
US-NOTIFY-COMPLY 50: Verify Nonce For Invite #2024

Open
wants to merge 8 commits into
base: main

Conversation

xlorepdarkhelm
Contributor

@xlorepdarkhelm xlorepdarkhelm commented Oct 15, 2024

A note to PR reviewers: it may be helpful to review our code review documentation to know what to keep in mind while reviewing pull requests.

Description

Makes nonce operations for login.gov work for invites as well as the logins now. (admin side)

Issue

https://github.com/GSA/us-notify-compliance/issues/50

Security Considerations

This improves the security for logins through login.gov.

NOTE

Do not merge until GSA/notifications-api#1365 is also ready.

Contributor

@ccostino ccostino left a comment


Thanks, @xlorepdarkhelm! This looks mostly good to me too and I appreciate the small refactoring to pull some of that token generation into its own method! Are there tests that could go along with that to make sure we have proper coverage of that code or are they already present? They might be and may just have to shift to cover the new method, but I wanted to double check.

I do see that CodeQL flagged a thing that's not necessarily a part of your PR directly, but since it appeared here, let's see if we can also resolve it as well, and/or dismiss it if it's truly not an issue. Thanks!

@xlorepdarkhelm
Contributor Author

Thanks, @xlorepdarkhelm! This looks mostly good to me too and I appreciate the small refactoring to pull some of that token generation into its own method! Are there tests that could go along with that to make sure we have proper coverage of that code or are they already present? They might be and may just have to shift to cover the new method, but I wanted to double check.

I haven't gotten the tests set up yet; there are a couple that need changes, and yeah, we need something to validate the ID token unpacking.

I do see that CodeQL flagged a thing that's not necessarily a part of your PR directly, but since it appeared here, let's see if we can also resolve it as well, and/or dismiss it if it's truly not an issue. Thanks!

Yeah, I'll get that cleared up.

Contributor

@terrazoon terrazoon left a comment


Similar comments to Carlo, which Cliff already said he'd resolve. So, approved based on that resolution.
