@opengovsg/mockpass 4.0.12 → 4.3.2

package/.github/workflows/npmpublish.yml

@@ -11,10 +11,12 @@ jobs:
   publish-npm:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v1
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v3
         with:
-          node-version: 12
+          node-version: 'lts/*'
+          cache: 'npm'
+          cache-dependency-path: '**/package-lock.json'
           registry-url: https://registry.npmjs.org/
       - run: npm ci
       - run: npm publish --access public

package/.husky/install.mjs

@@ -0,0 +1,6 @@
+// Skip Husky install in production and CI
+if (process.env.NODE_ENV === 'production' || process.env.CI === 'true') {
+  process.exit(0)
+}
+const husky = (await import('husky')).default
+console.log(husky())

package/.husky/pre-commit

@@ -1,4 +1 @@
-#!/bin/sh
-. "$(dirname "$0")/_/husky.sh"
-
 npx lint-staged

package/.husky/pre-push

@@ -1,4 +1 @@
-#!/bin/sh
-. "$(dirname "$0")/_/husky.sh"
-
 npx commitlint --from origin/main --to HEAD --verbose

package/Dockerfile

@@ -4,6 +4,8 @@ WORKDIR /usr/src/mockpass
 
 COPY package* ./
 
+COPY ./.husky ./.husky
+
 RUN npm ci
 
 COPY . ./

package/README.md

@@ -84,7 +84,7 @@ Configure your application (or MockPass) with certificates/keys:
 MockPass accepts any value for `client_id`, `redirect_uri` and `sp_esvcId`.
 The `client_secret` value will be checked if configured, see below.
 
-Only the profiles (NRICs) that have entries in Mockpass' static dataset will
+Only the profiles (NRICs) that have entries in Mockpass' personas dataset will
 succeed, using other NRICs will result in an error. See the list of personas in
 [static/myinfo/v3.json](static/myinfo/v3.json).
 
@@ -119,10 +119,19 @@ Configure your application (or MockPass) with certificates/keys:
 
 MockPass accepts any value for `client_id`, `client_secret` and `redirect_uri`.
 
-Only the profiles (NRICs) that have entries in Mockpass' static dataset will
+Only the profiles (NRICs) that have entries in Mockpass' personas dataset will
 succeed, using other NRICs will result in an error. See the list of personas in 
 [static/myinfo/v3.json](static/myinfo/v3.json).
 
+If the Public Officer Employment Details data item is requested, the 
+`pocdex.public_officer_details` scope data is sourced from the
+`publicofficerdetails` data key (where present) on personas.
+Most personas do not have this data key configured, and will result in a `"NA"`
+response instead of an stringified array. As these personas are not identified
+in the login page dropdown, please check the personas dataset linked above to
+identify them.
+The `pocdex.number_of_employments` scope is not supported.
+
 | Configuration item | Explanation |
 |---|---|
 | Client certificate | **Overview:** When client makes any request, what certificate is used to verify the request signature, and what certificate is used to encrypt the data payload. <br> **Default:** static key `static/certs/key.pub` is used. <br> **How to configure:** Set the env var `SERVICE_PROVIDER_PUB_KEY` to the path to a public key PEM file. (A certificate PEM file can also be provided, despite the env var name.) |
@@ -159,6 +168,7 @@ Common configuration:
 | Configuration item | Explanation |
 |---|---|
 | Port number | **Overview:** What port number MockPass will listen for HTTP requests on. <br> **Default:** 5156. <br> **How to configure:** Set the env var `MOCKPASS_PORT` or `PORT` to some port number. |
+| Stateless Mode | **Overview:** Enable for environments where the state of the process is not guaranteed, such as in serverless contexts. <br> **Default:** not set. <br> **How to configure:** Set the env var `MOCKPASS_STATELESS` to `true` or `false`. |
 
 Run MockPass:
 

package/app.js

@@ -35,12 +35,15 @@ const cryptoConfig = {
     process.env.RESOLVE_ARTIFACT_REQUEST_SIGNED !== 'false',
 }
 
+const isStateless = process.env.MOCKPASS_STATELESS === 'true'
+
 const options = {
   serviceProvider,
   showLoginPage: (req) =>
     (req.header('X-Show-Login-Page') || process.env.SHOW_LOGIN_PAGE) === 'true',
   encryptMyInfo: process.env.ENCRYPT_MYINFO === 'true',
   cryptoConfig,
+  isStateless,
 }
 
 const app = express()
@@ -50,7 +53,7 @@ configOIDC(app, options)
 configOIDCv2(app, options)
 configSGID(app, options)
 
-configMyInfo.consent(app)
+configMyInfo.consent(app, options)
 configMyInfo.v3(app, options)
 
 app.enable('trust proxy')

package/lib/auth-code.js

@@ -4,14 +4,24 @@ const crypto = require('crypto')
 const AUTH_CODE_TIMEOUT = 5 * 60 * 1000
 const profileAndNonceStore = new ExpiryMap(AUTH_CODE_TIMEOUT)
 
-const generateAuthCode = ({ profile, scopes, nonce }) => {
-  const authCode = crypto.randomBytes(45).toString('base64')
+const generateAuthCode = (
+  { profile, scopes, nonce },
+  { isStateless = false },
+) => {
+  const authCode = isStateless
+    ? Buffer.from(JSON.stringify({ profile, scopes, nonce })).toString(
+        'base64url',
+      )
+    : crypto.randomBytes(45).toString('base64')
+
   profileAndNonceStore.set(authCode, { profile, scopes, nonce })
   return authCode
 }
 
-const lookUpByAuthCode = (authCode) => {
-  return profileAndNonceStore.get(authCode)
+const lookUpByAuthCode = (authCode, { isStateless = false }) => {
+  return isStateless
+    ? JSON.parse(Buffer.from(authCode, 'base64url').toString('utf-8'))
+    : profileAndNonceStore.get(authCode)
 }
 
 module.exports = { generateAuthCode, lookUpByAuthCode }

package/lib/express/myinfo/consent.js

@@ -47,13 +47,13 @@ const authorizeViaOIDC = authorize(
     `/singpass/authorize?client_id=MYINFO-CONSENTPLATFORM&redirect_uri=${MYINFO_ASSERT_ENDPOINT}&state=${state}`,
 )
 
-function config(app) {
+function config(app, { isStateless }) {
   app.get(MYINFO_ASSERT_ENDPOINT, (req, res) => {
     const rawArtifact = req.query.SAMLart || req.query.code
     const artifact = rawArtifact.replace(/ /g, '+')
     const state = req.query.RelayState || req.query.state
 
-    const profile = lookUpByAuthCode(artifact).profile
+    const profile = lookUpByAuthCode(artifact, { isStateless }).profile
     const myinfoVersion = 'v3'
 
     const { nric: id } = profile

package/lib/express/oidc/spcp.js

@@ -24,7 +24,7 @@ const signingPem = fs.readFileSync(
   path.resolve(__dirname, '../../../static/certs/spcp-key.pem'),
 )
 
-function config(app, { showLoginPage, serviceProvider }) {
+function config(app, { showLoginPage, serviceProvider, isStateless }) {
   for (const idp of ['singPass', 'corpPass']) {
     const profiles = assertions.oidc[idp]
     const defaultProfile =
@@ -34,7 +34,7 @@ function config(app, { showLoginPage, serviceProvider }) {
       const { redirect_uri: redirectURI, state, nonce } = req.query
       if (showLoginPage(req)) {
         const values = profiles.map((profile) => {
-          const authCode = generateAuthCode({ profile, nonce })
+          const authCode = generateAuthCode({ profile, nonce }, { isStateless })
           const assertURL = buildAssertURL(redirectURI, authCode, state)
           const id = idGenerator[idp](profile)
           return { id, assertURL }
@@ -53,7 +53,7 @@ function config(app, { showLoginPage, serviceProvider }) {
         res.send(response)
       } else {
         const profile = customProfileFromHeaders[idp](req) || defaultProfile
-        const authCode = generateAuthCode({ profile, nonce })
+        const authCode = generateAuthCode({ profile, nonce }, { isStateless })
         const assertURL = buildAssertURL(redirectURI, authCode, state)
         console.warn(
           `Redirecting login from ${req.query.client_id} to ${redirectURI}`,
@@ -72,7 +72,7 @@ function config(app, { showLoginPage, serviceProvider }) {
         profile.uen = uen
       }
 
-      const authCode = generateAuthCode({ profile, nonce })
+      const authCode = generateAuthCode({ profile, nonce }, { isStateless })
       const assertURL = buildAssertURL(redirectURI, authCode, state)
       res.redirect(assertURL)
     })
@@ -88,20 +88,32 @@ function config(app, { showLoginPage, serviceProvider }) {
           const { refresh_token: suppliedRefreshToken } = req.body
           console.warn(`Refreshing tokens with ${suppliedRefreshToken}`)
 
-          profile = profileStore.get(suppliedRefreshToken)
+          profile = isStateless
+            ? JSON.parse(
+                Buffer.from(suppliedRefreshToken, 'base64url').toString(
+                  'utf-8',
+                ),
+              )
+            : profileStore.get(suppliedRefreshToken)
         } else {
           const { code: authCode } = req.body
           console.warn(
             `Received auth code ${authCode} from ${aud} and ${req.body.redirect_uri}`,
           )
-          ;({ profile, nonce } = lookUpByAuthCode(authCode))
+          ;({ profile, nonce } = lookUpByAuthCode(authCode, { isStateless }))
         }
 
         const iss = `${req.protocol}://${req.get('host')}`
 
-        const { idTokenClaims, accessToken, refreshToken } =
-          await assertions.oidc.create[idp](profile, iss, aud, nonce)
+        const {
+          idTokenClaims,
+          accessToken,
+          refreshToken: generatedRefreshToken,
+        } = await assertions.oidc.create[idp](profile, iss, aud, nonce)
 
+        const refreshToken = isStateless
+          ? Buffer.from(JSON.stringify(profile)).toString('base64url')
+          : generatedRefreshToken
         profileStore.set(refreshToken, profile)
 
         const signingKey = await jose.JWK.asKey(signingPem, 'pem')

package/lib/express/oidc/v2-ndi.js

@@ -140,7 +140,7 @@ function findEncryptionKey(jwks, algs) {
   }
 }
 
-function config(app, { showLoginPage }) {
+function config(app, { showLoginPage, isStateless }) {
   for (const idp of ['singPass', 'corpPass']) {
     const profiles = assertions.oidc[idp]
     const defaultProfile =
@@ -196,7 +196,7 @@ function config(app, { showLoginPage }) {
       // Identical to OIDC v1
       if (showLoginPage(req)) {
         const values = profiles.map((profile) => {
-          const authCode = generateAuthCode({ profile, nonce })
+          const authCode = generateAuthCode({ profile, nonce }, { isStateless })
           const assertURL = buildAssertURL(redirectURI, authCode, state)
           const id = idGenerator[idp](profile)
           return { id, assertURL }
@@ -215,7 +215,7 @@ function config(app, { showLoginPage }) {
         res.send(response)
       } else {
         const profile = customProfileFromHeaders[idp](req) || defaultProfile
-        const authCode = generateAuthCode({ profile, nonce })
+        const authCode = generateAuthCode({ profile, nonce }, { isStateless })
         const assertURL = buildAssertURL(redirectURI, authCode, state)
         console.warn(
           `Redirecting login from ${req.query.client_id} to ${redirectURI}`,
@@ -234,7 +234,7 @@ function config(app, { showLoginPage }) {
         profile.uen = uen
       }
 
-      const authCode = generateAuthCode({ profile, nonce })
+      const authCode = generateAuthCode({ profile, nonce }, { isStateless })
       const assertURL = buildAssertURL(redirectURI, authCode, state)
       res.redirect(assertURL)
     })
@@ -434,7 +434,7 @@ function config(app, { showLoginPage }) {
         }
 
         // Step 1: Obtain profile for which the auth code requested data for
-        const { profile, nonce } = lookUpByAuthCode(authCode)
+        const { profile, nonce } = lookUpByAuthCode(authCode, { isStateless })
 
         // Step 2: Get ID token
         const aud = clientAssertionClaims['sub']

package/lib/express/sgid.js

@@ -30,7 +30,7 @@ const buildAssertURL = (redirectURI, authCode, state) =>
     authCode,
   )}&state=${encodeURIComponent(state)}`
 
-function config(app, { showLoginPage, serviceProvider }) {
+function config(app, { showLoginPage, serviceProvider, isStateless }) {
   const profiles = assertions.oidc.singPass
   const defaultProfile =
     profiles.find((p) => p.nric === process.env.MOCKPASS_NRIC) || profiles[0]
@@ -43,7 +43,10 @@ function config(app, { showLoginPage, serviceProvider }) {
       const values = profiles
         .filter((profile) => assertions.myinfo.v3.personas[profile.nric])
         .map((profile) => {
-          const authCode = generateAuthCode({ profile, scopes, nonce })
+          const authCode = generateAuthCode(
+            { profile, scopes, nonce },
+            { isStateless },
+          )
           const assertURL = buildAssertURL(redirectURI, authCode, state)
           const id = idGenerator.singPass(profile)
           return { id, assertURL }
@@ -52,7 +55,10 @@ function config(app, { showLoginPage, serviceProvider }) {
       res.send(response)
     } else {
       const profile = defaultProfile
-      const authCode = generateAuthCode({ profile, scopes, nonce })
+      const authCode = generateAuthCode(
+        { profile, scopes, nonce },
+        { isStateless },
+      )
       const assertURL = buildAssertURL(redirectURI, authCode, state)
       console.info(
         `Redirecting login from ${req.query.client_id} to ${assertURL}`,
@@ -74,7 +80,9 @@ function config(app, { showLoginPage, serviceProvider }) {
       )
 
       try {
-        const { profile, scopes, nonce } = lookUpByAuthCode(authCode)
+        const { profile, scopes, nonce } = lookUpByAuthCode(authCode, {
+          isStateless,
+        })
         console.info(
           `Profile ${JSON.stringify(profile)} with token scope ${scopes}`,
         )
@@ -120,7 +128,9 @@ function config(app, { showLoginPage, serviceProvider }) {
       req.headers.authorization || req.headers.Authorization
     ).replace('Bearer ', '')
     // eslint-disable-next-line no-unused-vars
-    const { profile, scopes, unused } = lookUpByAuthCode(authCode)
+    const { profile, scopes, unused } = lookUpByAuthCode(authCode, {
+      isStateless,
+    })
     const uuid = profile.uuid
     const nric = assertions.oidc.singPass.find((p) => p.uuid === uuid).nric
     const persona = assertions.myinfo.v3.personas[nric]
@@ -258,6 +268,10 @@ const formatVehicles = (vehicles) => {
   return vehicleObjects
 }
 
+const formatJsonStringify = (value) => {
+  return value == undefined ? 'NA' : JSON.stringify(value)
+}
+
 const defaultUndefinedToNA = (value) => {
   return value || 'NA'
 }
@@ -310,6 +324,8 @@ const sgIDScopeToMyInfoField = (persona, scope) => {
       return defaultUndefinedToNA(persona.marital?.desc)
     case 'myinfo.mobile_number_with_country_code':
       return formatMobileNumberWithPrefix(persona.mobileno)
+    case 'pocdex.public_officer_details':
+      return formatJsonStringify(persona.publicofficerdetails)
     default:
       return 'NA'
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opengovsg/mockpass",
-  "version": "4.0.12",
+  "version": "4.3.2",
   "description": "A mock SingPass/CorpPass server for dev purposes",
   "main": "app.js",
   "bin": {
@@ -12,7 +12,7 @@
     "cz": "git-cz",
     "lint": "eslint lib",
     "lint-fix": "eslint --fix lib",
-    "_postinstall": "husky install",
+    "prepare": "node .husky/install.mjs",
     "prepublishOnly": "pinst --disable",
     "postpublish": "pinst --enable"
   },
@@ -41,7 +41,7 @@
     "dotenv": "^16.0.0",
     "expiry-map": "^2.0.0",
     "express": "^4.16.3",
-    "jose": "^4.14.4",
+    "jose": "^5.2.3",
     "jsonwebtoken": "^9.0.0",
     "lodash": "^4.17.11",
     "morgan": "^1.9.1",
@@ -50,16 +50,16 @@
     "uuid": "^9.0.0"
   },
   "devDependencies": {
-    "@commitlint/cli": "^17.1.2",
-    "@commitlint/config-conventional": "^17.1.0",
-    "@commitlint/travis-cli": "^17.1.2",
+    "@commitlint/cli": "^19.1.0",
+    "@commitlint/config-conventional": "^19.0.3",
+    "@commitlint/travis-cli": "^19.0.3",
     "commitizen": "^4.2.4",
     "cz-conventional-changelog": "^3.2.0",
     "eslint": "^8.0.0",
-    "eslint-config-prettier": "^8.3.0",
+    "eslint-config-prettier": "^9.1.0",
     "eslint-plugin-prettier": "^4.0.0",
-    "husky": "^8.0.1",
-    "lint-staged": "^14.0.1",
+    "husky": "^9.0.11",
+    "lint-staged": "^15.2.2",
     "nodemon": "^3.0.1",
     "pinst": "^3.0.0",
     "prettier": "^2.0.5"

package/static/myinfo/v3.json

@@ -1203,7 +1203,16 @@
         "source": "1",
         "classification": "C",
         "desc": ""
-      }
+      },
+      "publicofficerdetails": [
+        {
+          "work_email": "lim_yong_xiang@was.gov.sg",
+          "agency_name": "Work Allocation Singapore",
+          "department_name": "Allocation Central",
+          "employment_type": "Fixed Term",
+          "employment_title": "Senior Software Engineer - LLv1 (Individual Contributor) (WAS)"
+        }
+      ]
     },
     "S9912370B": {
       "edulevel": {
@@ -1517,7 +1526,7 @@
         "code": "C",
         "source": "1",
         "classification": "C",
-        "desc": "Citizen"
+        "desc": "CITIZEN"
       },
       "cpfbalances": {
         "lastupdated": "2020-04-16",
@@ -2415,7 +2424,7 @@
         "code": "C",
         "source": "1",
         "classification": "C",
-        "desc": "Citizen"
+        "desc": "CITIZEN"
       },
       "cpfbalances": {
         "lastupdated": "2020-04-16",
@@ -7065,7 +7074,7 @@
         "code": "C",
         "source": "1",
         "classification": "C",
-        "desc": "Citizen"
+        "desc": "CITIZEN"
       },
       "cpfbalances": {
         "lastupdated": "2020-04-16",
@@ -8214,7 +8223,7 @@
         "code": "C",
         "source": "1",
         "classification": "C",
-        "desc": "Citizen"
+        "desc": "CITIZEN"
       },
       "cpfbalances": {
         "lastupdated": "2020-04-16",
@@ -9302,7 +9311,7 @@
         "code": "C",
         "source": "1",
         "classification": "C",
-        "desc": "Citizen"
+        "desc": "CITIZEN"
       },
       "cpfbalances": {
         "lastupdated": "2020-04-16",
@@ -10104,7 +10113,7 @@
         "code": "C",
         "source": "1",
         "classification": "C",
-        "desc": "Citizen"
+        "desc": "CITIZEN"
       },
       "cpfbalances": {
         "lastupdated": "2020-02-04",
@@ -12107,7 +12116,7 @@
         "code": "C",
         "source": "1",
         "classification": "C",
-        "desc": "Citizen"
+        "desc": "CITIZEN"
       },
       "cpfbalances": {
         "lastupdated": "2020-04-16",
@@ -13817,7 +13826,7 @@
         "code": "C",
         "source": "1",
         "classification": "C",
-        "desc": "Citizen"
+        "desc": "CITIZEN"
       },
       "cpfbalances": {
         "oa": {
@@ -14473,7 +14482,7 @@
         "code": "C",
         "source": "1",
         "classification": "C",
-        "desc": "Citizen"
+        "desc": "CITIZEN"
       },
       "cpfbalances": {
         "lastupdated": "2020-04-16",
@@ -15150,7 +15159,7 @@
         "code": "C",
         "source": "1",
         "classification": "C",
-        "desc": "Citizen"
+        "desc": "CITIZEN"
       },
       "cpfbalances": {
         "lastupdated": "2020-04-16",
@@ -16153,7 +16162,7 @@
         "code": "C",
         "source": "1",
         "classification": "C",
-        "desc": "Citizen"
+        "desc": "CITIZEN"
       },
       "cpfbalances": {
         "lastupdated": "2020-04-16",
@@ -19137,7 +19146,7 @@
         "code": "C",
         "source": "1",
         "classification": "C",
-        "desc": "Citizen"
+        "desc": "CITIZEN"
       },
       "cpfbalances": {
         "lastupdated": "2020-04-16",
@@ -24343,7 +24352,7 @@
         "code": "C",
         "source": "1",
         "classification": "C",
-        "desc": "Citizen"
+        "desc": "CITIZEN"
       },
       "cpfbalances": {
         "lastupdated": "2020-04-16",
@@ -26126,7 +26135,7 @@
         "code": "C",
         "source": "1",
         "classification": "C",
-        "desc": "Citizen"
+        "desc": "CITIZEN"
       },
       "cpfbalances": {
         "oa": {
@@ -26919,7 +26928,7 @@
         "code": "C",
         "source": "1",
         "classification": "C",
-        "desc": "Citizen"
+        "desc": "CITIZEN"
       },
       "cpfbalances": {
         "lastupdated": "2020-04-16",
@@ -27960,7 +27969,7 @@
         "code": "C",
         "source": "1",
         "classification": "C",
-        "desc": "Citizen"
+        "desc": "CITIZEN"
       },
       "cpfbalances": {
         "oa": {