@opengovsg/mockpass 4.0.10 → 4.0.11
- package/lib/express/oidc/v2-ndi.js +59 -23
- package/package.json +2 -2
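--- a/package/lib/express/oidc/v2-ndi.js
+++ b/package/lib/express/oidc/v2-ndi.js
@@ -59,47 +59,80 @@ const id_token_encryption_alg_values_supported = {
 corpPass: corppass_id_token_encryption_alg_values_supported,
 }
 
-function
+function findEcdhEsEncryptionKey(jwks, crv, algs) {
 let encryptionKey = jwks.keys.find(
 (item) =>
 item.use === 'enc' &&
 item.kty === 'EC' &&
-item.crv ===
-(item.alg
+item.crv === crv &&
+(!item.alg ||
+(item.alg === 'ECDH-ES+A256KW' &&
+algs.some((alg) => alg === item.alg))),
 )
 if (encryptionKey) {
-return {
+return {
+...encryptionKey,
+...(!encryptionKey.alg ? { alg: 'ECDH-ES+A256KW' } : {}),
+}
+}
+encryptionKey = jwks.keys.find(
+(item) =>
+item.use === 'enc' &&
+item.kty === 'EC' &&
+item.crv === crv &&
+(!item.alg ||
+(item.alg === 'ECDH-ES+A192KW' &&
+algs.some((alg) => alg === item.alg))),
+)
+if (encryptionKey) {
+return {
+...encryptionKey,
+...(!encryptionKey.alg ? { alg: 'ECDH-ES+A256KW' } : {}),
+}
+}
+encryptionKey = jwks.keys.find(
+(item) =>
+item.use === 'enc' &&
+item.kty === 'EC' &&
+item.crv === crv &&
+(!item.alg ||
+(item.alg === 'ECDH-ES+A128KW' &&
+algs.some((alg) => alg === item.alg))),
+)
+if (encryptionKey) {
+return {
+...encryptionKey,
+...(!encryptionKey.alg ? { alg: 'ECDH-ES+A256KW' } : {}),
+}
+}
+return null
+}
+
+function findEncryptionKey(jwks, algs) {
+let encryptionKey = findEcdhEsEncryptionKey(jwks, 'P-521', algs)
+if (encryptionKey) {
+return encryptionKey
 }
 if (!encryptionKey) {
-encryptionKey = jwks
-(item) =>
-item.use === 'enc' &&
-item.kty === 'EC' &&
-item.crv === 'P-384' &&
-(item.alg === 'ECDH-ES+A192KW' || !item.alg),
-)
+encryptionKey = findEcdhEsEncryptionKey(jwks, 'P-384', algs)
 }
 if (encryptionKey) {
-return
+return encryptionKey
 }
 if (!encryptionKey) {
-encryptionKey = jwks
-(item) =>
-item.use === 'enc' &&
-item.kty === 'EC' &&
-item.crv === 'P-256' &&
-(item.alg === 'ECDH-ES+A128KW' || !item.alg),
-)
+encryptionKey = findEcdhEsEncryptionKey(jwks, 'P-256', algs)
 }
 if (encryptionKey) {
-return
+return encryptionKey
 }
 if (!encryptionKey) {
 encryptionKey = jwks.keys.find(
 (item) =>
 item.use === 'enc' &&
 item.kty === 'RSA' &&
-(item.alg
+(!item.alg ||
+(item.alg === 'RSA-OAEP-256' &&
+algs.some((alg) => alg === item.alg))),
 )
 }
 if (encryptionKey) {
@@ -432,7 +465,7 @@ function config(app, { showLoginPage }) {
 const signedProtectedHeader = {
 alg: 'ES256',
 typ: 'JWT',
-kid:
+kid: aspSigningKey.kid,
 }
 const signedIdToken = await new jose.CompactSign(
 new TextEncoder().encode(JSON.stringify(idTokenClaims)),
@@ -441,7 +474,10 @@ function config(app, { showLoginPage }) {
 .sign(signingKey)
 
 // Step 4: Encrypt ID token with RP encryption key
-const rpEncryptionKey = findEncryptionKey(
+const rpEncryptionKey = findEncryptionKey(
+rpKeysetJson,
+id_token_encryption_alg_values_supported[idp],
+)
 if (!rpEncryptionKey) {
 console.error('No suitable encryption key found', rpKeysetJson.keys)
 return res.status(400).send({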
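Review bot: In `findEcdhEsEncryptionKey` (new-side lines 62-109) a JWK with no `alg` satisfies the first `find` through the `!item.alg ||` shortcut before `algs.some(...)` is ever evaluated, and is then stamped `alg: 'ECDH-ES+A256KW'` even when that algorithm is absent from the IdP's `id_token_encryption_alg_values_supported` list passed in as `algs`, so the per-IdP allow-list this commit introduces is bypassed for alg-less keys. The same `!encryptionKey.alg` default in the A192KW and A128KW copies can never fire, because an alg-less key is always consumed by the first `find`, which leaves those branches as dead code. Folding the three copies into one loop over the key-wrapping algorithms and skipping any not in `algs` fixes both, and lets an alg-less key receive the strongest algorithm the IdP actually supports instead of a hard-coded one. The RSA branch at new-side lines 133-135 has the same `!item.alg ||` shortcut, but `findEncryptionKey`'s tail, including that return, lies outside the hunk. The `if (!encryptionKey) {` guards left at new-side lines 116 and 122 are always true after the preceding `return encryptionKey` and could be dropped.
```javascript
function findEcdhEsEncryptionKey(jwks, crv, algs) {
  // Strongest key-wrapping algorithm first; only those the IdP advertises are eligible.
  for (const kwAlg of ['ECDH-ES+A256KW', 'ECDH-ES+A192KW', 'ECDH-ES+A128KW']) {
    if (!algs.includes(kwAlg)) continue
    const encryptionKey = jwks.keys.find(
      (item) =>
        item.use === 'enc' &&
        item.kty === 'EC' &&
        item.crv === crv &&
        (!item.alg || item.alg === kwAlg),
    )
    if (encryptionKey) {
      // An alg-less JWK is pinned to the algorithm it was matched against.
      return { ...encryptionKey, alg: kwAlg }
    }
  }
  return null
}
```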
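--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@opengovsg/mockpass",
-"version": "4.0.
+"version": "4.0.11",
 "description": "A mock SingPass/CorpPass server for dev purposes",
 "main": "index.js",
 "bin": {
@@ -59,7 +59,7 @@
 "eslint-config-prettier": "^8.3.0",
 "eslint-plugin-prettier": "^4.0.0",
 "husky": "^8.0.1",
-"lint-staged": "^
+"lint-staged": "^14.0.1",
 "nodemon": "^3.0.1",
 "pinst": "^3.0.0",
 "prettier": "^2.0.5"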