From d27f03c789b8aa13f40469e4fef510dc936d9350 Mon Sep 17 00:00:00 2001
From: BenjaminWCO <benjamin.woolley@digital.cabinet-office.gov.uk>
Date: Thu, 24 Oct 2024 17:00:27 +0100
Subject: [PATCH] ATO-983: Set InternalCommonSubjectIdentifier in AuthSession

---
 .../frontendapi/helpers/SessionHelper.java    | 21 +++++++------
 .../lambda/CheckUserExistsHandler.java        | 31 ++++++++++++++++---
 .../frontendapi/lambda/LoginHandler.java      | 16 +++++-----
 .../frontendapi/lambda/SignUpHandler.java     | 10 +++---
 .../frontendapi/lambda/VerifyCodeHandler.java |  7 +++--
 .../lambda/VerifyMfaCodeHandler.java          |  7 +++--
 .../lambda/CheckUserExistsHandlerTest.java    | 28 +++++++++++++++++
 .../api/CheckUserExistsIntegrationTest.java   |  4 +++
 .../shared/entity/AuthSessionItem.java        | 19 ++++++++++--
 9 files changed, 110 insertions(+), 33 deletions(-)

diff --git a/frontend-api/src/main/java/uk/gov/di/authentication/frontendapi/helpers/SessionHelper.java b/frontend-api/src/main/java/uk/gov/di/authentication/frontendapi/helpers/SessionHelper.java
index dfe1b013fb..b40a4fbb03 100644
--- a/frontend-api/src/main/java/uk/gov/di/authentication/frontendapi/helpers/SessionHelper.java
+++ b/frontend-api/src/main/java/uk/gov/di/authentication/frontendapi/helpers/SessionHelper.java
@@ -3,9 +3,10 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import uk.gov.di.authentication.frontendapi.lambda.VerifyMfaCodeHandler;
-import uk.gov.di.authentication.shared.entity.Session;
+import uk.gov.di.authentication.shared.entity.AuthSessionItem;
 import uk.gov.di.authentication.shared.entity.UserProfile;
 import uk.gov.di.authentication.shared.helpers.ClientSubjectHelper;
+import uk.gov.di.authentication.shared.services.AuthSessionService;
 import uk.gov.di.authentication.shared.services.AuthenticationService;
 import uk.gov.di.authentication.shared.services.ConfigurationService;
 import uk.gov.di.authentication.shared.services.SessionService;
@@ -16,16 +17,18 @@ public class SessionHelper {
 
     public static void updateSessionWithSubject(
             UserContext userContext,
-            AuthenticationService authenticationService,
-            ConfigurationService configurationService,
+            AuthSessionItem authSession,
             SessionService sessionService,
-            Session session) {
+            AuthSessionService authSessionService,
+            AuthenticationService authenticationService,
+            ConfigurationService configurationService) {
         LOG.info("Calculating internal common subject identifier");
+        var session = userContext.getSession();
         UserProfile userProfile =
                 userContext.getUserProfile().isPresent()
                         ? userContext.getUserProfile().get()
                         : authenticationService.getUserProfileByEmail(session.getEmailAddress());
-        var internalCommonSubjectIdentifier =
+        var internalCommonSubjectId =
                 session.getInternalCommonSubjectIdentifier() != null
                         ? session.getInternalCommonSubjectIdentifier()
                         : ClientSubjectHelper.getSubjectWithSectorIdentifier(
@@ -34,9 +37,9 @@ public static void updateSessionWithSubject(
                                         authenticationService)
                                 .getValue();
         LOG.info("Setting internal common subject identifier in user session");
-        sessionService.storeOrUpdateSession(
-                userContext
-                        .getSession()
-                        .setInternalCommonSubjectIdentifier(internalCommonSubjectIdentifier));
+        session.setInternalCommonSubjectIdentifier(internalCommonSubjectId);
+        sessionService.storeOrUpdateSession(session);
+        authSession.setInternalCommonSubjectId(internalCommonSubjectId);
+        authSessionService.updateSession(authSession);
     }
 }
diff --git a/frontend-api/src/main/java/uk/gov/di/authentication/frontendapi/lambda/CheckUserExistsHandler.java b/frontend-api/src/main/java/uk/gov/di/authentication/frontendapi/lambda/CheckUserExistsHandler.java
index 92948b6edd..b05803a297 100644
--- a/frontend-api/src/main/java/uk/gov/di/authentication/frontendapi/lambda/CheckUserExistsHandler.java
+++ b/frontend-api/src/main/java/uk/gov/di/authentication/frontendapi/lambda/CheckUserExistsHandler.java
@@ -12,6 +12,7 @@
 import uk.gov.di.authentication.frontendapi.entity.CheckUserExistsResponse;
 import uk.gov.di.authentication.frontendapi.entity.LockoutInformation;
 import uk.gov.di.authentication.shared.domain.AuditableEvent;
+import uk.gov.di.authentication.shared.entity.AuthSessionItem;
 import uk.gov.di.authentication.shared.entity.ErrorResponse;
 import uk.gov.di.authentication.shared.entity.JourneyType;
 import uk.gov.di.authentication.shared.entity.MFAMethodType;
@@ -22,6 +23,7 @@
 import uk.gov.di.authentication.shared.lambda.BaseFrontendHandler;
 import uk.gov.di.authentication.shared.serialization.Json.JsonException;
 import uk.gov.di.authentication.shared.services.AuditService;
+import uk.gov.di.authentication.shared.services.AuthSessionService;
 import uk.gov.di.authentication.shared.services.AuthenticationService;
 import uk.gov.di.authentication.shared.services.ClientService;
 import uk.gov.di.authentication.shared.services.ClientSessionService;
@@ -50,10 +52,12 @@ public class CheckUserExistsHandler extends BaseFrontendHandler<CheckUserExistsR
 
     private final AuditService auditService;
     private final CodeStorageService codeStorageService;
+    private final AuthSessionService authSessionService;
 
     public CheckUserExistsHandler(
             ConfigurationService configurationService,
             SessionService sessionService,
+            AuthSessionService authSessionService,
             ClientSessionService clientSessionService,
             ClientService clientService,
             AuthenticationService authenticationService,
@@ -68,6 +72,7 @@ public CheckUserExistsHandler(
                 authenticationService);
         this.auditService = auditService;
         this.codeStorageService = codeStorageService;
+        this.authSessionService = authSessionService;
     }
 
     public CheckUserExistsHandler() {
@@ -78,6 +83,7 @@ public CheckUserExistsHandler(ConfigurationService configurationService) {
         super(CheckUserExistsRequest.class, configurationService);
         this.auditService = new AuditService(configurationService);
         this.codeStorageService = new CodeStorageService(configurationService);
+        this.authSessionService = new AuthSessionService(configurationService);
     }
 
     public CheckUserExistsHandler(
@@ -85,6 +91,7 @@ public CheckUserExistsHandler(
         super(CheckUserExistsRequest.class, configurationService, redis);
         this.auditService = new AuditService(configurationService);
         this.codeStorageService = new CodeStorageService(configurationService, redis);
+        this.authSessionService = new AuthSessionService(configurationService);
     }
 
     @Override
@@ -150,6 +157,17 @@ public APIGatewayProxyResponseEvent handleRequestWithUserContext(
             AuditableEvent auditableEvent;
             var rpPairwiseId = AuditService.UNKNOWN;
             var userMfaDetail = new UserMfaDetail();
+            var session = userContext.getSession();
+
+            var optionalAuthSession =
+                    authSessionService.getSessionFromRequestHeaders(input.getHeaders());
+
+            if (optionalAuthSession.isEmpty()) {
+                return generateApiGatewayProxyErrorResponse(400, ErrorResponse.ERROR_1000);
+            }
+
+            AuthSessionItem authSession = optionalAuthSession.get();
+
             if (userExists) {
                 auditableEvent = FrontendAuditableEvent.AUTH_CHECK_USER_KNOWN_EMAIL;
                 rpPairwiseId =
@@ -159,7 +177,7 @@ public APIGatewayProxyResponseEvent handleRequestWithUserContext(
                                         authenticationService,
                                         configurationService.getInternalSectorUri())
                                 .getValue();
-                var internalPairwiseId =
+                var internalCommonSubjectId =
                         ClientSubjectHelper.getSubjectWithSectorIdentifier(
                                         userProfile.get(),
                                         configurationService.getInternalSectorUri(),
@@ -167,8 +185,9 @@ public APIGatewayProxyResponseEvent handleRequestWithUserContext(
                                 .getValue();
 
                 LOG.info("Setting internal common subject identifier in user session");
-                userContext.getSession().setInternalCommonSubjectIdentifier(internalPairwiseId);
 
+                session.setInternalCommonSubjectIdentifier(internalCommonSubjectId);
+                authSession.setInternalCommonSubjectId(internalCommonSubjectId);
                 var isPhoneNumberVerified = userProfile.get().isPhoneNumberVerified();
                 var userCredentials =
                         authenticationService.getUserCredentialsFromEmail(emailAddress);
@@ -178,9 +197,10 @@ public APIGatewayProxyResponseEvent handleRequestWithUserContext(
                                 userCredentials,
                                 userProfile.get().getPhoneNumber(),
                                 isPhoneNumberVerified);
-                auditContext = auditContext.withSubjectId(internalPairwiseId);
+                auditContext = auditContext.withSubjectId(internalCommonSubjectId);
             } else {
-                userContext.getSession().setInternalCommonSubjectIdentifier(null);
+                session.setInternalCommonSubjectIdentifier(null);
+                authSession.setInternalCommonSubjectId(null);
                 auditableEvent = FrontendAuditableEvent.AUTH_CHECK_USER_NO_ACCOUNT_WITH_EMAIL;
             }
 
@@ -212,7 +232,8 @@ public APIGatewayProxyResponseEvent handleRequestWithUserContext(
                             userMfaDetail.getMfaMethodType(),
                             getLastDigitsOfPhoneNumber(userMfaDetail),
                             lockoutInformation);
-            sessionService.storeOrUpdateSession(userContext.getSession());
+            sessionService.storeOrUpdateSession(session);
+            authSessionService.updateSession(authSession);
 
             LOG.info("Successfully processed request");
 
diff --git a/frontend-api/src/main/java/uk/gov/di/authentication/frontendapi/lambda/LoginHandler.java b/frontend-api/src/main/java/uk/gov/di/authentication/frontendapi/lambda/LoginHandler.java
index 45f2dc1064..6b25ad8886 100644
--- a/frontend-api/src/main/java/uk/gov/di/authentication/frontendapi/lambda/LoginHandler.java
+++ b/frontend-api/src/main/java/uk/gov/di/authentication/frontendapi/lambda/LoginHandler.java
@@ -199,8 +199,8 @@ public APIGatewayProxyResponseEvent handleRequestWithUserContext(
         UserCredentials userCredentials = userContext.getUserCredentials().get();
         auditContext = auditContext.withPhoneNumber(userProfile.getPhoneNumber());
 
-        var internalCommonSubjectIdentifier = getInternalCommonSubjectIdentifier(userProfile);
-        auditContext = auditContext.withUserId(internalCommonSubjectIdentifier);
+        var internalCommonSubjectId = getInternalCommonSubjectId(userProfile);
+        auditContext = auditContext.withUserId(internalCommonSubjectId);
 
         if (isReauthJourneyWithFlagsEnabled(isReauthJourney)) {
             var reauthCounts =
@@ -271,7 +271,7 @@ public APIGatewayProxyResponseEvent handleRequestWithUserContext(
         return handleValidCredentials(
                 request,
                 userContext,
-                internalCommonSubjectIdentifier,
+                internalCommonSubjectId,
                 userCredentials,
                 userProfile,
                 auditContext,
@@ -308,7 +308,9 @@ private APIGatewayProxyResponseEvent handleValidCredentials(
                         .setInternalCommonSubjectIdentifier(internalCommonSubjectIdentifier));
 
         authSessionService.updateSession(
-                authSessionItem.withAccountState(AuthSessionItem.AccountState.EXISTING));
+                authSessionItem
+                        .withAccountState(AuthSessionItem.AccountState.EXISTING)
+                        .withInternalCommonSubjectId(internalCommonSubjectIdentifier));
 
         var userMfaDetail =
                 getUserMFADetail(
@@ -451,13 +453,13 @@ private int retrieveIncorrectPasswordCount(String email, boolean isReauthJourney
                 : codeStorageService.getIncorrectPasswordCount(email);
     }
 
-    private String getInternalCommonSubjectIdentifier(UserProfile userProfile) {
-        var internalCommonSubjectIdentifier =
+    private String getInternalCommonSubjectId(UserProfile userProfile) {
+        var internalCommonSubjectId =
                 ClientSubjectHelper.getSubjectWithSectorIdentifier(
                         userProfile,
                         configurationService.getInternalSectorUri(),
                         authenticationService);
-        return internalCommonSubjectIdentifier.getValue();
+        return internalCommonSubjectId.getValue();
     }
 
     private boolean isTermsAndConditionsAccepted(UserContext userContext, UserProfile userProfile) {
diff --git a/frontend-api/src/main/java/uk/gov/di/authentication/frontendapi/lambda/SignUpHandler.java b/frontend-api/src/main/java/uk/gov/di/authentication/frontendapi/lambda/SignUpHandler.java
index 006e7a6b37..09ac73a50d 100644
--- a/frontend-api/src/main/java/uk/gov/di/authentication/frontendapi/lambda/SignUpHandler.java
+++ b/frontend-api/src/main/java/uk/gov/di/authentication/frontendapi/lambda/SignUpHandler.java
@@ -147,12 +147,12 @@ public APIGatewayProxyResponseEvent handleRequestWithUserContext(
                                     LocalDateTime.now(ZoneId.of("UTC")).toString()));
 
             LOG.info("Calculating internal common subject identifier");
-            var internalCommonSubjectIdentifier =
+            var internalCommonSubjectId =
                     ClientSubjectHelper.getSubjectWithSectorIdentifier(
                             user.getUserProfile(),
                             configurationService.getInternalSectorUri(),
                             authenticationService);
-            auditContext = auditContext.withSubjectId(internalCommonSubjectIdentifier.getValue());
+            auditContext = auditContext.withSubjectId(internalCommonSubjectId.getValue());
 
             LOG.info("Calculating RP pairwise identifier");
             var rpPairwiseId =
@@ -181,10 +181,12 @@ public APIGatewayProxyResponseEvent handleRequestWithUserContext(
                             .getSession()
                             .setEmailAddress(request.getEmail())
                             .setInternalCommonSubjectIdentifier(
-                                    internalCommonSubjectIdentifier.getValue()));
+                                    internalCommonSubjectId.getValue()));
 
             authSessionService.updateSession(
-                    authSessionItem.withAccountState(AuthSessionItem.AccountState.NEW));
+                    authSessionItem
+                            .withAccountState(AuthSessionItem.AccountState.NEW)
+                            .withInternalCommonSubjectId(internalCommonSubjectId.getValue()));
             LOG.info("Successfully processed request");
             return generateApiGatewayProxyResponse(200, "");
         } else {
diff --git a/frontend-api/src/main/java/uk/gov/di/authentication/frontendapi/lambda/VerifyCodeHandler.java b/frontend-api/src/main/java/uk/gov/di/authentication/frontendapi/lambda/VerifyCodeHandler.java
index f521545fb3..0b9a08920a 100644
--- a/frontend-api/src/main/java/uk/gov/di/authentication/frontendapi/lambda/VerifyCodeHandler.java
+++ b/frontend-api/src/main/java/uk/gov/di/authentication/frontendapi/lambda/VerifyCodeHandler.java
@@ -235,10 +235,11 @@ public APIGatewayProxyResponseEvent handleRequestWithUserContext(
             if (codeRequestType.equals(CodeRequestType.PW_RESET_MFA_SMS)) {
                 SessionHelper.updateSessionWithSubject(
                         userContext,
-                        authenticationService,
-                        configurationService,
+                        authSession.get(),
                         sessionService,
-                        session);
+                        authSessionService,
+                        authenticationService,
+                        configurationService);
             }
 
             processSuccessfulCodeRequest(
diff --git a/frontend-api/src/main/java/uk/gov/di/authentication/frontendapi/lambda/VerifyMfaCodeHandler.java b/frontend-api/src/main/java/uk/gov/di/authentication/frontendapi/lambda/VerifyMfaCodeHandler.java
index a7c891f6c8..3f0f1433f3 100644
--- a/frontend-api/src/main/java/uk/gov/di/authentication/frontendapi/lambda/VerifyMfaCodeHandler.java
+++ b/frontend-api/src/main/java/uk/gov/di/authentication/frontendapi/lambda/VerifyMfaCodeHandler.java
@@ -309,10 +309,11 @@ private APIGatewayProxyResponseEvent verifyCode(
         if (JourneyType.PASSWORD_RESET_MFA.equals(codeRequest.getJourneyType())) {
             SessionHelper.updateSessionWithSubject(
                     userContext,
-                    authenticationService,
-                    configurationService,
+                    authSession,
                     sessionService,
-                    session);
+                    authSessionService,
+                    authenticationService,
+                    configurationService);
         }
 
         var errorResponseMaybe = mfaCodeProcessor.validateCode();
diff --git a/frontend-api/src/test/java/uk/gov/di/authentication/frontendapi/lambda/CheckUserExistsHandlerTest.java b/frontend-api/src/test/java/uk/gov/di/authentication/frontendapi/lambda/CheckUserExistsHandlerTest.java
index 83515fdbb3..b45ff00b89 100644
--- a/frontend-api/src/test/java/uk/gov/di/authentication/frontendapi/lambda/CheckUserExistsHandlerTest.java
+++ b/frontend-api/src/test/java/uk/gov/di/authentication/frontendapi/lambda/CheckUserExistsHandlerTest.java
@@ -19,6 +19,7 @@
 import uk.gov.di.authentication.frontendapi.domain.FrontendAuditableEvent;
 import uk.gov.di.authentication.frontendapi.entity.CheckUserExistsResponse;
 import uk.gov.di.authentication.frontendapi.helpers.CommonTestVariables;
+import uk.gov.di.authentication.shared.entity.AuthSessionItem;
 import uk.gov.di.authentication.shared.entity.ClientRegistry;
 import uk.gov.di.authentication.shared.entity.ClientSession;
 import uk.gov.di.authentication.shared.entity.ErrorResponse;
@@ -34,6 +35,7 @@
 import uk.gov.di.authentication.shared.helpers.NowHelper;
 import uk.gov.di.authentication.shared.serialization.Json;
 import uk.gov.di.authentication.shared.services.AuditService;
+import uk.gov.di.authentication.shared.services.AuthSessionService;
 import uk.gov.di.authentication.shared.services.AuthenticationService;
 import uk.gov.di.authentication.shared.services.ClientService;
 import uk.gov.di.authentication.shared.services.ClientSessionService;
@@ -87,6 +89,7 @@ class CheckUserExistsHandlerTest {
     private final AuthenticationService authenticationService = mock(AuthenticationService.class);
     private final AuditService auditService = mock(AuditService.class);
     private final SessionService sessionService = mock(SessionService.class);
+    private final AuthSessionService authSessionService = mock(AuthSessionService.class);
     private final ConfigurationService configurationService = mock(ConfigurationService.class);
     private final ClientSessionService clientSessionService = mock(ClientSessionService.class);
     private final ClientService clientService = mock(ClientService.class);
@@ -94,6 +97,7 @@ class CheckUserExistsHandlerTest {
     private CheckUserExistsHandler handler;
     private static final Json objectMapper = SerializationService.getInstance();
     private final Session session = mock(Session.class);
+    private final AuthSessionItem authSession = mock(AuthSessionItem.class);
     private static final String CLIENT_ID = "test-client-id";
     private static final String CLIENT_NAME = "test-client-name";
     private static final Subject SUBJECT = new Subject();
@@ -135,6 +139,7 @@ void setup() {
                 new CheckUserExistsHandler(
                         configurationService,
                         sessionService,
+                        authSessionService,
                         clientSessionService,
                         clientService,
                         authenticationService,
@@ -148,6 +153,7 @@ class WhenUserExists {
         @BeforeEach
         void setup() {
             usingValidSession();
+            authSessionExists();
             var userProfile =
                     generateUserProfile().withPhoneNumber(CommonTestVariables.UK_MOBILE_NUMBER);
             setupUserProfileAndClient(Optional.of(userProfile));
@@ -286,6 +292,7 @@ void shouldReturn400AndSaveEmailInUserSessionIfUserAccountIsLocked() {
     @Test
     void shouldReturn200IfUserDoesNotExist() throws Json.JsonException {
         usingValidSession();
+        authSessionExists();
 
         setupUserProfileAndClient(Optional.empty());
 
@@ -342,11 +349,32 @@ void shouldReturn400IfEmailAddressIsInvalid() {
                         AUDIT_CONTEXT.withEmail("joe.bloggs"));
     }
 
+    @Test
+    void shouldReturn400IfAuthSessionExpired() {
+        usingValidSession();
+        authSessionMissing();
+        setupClient();
+
+        var result = handler.handleRequest(userExistsRequest(EMAIL_ADDRESS), context);
+
+        assertThat(result, hasStatus(400));
+        assertThat(result, hasJsonBody(ErrorResponse.ERROR_1000));
+    }
+
     private void usingValidSession() {
         when(sessionService.getSessionFromRequestHeaders(anyMap()))
                 .thenReturn(Optional.of(session));
     }
 
+    private void authSessionExists() {
+        when(authSessionService.getSessionFromRequestHeaders(any()))
+                .thenReturn(Optional.of(authSession));
+    }
+
+    private void authSessionMissing() {
+        when(authSessionService.getSessionFromRequestHeaders(any())).thenReturn(Optional.empty());
+    }
+
     private UserProfile generateUserProfile() {
         return new UserProfile()
                 .withEmail(EMAIL_ADDRESS)
diff --git a/integration-tests/src/test/java/uk/gov/di/authentication/api/CheckUserExistsIntegrationTest.java b/integration-tests/src/test/java/uk/gov/di/authentication/api/CheckUserExistsIntegrationTest.java
index 55ac9ddd92..5567596114 100644
--- a/integration-tests/src/test/java/uk/gov/di/authentication/api/CheckUserExistsIntegrationTest.java
+++ b/integration-tests/src/test/java/uk/gov/di/authentication/api/CheckUserExistsIntegrationTest.java
@@ -62,6 +62,7 @@ void shouldCallUserExistsEndpointAndReturnAuthenticationRequestStateWhenUserExis
             MFAMethodType mfaMethodType) throws JsonException {
         var emailAddress = "joe.bloggs+1@digital.cabinet-office.gov.uk";
         var sessionId = redis.createSession();
+        authSessionStore.addSession(Optional.empty(), sessionId);
         var clientSessionId = IdGenerator.generate();
         userStore.signUp(emailAddress, "password-1");
 
@@ -106,6 +107,7 @@ void shouldCallUserExistsEndpointAndReturnLockoutInformationForAuthAppMfa()
         var emailAddress = "joe.bloggs+1@digital.cabinet-office.gov.uk";
 
         String sessionId = redis.createUnauthenticatedSessionWithEmail(emailAddress);
+        authSessionStore.addSession(Optional.empty(), sessionId);
         var codeRequestType =
                 CodeRequestType.getCodeRequestType(MFAMethodType.AUTH_APP, JourneyType.SIGN_IN);
 
@@ -151,6 +153,7 @@ void shouldCallUserExistsEndpointAndReturnUserNotFoundStateWhenUserDoesNotExist(
             throws JsonException {
         String emailAddress = "joe.bloggs+2@digital.cabinet-office.gov.uk";
         String sessionId = redis.createSession();
+        authSessionStore.addSession(Optional.empty(), sessionId);
         var clientSessionId = IdGenerator.generate();
         setUpClientSession(emailAddress, clientSessionId, CLIENT_ID, CLIENT_NAME, REDIRECT_URI);
         BaseFrontendRequest request = new CheckUserExistsRequest(emailAddress);
@@ -178,6 +181,7 @@ void shouldCallUserExistsEndpointAndReturnErrorResponse1045WhenUserAccountIsLock
             throws JsonException {
         String emailAddress = "joe.bloggs+2@digital.cabinet-office.gov.uk";
         String sessionId = redis.createUnauthenticatedSessionWithEmail(emailAddress);
+        authSessionStore.addSession(Optional.empty(), sessionId);
         redis.blockMfaCodesForEmail(
                 emailAddress,
                 CodeStorageService.PASSWORD_BLOCKED_KEY_PREFIX + JourneyType.PASSWORD_RESET);
diff --git a/shared/src/main/java/uk/gov/di/authentication/shared/entity/AuthSessionItem.java b/shared/src/main/java/uk/gov/di/authentication/shared/entity/AuthSessionItem.java
index d5f86652de..af392cd5a4 100644
--- a/shared/src/main/java/uk/gov/di/authentication/shared/entity/AuthSessionItem.java
+++ b/shared/src/main/java/uk/gov/di/authentication/shared/entity/AuthSessionItem.java
@@ -10,6 +10,8 @@ public class AuthSessionItem {
     public static final String ATTRIBUTE_SESSION_ID = "SessionId";
     public static final String ATTRIBUTE_IS_NEW_ACCOUNT = "isNewAccount";
     public static final String ATTRIBUTE_CURRENT_CREDENTIAL_STRENGTH = "currentCredentialStrength";
+    public static final String ATTRIBUTE_VERIFIED_MFA_METHOD_TYPE = "VerifiedMfaMethodType";
+    public static final String ATTRIBUTE_INTERNAL_COMMON_SUBJECT_ID = "InternalCommonSubjectId";
 
     public enum AccountState {
         NEW,
@@ -18,13 +20,12 @@ public enum AccountState {
         UNKNOWN
     }
 
-    public static final String ATTRIBUTE_VERIFIED_MFA_METHOD_TYPE = "VerifiedMfaMethodType";
-
     private String sessionId;
     private String verifiedMfaMethodType;
     private long timeToLive;
     private AccountState isNewAccount;
     private CredentialTrustLevel currentCredentialStrength;
+    private String internalCommonSubjectId;
 
     public AuthSessionItem() {}
 
@@ -57,6 +58,20 @@ public AuthSessionItem withVerifiedMfaMethodType(String verifiedMfaMethodType) {
         return this;
     }
 
+    @DynamoDbAttribute(ATTRIBUTE_INTERNAL_COMMON_SUBJECT_ID)
+    public String getInternalCommonSubjectId() {
+        return internalCommonSubjectId;
+    }
+
+    public void setInternalCommonSubjectId(String internalCommonSubjectId) {
+        this.internalCommonSubjectId = internalCommonSubjectId;
+    }
+
+    public AuthSessionItem withInternalCommonSubjectId(String internalCommonSubjectId) {
+        this.internalCommonSubjectId = internalCommonSubjectId;
+        return this;
+    }
+
     @DynamoDbAttribute("ttl")
     public long getTimeToLive() {
         return timeToLive;