@opengovsg/mockpass 3.0.1 → 3.0.3

package/lib/crypto/myinfo-signature.js

@@ -1,4 +1,5 @@
 const _ = require('lodash')
+const qs = require('node:querystring')
 
 const pki = function pki(authHeader, req, context = {}) {
   const authHeaderFieldPairs = _(authHeader)
@@ -6,67 +7,39 @@ const pki = function pki(authHeader, req, context = {}) {
     .split(',')
     .map((v) => v.replace('=', '~').split('~'))
 
-  const authHeaderFields = _(authHeaderFieldPairs)
-    .fromPairs()
-    .mapKeys((_v, k) => _.camelCase(k))
-    .value()
+  const authHeaderFields = Object.fromEntries(authHeaderFieldPairs)
 
   const url = `${req.protocol}://${req.get('host')}${req.baseUrl}${req.path}`
 
-  const { clientSecret, redirectURI } = context
-
-  const {
-    method: httpMethod,
-    query: { attributes, sp_esvcId },
-  } = req
-
-  const { code } = req.body || {}
-
-  const {
-    signature,
-    appId,
-    appId: clientId,
-    nonce,
-    timestamp,
-  } = authHeaderFields
-  return {
-    signature,
-    baseString: req.path.endsWith('/token')
-      ? httpMethod.toUpperCase() +
-        '&' +
-        url +
-        '&app_id=' +
-        appId +
-        '&client_id=' +
-        clientId +
-        '&client_secret=' +
-        clientSecret +
-        '&code=' +
-        code +
-        '&grant_type=authorization_code' +
-        '&nonce=' +
-        nonce +
-        '&redirect_uri=' +
-        redirectURI +
-        '&signature_method=RS256' +
-        '&timestamp=' +
-        timestamp
-      : httpMethod.toUpperCase() +
-        '&' +
-        url +
-        '&app_id=' +
-        appId +
-        '&attributes=' +
-        attributes +
-        '&client_id=' +
-        clientId +
-        '&nonce=' +
-        nonce +
-        '&signature_method=RS256' +
-        (req.path.includes('/person-basic') ? '&sp_esvcId=' + sp_esvcId : '') +
-        '&timestamp=' +
-        timestamp,
-  }
+  const { method: httpMethod, query, body } = req
+
+  const { signature, app_id, nonce, timestamp } = authHeaderFields
+
+  const params = Object.assign(
+    {},
+    query,
+    body,
+    {
+      nonce,
+      app_id,
+      signature_method: 'RS256',
+      timestamp,
+    },
+    context.client_secret && context.redirect_uri ? context : {},
+  )
+
+  const sortedParams = Object.fromEntries(
+    Object.entries(params).sort(([k1], [k2]) => k1.localeCompare(k2)),
+  )
+
+  const baseString =
+    httpMethod.toUpperCase() +
+    '&' +
+    url +
+    '&' +
+    qs.unescape(qs.stringify(sortedParams))
+
+  return { signature, baseString }
 }
 
 module.exports = { pki }

package/lib/express/myinfo/controllers.js

@@ -132,14 +132,14 @@ module.exports =
         type: 'application/x-www-form-urlencoded',
       }),
       (req, res) => {
-        const [tokenTemplate, redirectURI] =
+        const [tokenTemplate, redirect_uri] =
           consent.authorizations[req.body.code]
         const [, authHeader] = (req.get('Authorization') || '').split(' ')
 
         const { signature, baseString } = MYINFO_SECRET
           ? myInfoSignature(authHeader, req, {
-              clientSecret: MYINFO_SECRET,
-              redirectURI,
+              client_secret: MYINFO_SECRET,
+              redirect_uri,
             })
           : {}
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opengovsg/mockpass",
-  "version": "3.0.1",
+  "version": "3.0.3",
   "description": "A mock SingPass/CorpPass server for dev purposes",
   "main": "index.js",
   "bin": {
@@ -36,7 +36,6 @@
     "node": ">=8.0.0"
   },
   "dependencies": {
-    "@xmldom/xmldom": "^0.8.0",
     "base-64": "^1.0.0",
     "cookie-parser": "^1.4.3",
     "dotenv": "^16.0.0",