@opengovsg/mockpass 4.4.3 → 4.5.1

package/README.md

@@ -21,7 +21,7 @@ Configure your application to point to the following endpoints:
 
 - http://localhost:5156/singpass/v2/.well-known/openid-configuration
 - http://localhost:5156/singpass/v2/.well-known/keys
-- http://localhost:5156/singpass/v2/authorize
+- http://localhost:5156/singpass/v2/auth
 - http://localhost:5156/singpass/v2/token
 
 Configure your application (or MockPass) with keys:
@@ -45,7 +45,7 @@ Configure your application to point to the following endpoints:
 
 - http://localhost:5156/corppass/v2/.well-known/openid-configuration
 - http://localhost:5156/corppass/v2/.well-known/keys
-- http://localhost:5156/corppass/v2/authorize
+- http://localhost:5156/corppass/v2/auth
 - http://localhost:5156/corppass/v2/token
 
 Configure your application (or MockPass) with keys:

package/lib/assertions.js

@@ -70,6 +70,7 @@ const oidc = {
     ...Object.keys(myinfo.v3.personas).map((nric) => ({
       nric,
       uuid: myinfo.v3.personas[nric].uuid.value,
+      claims: myinfo.v3.personas[nric],
     })),
   ],
   corpPass: [

package/lib/auth-code.js

@@ -5,16 +5,16 @@ const AUTH_CODE_TIMEOUT = 5 * 60 * 1000
 const profileAndNonceStore = new ExpiryMap(AUTH_CODE_TIMEOUT)
 
 const generateAuthCode = (
-  { profile, scopes, nonce },
+  { profile, scopes, nonce, clientId = '' },
   { isStateless = false },
 ) => {
   const authCode = isStateless
-    ? Buffer.from(JSON.stringify({ profile, scopes, nonce })).toString(
-        'base64url',
-      )
+    ? Buffer.from(
+        JSON.stringify({ profile, scopes, nonce, clientId }),
+      ).toString('base64url')
     : crypto.randomBytes(45).toString('base64')
 
-  profileAndNonceStore.set(authCode, { profile, scopes, nonce })
+  profileAndNonceStore.set(authCode, { profile, scopes, nonce, clientId })
   return authCode
 }
 

package/lib/express/oidc/v2-ndi.js

@@ -59,6 +59,17 @@ const id_token_encryption_alg_values_supported = {
   corpPass: corppass_id_token_encryption_alg_values_supported,
 }
 
+const singpass_userinfo_encryption_alg_values_supported = [
+  'ECDH-ES+A256KW',
+  'ECDH-ES+A192KW',
+  'ECDH-ES+A128KW',
+]
+
+const userinfo_encryption_alg_values_supported = {
+  singPass: singpass_userinfo_encryption_alg_values_supported,
+  // Corppass to be added in the future
+}
+
 function findEcdhEsEncryptionKey(jwks, crv, algs) {
   let encryptionKey = jwks.keys.find(
     (item) =>
@@ -146,9 +157,9 @@ function config(app, { showLoginPage, isStateless }) {
     const defaultProfile =
       profiles.find((p) => p.nric === process.env.MOCKPASS_NRIC) || profiles[0]
 
-    app.get(`/${idp.toLowerCase()}/v2/authorize`, (req, res) => {
+    app.get(`/${idp.toLowerCase()}/v2/auth`, (req, res) => {
       const {
-        scope,
+        scope: scopes,
         response_type,
         client_id,
         redirect_uri: redirectURI,
@@ -156,10 +167,19 @@ function config(app, { showLoginPage, isStateless }) {
         nonce,
       } = req.query
 
-      if (scope !== 'openid') {
+      if (typeof scopes !== 'string') {
         return res.status(400).send({
           error: 'invalid_scope',
-          error_description: `Unknown scope ${scope}`,
+          error_description: `Unknown scope ${scopes}`,
+        })
+      }
+
+      const scopeArr = scopes.split(' ')
+
+      if (!scopeArr.includes('openid')) {
+        return res.status(400).send({
+          error: 'invalid_request',
+          error_description: `Missing mandatory openid scope`,
         })
       }
       if (response_type !== 'code') {
@@ -196,7 +216,10 @@ function config(app, { showLoginPage, isStateless }) {
       // Identical to OIDC v1
       if (showLoginPage(req)) {
         const values = profiles.map((profile) => {
-          const authCode = generateAuthCode({ profile, nonce }, { isStateless })
+          const authCode = generateAuthCode(
+            { profile, scopes, nonce, clientId: client_id },
+            { isStateless },
+          )
           const assertURL = buildAssertURL(redirectURI, authCode, state)
           const id = idGenerator[idp](profile)
           return { id, assertURL }
@@ -204,7 +227,7 @@ function config(app, { showLoginPage, isStateless }) {
         const response = render(LOGIN_TEMPLATE, {
           values,
           customProfileConfig: {
-            endpoint: `/${idp.toLowerCase()}/v2/authorize/custom-profile`,
+            endpoint: `/${idp.toLowerCase()}/v2/auth/custom-profile`,
             showUuid: true,
             showUen: idp === 'corpPass',
             redirectURI,
@@ -215,7 +238,10 @@ function config(app, { showLoginPage, isStateless }) {
         res.send(response)
       } else {
         const profile = customProfileFromHeaders[idp](req) || defaultProfile
-        const authCode = generateAuthCode({ profile, nonce }, { isStateless })
+        const authCode = generateAuthCode(
+          { profile, scopes, nonce, clientId: client_id },
+          { isStateless },
+        )
         const assertURL = buildAssertURL(redirectURI, authCode, state)
         console.warn(
           `Redirecting login from ${req.query.client_id} to ${redirectURI}`,
@@ -224,7 +250,7 @@ function config(app, { showLoginPage, isStateless }) {
       }
     })
 
-    app.get(`/${idp.toLowerCase()}/v2/authorize/custom-profile`, (req, res) => {
+    app.get(`/${idp.toLowerCase()}/v2/auth/custom-profile`, (req, res) => {
       const { nric, uuid, uen, redirectURI, state, nonce } = req.query
 
       const profile = { nric, uuid }
@@ -299,50 +325,9 @@ function config(app, { showLoginPage, isStateless }) {
         }
 
         // Step 0: Get the RP keyset
-        const rpJwksEndpoint =
-          idp === 'singPass'
-            ? process.env.SP_RP_JWKS_ENDPOINT
-            : process.env.CP_RP_JWKS_ENDPOINT
-
-        let rpKeysetString
-
-        if (rpJwksEndpoint) {
-          try {
-            const rpKeysetResponse = await fetch(rpJwksEndpoint, {
-              method: 'GET',
-            })
-            rpKeysetString = await rpKeysetResponse.text()
-            if (!rpKeysetResponse.ok) {
-              throw new Error(rpKeysetString)
-            }
-          } catch (e) {
-            console.error(
-              'Failed to fetch RP JWKS from',
-              rpJwksEndpoint,
-              e.message,
-            )
-            return res.status(400).send({
-              error: 'invalid_client',
-              error_description: `Failed to fetch RP JWKS from specified endpoint: ${e.message}`,
-            })
-          }
-        } else {
-          // If the endpoint is not defined, default to the sample keyset we provided.
-          rpKeysetString = rpPublic
-        }
-
-        let rpKeysetJson
-        try {
-          rpKeysetJson = JSON.parse(rpKeysetString)
-        } catch (e) {
-          console.error('Unable to parse RP keyset', e.message)
-          return res.status(400).send({
-            error: 'invalid_client',
-            error_description: `Unable to parse RP keyset: ${e.message}`,
-          })
-        }
-
+        const rpKeysetJson = await fetchRpJwks({ idp, res })
         const rpKeyset = jose.createLocalJWKSet(rpKeysetJson)
+
         // Step 0.5: Verify client assertion with RP signing key
         let clientAssertionResult
         try {
@@ -426,7 +411,9 @@ function config(app, { showLoginPage, isStateless }) {
         }
 
         // Step 1: Obtain profile for which the auth code requested data for
-        const { profile, nonce } = lookUpByAuthCode(authCode, { isStateless })
+        const { profile, nonce } = lookUpByAuthCode(authCode, {
+          isStateless,
+        })
 
         // Step 2: Get ID token
         const aud = clientAssertionClaims['sub']
@@ -438,14 +425,11 @@ function config(app, { showLoginPage, isStateless }) {
 
         const { idTokenClaims, accessToken } = await assertions.oidc.create[
           idp
-        ](profile, iss, aud, nonce)
+        ](profile, iss, aud, nonce, authCode)
 
         // Step 3: Sign ID token with ASP signing key
         const aspKeyset = JSON.parse(aspSecret)
-        const aspSigningKey = aspKeyset.keys.find(
-          (item) =>
-            item.use === 'sig' && item.kty === 'EC' && item.crv === 'P-256',
-        )
+        const aspSigningKey = await getSigKey({ keySet: aspKeyset })
         if (!aspSigningKey) {
           console.error('No suitable signing key found', aspKeyset.keys)
           return res.status(400).send({
@@ -453,6 +437,7 @@ function config(app, { showLoginPage, isStateless }) {
             error_description: 'No suitable signing key found',
           })
         }
+
         const signingKey = await jose.importJWK(aspSigningKey, 'ES256')
         const signedProtectedHeader = {
           alg: 'ES256',
@@ -527,7 +512,7 @@ function config(app, { showLoginPage, isStateless }) {
         // Note: does not support backchannel auth
         const data = {
           issuer: baseUrl,
-          authorization_endpoint: `${baseUrl}/authorize`,
+          authorization_endpoint: `${baseUrl}/auth`,
           jwks_uri: `${baseUrl}/.well-known/keys`,
           response_types_supported: ['code'],
           scopes_supported: ['openid'],
@@ -556,6 +541,22 @@ function config(app, { showLoginPage, isStateless }) {
           // Omit authorization-info_endpoint for CP
         }
 
+        if (idp === 'singPass') {
+          data['scopes_supported'] = [
+            ...data['scopes_supported'],
+            'uinfin',
+            'name',
+            'email',
+            'mobileno',
+            'regadd',
+          ]
+          data['userinfo_endpoint'] = `${baseUrl}/userinfo`
+          data['userinfo_signing_alg_values_supported'] = ['ES256']
+          data['userinfo_encryption_alg_values_supported'] =
+            userinfo_encryption_alg_values_supported[idp]
+          data['userinfo_encryption_enc_values_supported'] = ['A256GCM']
+        }
+
         res.status(200).send(data)
       },
     )
@@ -563,8 +564,199 @@ function config(app, { showLoginPage, isStateless }) {
     app.get(`/${idp.toLowerCase()}/v2/.well-known/keys`, (req, res) => {
       res.status(200).send(JSON.parse(aspPublic))
     })
+
+    app.get(`/${idp.toLowerCase()}/v2/userinfo`, async (req, res) => {
+      const { protocol, headers } = req
+      const host = req.get('host')
+
+      const authCode = extractBearerTokenFromHeader(headers, res)
+
+      const found = lookUpByAuthCode(authCode, {
+        isStateless,
+      })
+
+      if (!found || !found.scopes) {
+        return res.status(400).send({
+          error: 'invalid_request',
+          error_description:
+            'Myinfo profile has yet to be provisioned for the user',
+        })
+      }
+
+      const {
+        profile: { uuid },
+        scopes,
+        clientId,
+      } = found
+      const scopesArr = scopes.split(' ')
+      console.log('userinfo scopes: ', scopesArr)
+
+      const profile = assertions.oidc.singPass.find((p) => p.uuid === uuid)
+
+      const iss = `${protocol}://${host}/${idp.toLowerCase()}/v2`
+      const aud = clientId
+
+      // Reuse the sub generation logic that was meant for ID token
+      const {
+        idTokenClaims: { sub, iat },
+      } = await assertions.oidc.create[idp](profile, iss, aud)
+
+      const userinfoPayload = {
+        sub,
+        iss,
+        aud,
+        iat,
+      }
+
+      const claimMap = profile.claims || {
+        uinfin: makeClaim(profile.nric),
+        name: makeClaim(`USER ${profile.nric}`),
+      }
+
+      for (const [claim, value] of Object.entries(claimMap)) {
+        if (scopesArr.includes(claim)) {
+          userinfoPayload[claim] = value
+        }
+      }
+
+      console.debug('userinfo payload:', userinfoPayload)
+
+      const rpKeysetJson = await fetchRpJwks({ idp, res })
+      const aspKeyset = JSON.parse(aspSecret)
+      const aspSigningKey = await getSigKey({ keySet: aspKeyset })
+
+      if (!aspSigningKey) {
+        console.error('No suitable signing key found', aspKeyset.keys)
+        return res.status(400).send({
+          error: 'invalid_request',
+          error_description: 'No suitable signing key found',
+        })
+      }
+
+      const signingKey = await jose.importJWK(aspSigningKey, 'ES256')
+      const signedProtectedHeader = {
+        alg: 'ES256',
+        typ: 'JWT',
+        kid: aspSigningKey.kid,
+      }
+
+      const textEncoder = new TextEncoder()
+      const userinfoJws = await new jose.CompactSign(
+        textEncoder.encode(JSON.stringify(userinfoPayload)),
+      )
+        .setProtectedHeader(signedProtectedHeader)
+        .sign(signingKey)
+
+      console.debug('userinfo JWS:', userinfoJws)
+
+      const rpEncryptionKey = findEncryptionKey(
+        rpKeysetJson,
+        userinfo_encryption_alg_values_supported[idp],
+      )
+
+      console.debug('rp encrypted key', rpEncryptionKey)
+
+      const encryptedProtectedHeader = {
+        alg: rpEncryptionKey.alg,
+        typ: 'JWT',
+        kid: rpEncryptionKey.kid,
+        enc: 'A256GCM',
+        cty: 'JWT',
+      }
+
+      const encryptionKey = await jose.importJWK(rpEncryptionKey, 'ES256')
+      const userinfoJwe = await new jose.CompactEncrypt(
+        textEncoder.encode(userinfoJws),
+      )
+        .setProtectedHeader(encryptedProtectedHeader)
+        .encrypt(encryptionKey)
+
+      console.debug('userinfo JWE:', userinfoJwe)
+
+      return res.status(200).type('application/jwt').send(userinfoJwe)
+    })
   }
+
   return app
 }
 
+const fetchRpJwks = async ({ idp, res }) => {
+  const rpJwksEndpoint =
+    idp === 'singPass'
+      ? process.env.SP_RP_JWKS_ENDPOINT
+      : process.env.CP_RP_JWKS_ENDPOINT
+
+  let rpKeysetString
+
+  if (rpJwksEndpoint) {
+    try {
+      const rpKeysetResponse = await fetch(rpJwksEndpoint, {
+        method: 'GET',
+      })
+      rpKeysetString = await rpKeysetResponse.text()
+      if (!rpKeysetResponse.ok) {
+        throw new Error(rpKeysetString)
+      }
+    } catch (e) {
+      console.error('Failed to fetch RP JWKS from', rpJwksEndpoint, e.message)
+      return res.status(400).send({
+        error: 'invalid_client',
+        error_description: `Failed to fetch RP JWKS from specified endpoint: ${e.message}`,
+      })
+    }
+  } else {
+    // If the endpoint is not defined, default to the sample keyset we provided.
+    rpKeysetString = rpPublic
+  }
+
+  let rpKeysetJson
+  try {
+    rpKeysetJson = JSON.parse(rpKeysetString)
+  } catch (e) {
+    console.error('Unable to parse RP keyset', e.message)
+    return res.status(400).send({
+      error: 'invalid_client',
+      error_description: `Unable to parse RP keyset: ${e.message}`,
+    })
+  }
+
+  return rpKeysetJson
+}
+
+const getSigKey = async ({ keySet, kty = 'EC', crv = 'P-256' }) => {
+  const signingKey = keySet.keys.find(
+    (item) => item.use === 'sig' && item.kty === kty && item.crv === crv,
+  )
+
+  return signingKey
+}
+
+const extractBearerTokenFromHeader = (headers, res) => {
+  const authHeader = headers.authorization || headers.Authorization
+
+  if (!authHeader) {
+    return res.status(401).send({
+      error: 'invalid_request',
+      error_description: 'Missing Authorization header',
+    })
+  }
+
+  const tokenParts = authHeader.trim().split(' ')
+  if (tokenParts.length !== 2 || tokenParts[0] !== 'Bearer' || !tokenParts[1]) {
+    return res.status(401).send({
+      error: 'invalid_request',
+      error_description: 'Malformed Authorization header',
+    })
+  }
+
+  return tokenParts[1]
+}
+
+const makeClaim = (value) => ({
+  lastupdated: '2023-03-23',
+  source: '1',
+  classification: 'C',
+  value,
+})
+
 module.exports = config

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opengovsg/mockpass",
-  "version": "4.4.3",
+  "version": "4.5.1",
   "description": "A mock SingPass/CorpPass server for dev purposes",
   "main": "app.js",
   "bin": {
@@ -58,7 +58,7 @@
     "commitizen": "^4.2.4",
     "cz-conventional-changelog": "^3.2.0",
     "eslint": "^9.8.0",
-    "eslint-config-prettier": "^9.1.0",
+    "eslint-config-prettier": "^10.1.8",
     "eslint-plugin-prettier": "^4.0.0",
     "globals": "^16.0.0",
     "husky": "^9.0.11",