@opengovsg/mockpass 4.0.7 → 4.0.8
|
@@ -5,7 +5,7 @@ const path = require('path')
|
|
|
5
5
|
const express = require('express')
|
|
6
6
|
const { pick, partition } = require('lodash')
|
|
7
7
|
|
|
8
|
-
const jose = require('
|
|
8
|
+
const jose = require('jose')
|
|
9
9
|
const jwt = require('jsonwebtoken')
|
|
10
10
|
|
|
11
11
|
const assertions = require('../../assertions')
|
|
@@ -31,16 +31,27 @@ module.exports =
|
|
|
31
31
|
}
|
|
32
32
|
|
|
33
33
|
const encryptPersona = async (persona) => {
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
34
|
+
/*
|
|
35
|
+
* We sign and encrypt the persona. It's important to note that although a signature is
|
|
36
|
+
* usually derived from the payload hash and is thus much smaller than the payload itself,
|
|
37
|
+
* we're specifically contructeding a JWT, which contains the original payload.
|
|
38
|
+
*
|
|
39
|
+
* We then construct a JWE and provide two headers specifying the encryption algorithms used.
|
|
40
|
+
* You can read about them here: https://www.rfc-editor.org/rfc/inline-errata/rfc7518.html
|
|
41
|
+
*
|
|
42
|
+
* These values weren't picked arbitrarily; they were the defaults used by a library we
|
|
43
|
+
* formerly used: node-jose. We opted to continue using them for backwards compatibility.
|
|
44
|
+
*/
|
|
45
|
+
const privateKey = await jose.importPKCS8(MOCKPASS_PRIVATE_KEY.toString())
|
|
46
|
+
const sign = await new jose.SignJWT(persona)
|
|
47
|
+
.setProtectedHeader({ alg: 'RS256' })
|
|
48
|
+
.sign(privateKey)
|
|
49
|
+
const publicKey = await jose.importX509(serviceProvider.cert.toString())
|
|
50
|
+
const encryptedAndSignedPersona = await new jose.CompactEncrypt(
|
|
51
|
+
Buffer.from(sign),
|
|
41
52
|
)
|
|
42
|
-
.
|
|
43
|
-
.
|
|
53
|
+
.setProtectedHeader({ alg: 'RSA-OAEP', enc: 'A128CBC-HS256' })
|
|
54
|
+
.encrypt(publicKey)
|
|
44
55
|
return encryptedAndSignedPersona
|
|
45
56
|
}
|
|
46
57
|
|
|
@@ -142,7 +153,6 @@ module.exports =
|
|
|
142
153
|
redirect_uri,
|
|
143
154
|
})
|
|
144
155
|
: {}
|
|
145
|
-
|
|
146
156
|
if (!tokenTemplate) {
|
|
147
157
|
res.status(400).send({
|
|
148
158
|
code: 400,
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@opengovsg/mockpass",
|
|
3
|
-
"version": "4.0.
|
|
3
|
+
"version": "4.0.8",
|
|
4
4
|
"description": "A mock SingPass/CorpPass server for dev purposes",
|
|
5
5
|
"main": "index.js",
|
|
6
6
|
"bin": {
|
|
@@ -41,6 +41,7 @@
|
|
|
41
41
|
"dotenv": "^16.0.0",
|
|
42
42
|
"expiry-map": "^2.0.0",
|
|
43
43
|
"express": "^4.16.3",
|
|
44
|
+
"jose": "^4.14.4",
|
|
44
45
|
"jsonwebtoken": "^9.0.0",
|
|
45
46
|
"lodash": "^4.17.11",
|
|
46
47
|
"morgan": "^1.9.1",
|