@opengovsg/mockpass 4.3.2 → 4.3.4

package/.github/workflows/publish.yml

@@ -0,0 +1,46 @@
+name: Publish
+
+on:
+  release:
+    types: [created]
+
+jobs:
+  publish-npm:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 'lts/*'
+          cache: 'npm'
+          cache-dependency-path: '**/package-lock.json'
+          registry-url: https://registry.npmjs.org/
+      - run: npm ci
+      - run: npm publish --access public
+        env:
+          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+  publish-docker:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 'lts/*'
+          cache: 'npm'
+          cache-dependency-path: '**/package-lock.json'
+          registry-url: https://registry.npmjs.org/
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USER }}
+          password: ${{ secrets.DOCKER_PASS }}
+      - run: echo TAGNAME=`echo ${{ github.ref_name }} | sed 's/v//'` >> ${GITHUB_ENV}
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          push: true
+          tags: |
+            opengovsg/mockpass:latest
+            opengovsg/mockpass:${{ env.TAGNAME }}

package/README.md

@@ -90,7 +90,7 @@ succeed, using other NRICs will result in an error. See the list of personas in
 
 | Configuration item | Explanation |
 |---|---|
-| Client certificate | **Overview:** When client makes any request, what certificate is used to verify the request signature, and what certificate is used to encrypt the data payload. <br> **Default:** static certificate/key `static/certs/(server.crt|key.pub)` are used. <br> **How to configure:** Set the env var `SERVICE_PROVIDER_PUB_KEY` to the path to a public key PEM file, and `SERVICE_PROVIDER_CERT_PATH` to the path to a certificate PEM file. (A certificate PEM file can also be provided to `SERVICE_PROVIDER_PUB_KEY`, despite the env var name.) |
+| Client certificate | **Overview:** When client makes any request, what certificate is used to verify the request signature, and what certificate is used to encrypt the data payload. <br> **Default:** static certificate/key `static/certs/(server.crt\|key.pub)` are used. <br> **How to configure:** Set the env var `SERVICE_PROVIDER_PUB_KEY` to the path to a public key PEM file, and `SERVICE_PROVIDER_CERT_PATH` to the path to a certificate PEM file. (A certificate PEM file can also be provided to `SERVICE_PROVIDER_PUB_KEY`, despite the env var name.) |
 | Client secret | **Overview:** When client makes a Token request, whether MockPass verifies the request signature. <br> **Default:** Disabled. <br> **How to configure:** Enable for all requests by setting the env var `SERVICE_PROVIDER_MYINFO_SECRET` to some non-blank string. Provide this value to your application as well. |
 | Payload encryption | **Overview:** When client makes a Person or Person-Basic request, whether MockPass encrypts the data payload. When client makes a Person request, whether MockPass verifies the request signature. <br> **Default:** Disabled. <br> **How to configure:** Enable for all requests by setting the env var `ENCRYPT_MYINFO` to `true`. |
 

package/eslint.config.mjs

@@ -0,0 +1,24 @@
+import globals from "globals";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import js from "@eslint/js";
+import { FlatCompat } from "@eslint/eslintrc";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+const compat = new FlatCompat({
+    baseDirectory: __dirname,
+    recommendedConfig: js.configs.recommended,
+    allConfig: js.configs.all
+});
+
+export default [...compat.extends("eslint:recommended", "plugin:prettier/recommended"), {
+    languageOptions: {
+        globals: {
+            ...globals.node,
+        },
+
+        ecmaVersion: 2020,
+        sourceType: "commonjs",
+    },
+}];

package/lib/assertions.js

@@ -64,6 +64,9 @@ const oidc = {
     { nric: 'F1612358R', uuid: '45669f5c-e9ac-43c6-bcd2-9c3757f1fa1c' },
     { nric: 'F1612354N', uuid: 'c38ddb2d-9e5d-45c2-bb70-8ccb54fc8320' },
     { nric: 'F1612357U', uuid: 'f904a2b1-4b61-47e2-bdad-e2d606325e20' },
+    { nric: 'Y4581892I', uuid: 'acf8edda-bfdf-45fc-b140-a6ec6955d857' },
+    { nric: 'Y7654321K', uuid: '9916f054-488e-4894-8299-412e46d89e67' },
+    { nric: 'Y1234567P', uuid: '0fdcc18f-840b-4b35-80ee-44094a6cc66f' },
     ...Object.keys(myinfo.v3.personas).map((nric) => ({
       nric,
       uuid: myinfo.v3.personas[nric].uuid.value,
@@ -135,8 +138,20 @@ const oidc = {
       nonce,
       accessToken = crypto.randomBytes(15).toString('hex'),
     ) => {
-      const sub = `s=${nric},u=${uuid}`
-
+      let sub
+      const sfa = {
+        Y4581892I: { fid: 'G730Z-H5P96', coi: 'DE', RP: 'CORPPASS' },
+        Y7654321K: { fid: '123456789', coi: 'CN', RP: 'IRAS' },
+        Y1234567P: { fid: 'G730Z-H5P96', coi: 'MY', RP: 'CORPPASS' },
+      }
+      if (nric.startsWith('Y')) {
+        const sfaAccount = sfa[nric]
+          ? sfa[nric]
+          : { fid: 'G730Z-H5P96', coi: 'DE', RP: 'CORPPASS' }
+        sub = `s=${nric},fid=${sfaAccount.fid},coi=${sfaAccount.coi},u=${uuid}`
+      } else {
+        sub = `s=${nric},u=${uuid}`
+      }
       const accessTokenHash = hashToken(accessToken)
 
       const refreshToken = crypto.randomBytes(20).toString('hex')

package/lib/express/myinfo/consent.js

@@ -20,13 +20,7 @@ const CONSENT_TEMPLATE = fs.readFileSync(
 const authorizations = {}
 
 const authorize = (redirectTo) => (req, res) => {
-  const {
-    client_id, // eslint-disable-line camelcase
-    redirect_uri, // eslint-disable-line camelcase
-    attributes,
-    purpose,
-    state,
-  } = req.query
+  const { client_id, redirect_uri, attributes, purpose, state } = req.query
   const relayStateParams = qs.stringify({
     client_id,
     redirect_uri,

package/lib/express/myinfo/controllers.js

@@ -50,7 +50,7 @@ module.exports =
       const encryptedAndSignedPersona = await new jose.CompactEncrypt(
         Buffer.from(sign),
       )
-        .setProtectedHeader({ alg: 'RSA-OAEP', enc: 'A128CBC-HS256' })
+        .setProtectedHeader({ alg: 'RSA-OAEP', enc: 'A256GCM' })
         .encrypt(publicKey)
       return encryptedAndSignedPersona
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opengovsg/mockpass",
-  "version": "4.3.2",
+  "version": "4.3.4",
   "description": "A mock SingPass/CorpPass server for dev purposes",
   "main": "app.js",
   "bin": {
@@ -53,11 +53,14 @@
     "@commitlint/cli": "^19.1.0",
     "@commitlint/config-conventional": "^19.0.3",
     "@commitlint/travis-cli": "^19.0.3",
+    "@eslint/eslintrc": "^3.1.0",
+    "@eslint/js": "^9.8.0",
     "commitizen": "^4.2.4",
     "cz-conventional-changelog": "^3.2.0",
-    "eslint": "^8.0.0",
+    "eslint": "^9.8.0",
     "eslint-config-prettier": "^9.1.0",
     "eslint-plugin-prettier": "^4.0.0",
+    "globals": "^15.9.0",
     "husky": "^9.0.11",
     "lint-staged": "^15.2.2",
     "nodemon": "^3.0.1",

package/.github/workflows/npmpublish.yml

@@ -1,24 +0,0 @@
-# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created
-# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages
-
-name: Node.js Package
-
-on:
-  release:
-    types: [created]
-
-jobs:
-  publish-npm:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
-        with:
-          node-version: 'lts/*'
-          cache: 'npm'
-          cache-dependency-path: '**/package-lock.json'
-          registry-url: https://registry.npmjs.org/
-      - run: npm ci
-      - run: npm publish --access public
-        env:
-          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}