_service_public": true');
+    cy.contains('"is_public_service": true');
   });
 
   it("should not prompt for password if a session is already opened", () => {
     cy.visit("/");
     cy.login("unused1@yopmail.com");
 
     cy.visit("http://localhost:4001");
-    cy.get("button.proconnect-button").click();
+    cy.contains("S’identifier avec ProConnect").click();
 
     cy.contains("proconnect-federation-client");
     cy.contains("unused1@yopmail.com");
@@ -35,7 +42,7 @@ describe("sign-in from proconnect federation client", () => {
     cy.login("unused2@yopmail.com");
 
     cy.visit("http://localhost:4001");
-    cy.get("button.proconnect-button").click();
+    cy.contains("S’identifier avec ProConnect").click();
 
     cy.get('[name="password"]').type("password123");
     cy.get('[action="/users/sign-in"]  [type="submit"]')
@@ -48,7 +55,7 @@ describe("sign-in from proconnect federation client", () => {
 
   it("should go back to the Federation client when hitting the change email button", () => {
     cy.visit("http://localhost:4001");
-    cy.get("button.proconnect-button").click();
+    cy.contains("S’identifier avec ProConnect").click();
 
     cy.get("#change-email-address").click();
 
@@ -75,5 +82,35 @@ describe("sign-in with a client requiring 2fa identity", () => {
         },
       },
     }));
+    cy.contains("Connexion personnalisée").click({ force: true });
+  });
+});
+
+describe("sign-in partial user info", () => {
+  beforeEach(() => {
+    cy.visit("http://localhost:4001");
+    cy.updateCustomParams((customParams) => ({
+      ...customParams,
+      login_hint: "unused2@yopmail.com",
+    }));
+    cy.contains("Connexion personnalisée").click({ force: true });
+
+    cy.contains("Renseignez votre mot de passe").click();
+    cy.focused().type("password123");
+    cy.contains("S’identifier").click();
+  });
+
+  it("should sign-in without passing a phone_number", () => {
+    cy.title().should("equal", "proconnect-federation-client - ProConnect");
+    cy.contains("proconnect-federation-client");
+
+    cy.contains('"given_name": "Jean"');
+    cy.contains('"usual_name": "Luck"');
+    cy.contains('"email": "unused2@yopmail.com"');
+    cy.contains('"siret": "21340126800130"');
+    cy.contains('"phone_number": ""').should("not.exist");
+    cy.contains('"phone_number_verified": false');
+    cy.contains('"is_service_public": true');
+    cy.contains('"is_public_service": true');
   });
 });
diff --git a/cypress/e2e/signin_from_standard_client/index.cy.ts b/cypress/e2e/signin_from_standard_client/index.cy.ts
@@ -7,68 +7,88 @@ describe("sign-in from standard client", () => {
 
   it("should sign-in without org selection when having only one organization", function () {
     cy.visit("http://localhost:4000");
-    cy.get("button.proconnect-button").click();
+    cy.contains("S’identifier avec ProConnect").click();
 
+    cy.title().should("include", "S'inscrire ou se connecter - ");
     cy.login("unused1@yopmail.com");
 
+    cy.title().should("equal", "standard-client - ProConnect");
     cy.contains("standard-client");
-    cy.contains("unused1@yopmail.com");
-    cy.contains("Commune de lamalou-les-bains - Mairie");
+    cy.contains('"email": "unused1@yopmail.com"');
+    cy.contains('"label": "Commune de lamalou-les-bains - Mairie"');
 
     // then it should prompt for organization
-    cy.get("button#select-organization").click();
+    cy.contains("button", "Changer d’organisation").click();
+
+    cy.title().should("include", "Choisir une organisation - ");
     cy.contains("Votre organisation de rattachement");
-    cy.get(".fr-grid-row .fr-col-12:first-child .fr-tile__link").click();
+    cy.getByLabel(
+      "Commune de lamalou-les-bains - Mairie (choisir cette organisation)",
+    ).click();
+
+    cy.title().should("equal", "standard-client - ProConnect");
     cy.contains("standard-client");
-    cy.contains("Commune de lamalou-les-bains - Mairie");
+    cy.contains('"label": "Commune de lamalou-les-bains - Mairie"');
 
     // then it should update userinfo
-    cy.contains("Jean Un");
-    cy.get("button#update-userinfo").click();
+    cy.contains('"family_name": "Jean Un"');
+    cy.contains("button", "Mettre à jour mes informations").click();
+
+    cy.title().should("include", "Renseigner votre identité - ");
     cy.contains("Renseigner son identité");
-    cy.get('[name="family_name"]').type("Moustaki");
-    cy.get('[type="submit"]').click();
+    cy.contains("Nom").click();
+    cy.focused().clear().type("Moustaki");
+    cy.contains("Valider").click();
+
+    cy.title().should("equal", "standard-client - ProConnect");
     cy.contains("standard-client");
-    cy.contains("Moustaki");
+    cy.contains('"family_name": "Moustaki"');
   });
 
   it("should sign-in with org selection when having two organization", function () {
     cy.visit("http://localhost:4000");
-    cy.get("button.proconnect-button").click();
+    cy.contains("S’identifier avec ProConnect").click();
 
+    cy.title().should("include", "S'inscrire ou se connecter - ");
     cy.login("unused2@yopmail.com");
 
-    cy.get(".fr-grid-row .fr-col-12:first-child .fr-tile__link").contains(
-      "Commune de lamalou-les-bains - Mairie",
-    );
-    cy.get(".fr-grid-row .fr-col-12:last-child .fr-tile__link").contains(
-      "Commune de clamart - Mairie",
+    cy.title().should("include", "Choisir une organisation - ");
+    cy.getByLabel(
+      "Commune de lamalou-les-bains - Mairie (choisir cette organisation)",
     );
 
-    cy.get(".fr-grid-row .fr-col-12:last-child .fr-tile__link").click();
+    cy.getByLabel(
+      "Commune de clamart - Mairie (choisir cette organisation)",
+    ).click();
 
+    cy.title().should("equal", "standard-client - ProConnect");
     cy.contains("standard-client");
-    cy.contains("unused2@yopmail.com");
-    cy.contains("Commune de clamart - Mairie");
+    cy.contains('"email": "unused2@yopmail.com"');
+    cy.contains('"label": "Commune de clamart - Mairie"');
 
     // then it should prompt for organization
-    cy.get("button#select-organization").click();
+    cy.contains("button", "Changer d’organisation").click();
+    cy.title().should("include", "Choisir une organisation - ");
     cy.contains("Votre organisation de rattachement");
-    cy.get(".fr-grid-row .fr-col-12:first-child .fr-tile__link").click();
+    cy.getByLabel(
+      "Commune de lamalou-les-bains - Mairie (choisir cette organisation)",
+    ).click();
 
+    cy.title().should("equal", "standard-client - ProConnect");
     cy.contains("standard-client");
-    cy.contains("Commune de lamalou-les-bains - Mairie");
+    cy.contains('"email": "unused2@yopmail.com"');
+    cy.contains('"label": "Commune de lamalou-les-bains - Mairie"');
   });
 
   it("should not prompt for password if a session is already opened", () => {
     cy.visit("/");
+    cy.title().should("include", "S'inscrire ou se connecter - ");
     cy.login("unused1@yopmail.com");
 
     cy.visit("http://localhost:4000");
-    cy.get("button.proconnect-button").click();
-
+    cy.contains("S’identifier avec ProConnect").click();
     cy.contains("standard-client");
-    cy.contains("unused1@yopmail.com");
+    cy.contains('"email": "unused1@yopmail.com"');
   });
 
   it("should bypass consent prompt", () => {
@@ -79,6 +99,7 @@ describe("sign-in from standard client", () => {
     }));
     cy.get("button#custom-connection").click({ force: true });
 
+    cy.title().should("include", "S'inscrire ou se connecter - ");
     cy.login("unused1@yopmail.com");
     cy.contains("standard-client");
   });
@@ -96,6 +117,7 @@ describe("sign-in from standard client", () => {
     }));
     cy.get("button#custom-connection").click({ force: true });
 
+    cy.title().should("include", "S'inscrire ou se connecter - ");
     cy.login("unused1@yopmail.com");
     cy.contains("standard-client");
   });
diff --git a/packages/identite/src/types/claims.ts b/packages/identite/src/types/claims.ts
@@ -0,0 +1,21 @@
+//
+
+import { z } from "zod";
+
+//
+
+export const UserClaimsSchema = z.object({
+  email_verified: z.boolean(),
+  email: z.string(),
+  family_name: z.string().optional(),
+  given_name: z.string().optional(),
+  job: z.string().optional(),
+  phone_number_verified: z.boolean(),
+  phone_number: z.string().optional(),
+  sub: z.string(),
+  uid: z.string(),
+  updated_at: z.date(),
+  usual_name: z.string().optional(),
+});
+
+export type UserClaims = z.output<typeof UserClaimsSchema>;
diff --git a/packages/identite/src/types/index.ts b/packages/identite/src/types/index.ts
@@ -1,5 +1,6 @@
 //
 
+export * from "./claims.js";
 export * from "./contexts.js";
 export * from "./dirigeant.js";
 export * from "./email-domain.js";
diff --git a/src/services/oidc-account-adapter.ts b/src/services/oidc-account-adapter.ts
@@ -1,6 +1,12 @@
+//
+
+import {
+  UserClaimsSchema,
+  type UserClaims,
+} from "@gouvfr-lasuite/proconnect.identite/types";
 import * as Sentry from "@sentry/node";
 import { to } from "await-to-js";
-import { isEmpty } from "lodash-es";
+import { isEmpty, omitBy } from "lodash-es";
 import type { FindAccount } from "oidc-provider";
 import { findByUserId as getUsersOrganizations } from "../repositories/organization/getters";
 import { getSelectedOrganizationId } from "../repositories/redis/selected-organization";
@@ -30,19 +36,29 @@ export const findAccount: FindAccount = async (_ctx, sub) => {
         job,
       } = user;
 
-      const personalClaims = {
-        sub: id.toString(), // it is essential to always return a sub claim
-        uid: id.toString(), // for ProConnect Federation use only
-        email,
+      const userClaims = {
         email_verified,
-        updated_at,
-        given_name,
+        email,
         family_name,
-        usual_name: family_name, // for ProConnect Federation use only
-        phone_number,
-        phone_number_verified: false,
+        given_name,
         job,
+        phone_number_verified: false,
+        phone_number,
+        sub: id.toString(), // it is essential to always return a sub claim
+        uid: id.toString(), // for ProConnect Federation use only
+        updated_at,
+        usual_name: family_name,
       };
+      const personalClaims: UserClaims = UserClaimsSchema.parse(
+        omitBy(
+          userClaims,
+          (value) =>
+            // NOTE(douglasduteil): a Claim SHOULD NOT be present with a null or empty string value
+            // \see https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
+            value === null || value === "",
+        ),
+      );
+
       const organizations = await getUsersOrganizations(id);
       if (mustReturnOneOrganizationInPayload(scope)) {
         const [selectedOrganizationIdErr, selectedOrganizationId] = await to(
