@opengovsg/mockpass 4.6.1 → 4.6.3

package/README.md

@@ -21,14 +21,14 @@ For more information regarding the FAPI flow, refer to: https://docs.developer.s
 
 Configure your endpoint to point to the following endpoints:
 - http://localhost:5156/singpass/v3/fapi/.well-known/openid-configuration
-- http://localhost:5156/singpass/v3/fapi/.well-known/jwks.json
+- http://localhost:5156/singpass/v3/fapi/.well-known/keys
 - http://localhost:5156/singpass/v3/fapi/par
 - http://localhost:5156/singpass/v3/fapi/auth
 - http://localhost:5156/singpass/v3/fapi/token
 
 
-In the `/fapi/utils.js file`, you can configure your client JWKS endpoint in the `fapiClientConfiguration`. By default, it is set to `null` and Mockpass will read the default keys that are stored in the `fapi-private.json` and `fapi-public.json` If configured, Mockpass will attempt to fetch the JWKS from the specified endpoint. 
-Your JWKS endpoint will need to be publicly accessible, and it needs to contain a valid JWKS with a sig key and an enc key.
+In the `/fapi/utils.js file`, you can configure your client JWKS endpoint in the `fapiClientConfiguration`. By default, it is set to `null` and Mockpass will read the default keys that are stored in the `fapi-rp-private.json` and `fapi-rp-public.json` files. If configured, Mockpass will attempt to fetch the JWKS from the specified endpoint. 
+Your JWKS endpoint will need to be publicly accessible, and it needs to contain a valid JWKS with a `sig` key and an `enc` key.
 
 Limitations:
 - `client_id` and `redirect_uri` can be set to anything.

package/lib/express/fapi/fapi.controller.js

@@ -8,13 +8,15 @@ const path = require('path')
 function config(app) {
   app.use(express.json())
   app.use(express.urlencoded({ extended: true }))
-  const profiles = assertions.oidc['singPass']
+  const idp = 'singPass'
+  const profiles = assertions.oidc[idp]
   const service = new FapiService()
+  const fapiRoutesBasePath = FapiUtils.getFapiPath(idp.toLowerCase())
 
-  app.get(`${FapiUtils.FAPI_PATH}/.well-known/keys`, (req, res) => {
+  app.get(`${fapiRoutesBasePath}/.well-known/keys`, (req, res) => {
     const keys = JSON.parse(
       fs.readFileSync(
-        path.resolve(__dirname, '../../../static/certs/fapi-public.json'),
+        path.resolve(__dirname, FapiUtils.FAPI_ASP_PUBLIC_JWKS_PATH),
         'utf8',
       ),
     )
@@ -22,13 +24,13 @@ function config(app) {
   })
 
   app.get(
-    `${FapiUtils.FAPI_PATH}/.well-known/openid-configuration`,
+    `${fapiRoutesBasePath}/.well-known/openid-configuration`,
     (req, res) => {
       return res.send(FapiUtils.getFapiOpenIdConfiguration(req))
     },
   )
 
-  app.post(`${FapiUtils.FAPI_PATH}/par`, async (req, res) => {
+  app.post(`${fapiRoutesBasePath}/par`, async (req, res) => {
     try {
       const request_uri = await service.handleParRequest(req)
       return res.status(201).send({ request_uri, expires_in: 60 })
@@ -37,18 +39,25 @@ function config(app) {
     }
   })
 
-  app.get(`${FapiUtils.FAPI_PATH}/auth`, async (req, res) => {
+  app.get(`${fapiRoutesBasePath}/auth`, async (req, res) => {
     try {
       const authRequest = await service.handleAuthorizationRequest(req)
-      return res.send(
-        service.generateLoginPage(profiles, 'singPass', authRequest),
-      )
+      return res.send(service.generateLoginPage(profiles, idp, authRequest))
     } catch (e) {
       return res.status(400).send({ error: e.message })
     }
   })
 
-  app.post(`${FapiUtils.FAPI_PATH}/token`, async (req, res) => {
+  app.get(`${fapiRoutesBasePath}/auth/custom-profile`, (req, res) => {
+    try {
+      const assertURL = service.handleCustomProfileAuthorizationRequest(req)
+      return res.redirect(assertURL)
+    } catch (e) {
+      return res.status(400).send({ error: e.message })
+    }
+  })
+
+  app.post(`${fapiRoutesBasePath}/token`, async (req, res) => {
     try {
       return res.status(200).send(await service.handleTokenRequest(req))
     } catch (e) {
@@ -57,7 +66,7 @@ function config(app) {
   })
 
   //Helper function to generate DPoP proof JWT and client assertion token for testing. In real implementation, these tokens should be generated by the client.
-  app.post(`${FapiUtils.FAPI_PATH}/tests/generate-tokens`, async (req, res) => {
+  app.post(`${fapiRoutesBasePath}/tests/generate-tokens`, async (req, res) => {
     try {
       const { ephemeralPrivateKey, dpopToken, clientAssertionToken } =
         await FapiUtils.generateDpopAndClientAssertionToken(req)

package/lib/express/fapi/fapi.service.js

@@ -68,6 +68,20 @@ class FapiService {
     return await this.generateIdToken(req, authRequest)
   }
 
+  handleCustomProfileAuthorizationRequest(req) {
+    const { nric, uuid, request_uri } = req.query
+    assert(request_uri, 'Request URI is required')
+    assert(nric, 'NRIC is required')
+    assert(uuid, 'UUID is required')
+
+    const authRequest = this.map.get(request_uri)
+    if (!authRequest) throw new Error('No PAR request found in session')
+
+    const profile = { nric, uuid }
+    const authCode = generateAuthCodeForFapi({ profile, authRequest })
+    return buildAssertURL(authRequest.redirect_uri, authCode, authRequest.state)
+  }
+
   generateLoginPage(profiles, idp, authRequest) {
     const state = authRequest.state
     const values = profiles.map((profile) => {
@@ -88,9 +102,12 @@ class FapiService {
     return render(LOGIN_TEMPLATE, {
       values,
       customProfileConfig: {
-        endpoint: `/${idp.toLowerCase()}/v2/auth/custom-profile`,
+        endpoint: `${FapiUtils.getFapiPath(
+          idp.toLowerCase(),
+        )}/auth/custom-profile`,
         showUuid: true,
         showUen: idp === 'corpPass',
+        requestUri: authRequest.request_uri,
         redirectURI: authRequest.redirect_uri,
         state: authRequest.state,
         nonce: authRequest.nonce,
@@ -119,28 +136,23 @@ class FapiService {
     }
 
     //Sign Id Token
-
-    const aspSecret = fs.readFileSync(
-      path.resolve(__dirname, '../../../static/certs/oidc-v2-asp-secret.json'),
+    const signingKid = FapiUtils.FAPI_ASP_SIGNING_KID
+    const fapiPrivateJwks = JSON.parse(
+      fs.readFileSync(
+        path.resolve(__dirname, FapiUtils.FAPI_ASP_PRIVATE_JWKS_PATH),
+      ),
     )
+    const fapiSigningPrivateKey = fapiPrivateJwks.keys.find(
+      (item) => item.use === 'sig' && item.kid === signingKid,
+    )
+    if (!fapiSigningPrivateKey)
+      throw new Error(`No signing key found for kid "${signingKid}"`)
 
-    const getSigKey = async ({ keySet, kty = 'EC', crv = 'P-256' }) => {
-      return keySet.keys.find(
-        (item) => item.use === 'sig' && item.kty === kty && item.crv === crv,
-      )
-    }
-
-    const aspKeyset = JSON.parse(aspSecret)
-    const aspSigningKey = await getSigKey({ keySet: aspKeyset })
-    if (!aspSigningKey) {
-      throw new Error('No suitable signing key found')
-    }
-
-    const signingKey = await jose.importJWK(aspSigningKey, 'ES256')
+    const signingKey = await jose.importJWK(fapiSigningPrivateKey, 'ES256')
     const signedProtectedHeader = {
       alg: 'ES256',
       typ: 'JWT',
-      kid: aspSigningKey.kid,
+      kid: signingKid,
     }
     const signedIdToken = await new jose.CompactSign(
       new TextEncoder().encode(JSON.stringify(id_token)),
@@ -159,7 +171,7 @@ class FapiService {
     } else {
       rpEncPublicKey = JSON.parse(
         readFileSync(
-          path.resolve(__dirname, '../../../static/certs/fapi-public.json'),
+          path.resolve(__dirname, FapiUtils.FAPI_RP_PUBLIC_JWKS_PATH),
         ),
       )['keys'].find((key) => key.use === 'enc')
     }
@@ -249,9 +261,7 @@ async function verifyClientAssertion(req) {
     )
   else
     jwks = JSON.parse(
-      readFileSync(
-        path.resolve(__dirname, '../../../static/certs/fapi-public.json'),
-      ),
+      readFileSync(path.resolve(__dirname, FapiUtils.FAPI_RP_PUBLIC_JWKS_PATH)),
     )
   if (!jwks.keys) throw new Error('Unable to fetch client jwks')
 

package/lib/express/fapi/utils.js

@@ -4,6 +4,7 @@ const {
   createPublicKey,
   randomUUID,
 } = require('crypto')
+const assert = require('assert')
 const jose = require('jose')
 const { readFileSync } = require('fs')
 const path = require('path')
@@ -51,7 +52,13 @@ const idTokenConfiguration = {
   TOKEN_EXPIRY: 1800,
 }
 
-const FAPI_PATH = '/v3/fapi'
+const FAPI_SUFFIX_PATH = '/v3/fapi'
+const FAPI_ASP_SIGNING_KID = 'fapi-asp-sig-key-01'
+const FAPI_ASP_ENCRYPTION_KID = 'fapi-asp-enc-key-01'
+const FAPI_ASP_PRIVATE_JWKS_PATH = '../../../static/certs/fapi-asp-private.json'
+const FAPI_ASP_PUBLIC_JWKS_PATH = '../../../static/certs/fapi-asp-public.json'
+const FAPI_RP_PRIVATE_JWKS_PATH = '../../../static/certs/fapi-rp-private.json'
+const FAPI_RP_PUBLIC_JWKS_PATH = '../../../static/certs/fapi-rp-public.json'
 const fapiClientConfiguration = {
   //This is only used for the /generate-tokens call. If used, your POST request must also use the same client_id
   client_id: 'mock-fapi-client-id',
@@ -60,8 +67,21 @@ const fapiClientConfiguration = {
   client_jwks: process.env.FAPI_CLIENT_JWKS_ENDPOINT || null,
 }
 
+function getFapiPath(idp) {
+  assert(idp, 'IDP is required')
+  return `/${String(idp).toLowerCase()}${FAPI_SUFFIX_PATH}`
+}
+
+function inferIdpFromRequest(req) {
+  const [, idp] = req.path.split('/')
+  assert(idp, 'Unable to infer IDP from request path')
+  return idp
+}
+
 function getIssuerFromRequest(req) {
-  return `${req.protocol}://${req.get('host')}${FAPI_PATH}`
+  return `${req.protocol}://${req.get('host')}${getFapiPath(
+    inferIdpFromRequest(req),
+  )}`
 }
 
 function getFapiOpenIdConfiguration(req) {
@@ -160,15 +180,15 @@ async function generateDpopToken(req, publicKey, privateKey) {
 }
 async function generateClientAssertionToken(req) {
   const clientAssertionPrivateKey = JSON.parse(
-    readFileSync(
-      path.resolve(__dirname, '../../../static/certs/fapi-private.json'),
-    ),
+    readFileSync(path.resolve(__dirname, FAPI_RP_PRIVATE_JWKS_PATH)),
   )['keys'].find((key) => key.use === 'sig')
+  if (!clientAssertionPrivateKey)
+    throw new Error('No RP signing private key found')
   const clientAssertionPublicKey = JSON.parse(
-    readFileSync(
-      path.resolve(__dirname, '../../../static/certs/fapi-public.json'),
-    ),
+    readFileSync(path.resolve(__dirname, FAPI_RP_PUBLIC_JWKS_PATH)),
   )['keys'].find((key) => key.use === 'sig')
+  if (!clientAssertionPublicKey)
+    throw new Error('No RP signing public key found')
   const clientAssertion = {
     headers: {
       alg: 'ES256',
@@ -197,7 +217,13 @@ module.exports = {
   AllowedHttpsRedirectTypes,
   clientAssertionConfig,
   dpopConfiguration,
-  FAPI_PATH,
+  FAPI_ASP_ENCRYPTION_KID,
+  FAPI_ASP_PRIVATE_JWKS_PATH,
+  FAPI_ASP_PUBLIC_JWKS_PATH,
+  FAPI_ASP_SIGNING_KID,
+  FAPI_RP_PRIVATE_JWKS_PATH,
+  FAPI_RP_PUBLIC_JWKS_PATH,
+  getFapiPath,
   fapiClientConfiguration,
   generateDpopAndClientAssertionToken,
   getFapiOpenIdConfiguration,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opengovsg/mockpass",
-  "version": "4.6.1",
+  "version": "4.6.3",
   "description": "A mock SingPass/CorpPass server for dev purposes",
   "main": "app.js",
   "bin": {

package/static/certs/fapi-asp-private.json

@@ -0,0 +1,24 @@
+{
+  "keys": [
+    {
+      "crv": "P-256",
+      "d": "i6SXSFXS82EvOj0vkS2V-4x6ItX79J9FLD79CsSLIks",
+      "kty": "EC",
+      "x": "6L_1vnXNH2IcAQIpTpaZ3LaxNby3j9t3YSQuWFmid8o",
+      "y": "OOTZ53oQxLJGZ0UR0jE4w_NSs7x_OCaz7GMcis53rK8",
+      "use": "sig",
+      "alg": "ES256",
+      "kid": "fapi-asp-sig-key-01"
+    },
+    {
+      "crv": "P-256",
+      "d": "8Kycerjx8N3TLI3a4sllkIET8ZrCyRG9ha3jJrup1gs",
+      "kty": "EC",
+      "x": "yVocAx9MRtU4n59kMmKNvQsri2gBxNX728ID8qMRiSw",
+      "y": "rB8rb1f2IfYD-ByQoa_EXsG2amrhXS8Asvn0Wv1z70c",
+      "use": "enc",
+      "alg": "ECDH-ES+A256KW",
+      "kid": "fapi-asp-enc-key-01"
+    }
+  ]
+}

package/static/certs/fapi-asp-public.json

@@ -0,0 +1,22 @@
+{
+  "keys": [
+    {
+      "crv": "P-256",
+      "kty": "EC",
+      "x": "6L_1vnXNH2IcAQIpTpaZ3LaxNby3j9t3YSQuWFmid8o",
+      "y": "OOTZ53oQxLJGZ0UR0jE4w_NSs7x_OCaz7GMcis53rK8",
+      "use": "sig",
+      "alg": "ES256",
+      "kid": "fapi-asp-sig-key-01"
+    },
+    {
+      "crv": "P-256",
+      "kty": "EC",
+      "x": "yVocAx9MRtU4n59kMmKNvQsri2gBxNX728ID8qMRiSw",
+      "y": "rB8rb1f2IfYD-ByQoa_EXsG2amrhXS8Asvn0Wv1z70c",
+      "use": "enc",
+      "alg": "ECDH-ES+A256KW",
+      "kid": "fapi-asp-enc-key-01"
+    }
+  ]
+}

package/static/certs/{fapi-private.json → fapi-rp-private.json}

@@ -6,6 +6,7 @@
       "y": "elyS0xZn3ymk65tVPYO3pZplEaOEZtj_RegJ3_cwq7A",
       "crv": "P-256",
       "d": "uRwK14a2icjic0DSFsOG2PgKgqfZobaqhjgGS0wbkho",
+      "kid": "fapi-rp-sig-key-01",
       "use": "sig",
       "alg": "ES256"
     },
@@ -17,7 +18,7 @@
       "d": "wqtEFMSkoWeYqfZ-aqbSn5CE2KmgqWZgxrowWQaHCXA",
       "use": "enc",
       "alg": "ECDH-ES+A256KW",
-      "kid": "fapi-enc-key"
+      "kid": "fapi-rp-enc-key-01"
     }
   ]
 }

package/static/certs/{fapi-public.json → fapi-rp-public.json}

@@ -5,7 +5,7 @@
       "crv": "P-256",
       "x": "tkRXMLpC7djlH7cqntg8-fuekxG9YTvJx8IsRKApcAg",
       "y": "elyS0xZn3ymk65tVPYO3pZplEaOEZtj_RegJ3_cwq7A",
-      "kid": "fapi-key-01",
+      "kid": "fapi-rp-sig-key-01",
       "use": "sig",
       "alg": "ES256"
     },
@@ -16,7 +16,7 @@
       "crv": "P-256",
       "use": "enc",
       "alg": "ECDH-ES+A256KW",
-      "kid": "fapi-enc-key"
+      "kid": "fapi-rp-enc-key-01"
     }
   ]
 }

package/static/html/login-page.html

@@ -198,6 +198,7 @@
                                                         {{/showUen}}
 
                                                         {{#assertEndpoint}}<input type="hidden" name="assertEndpoint" value="{{ assertEndpoint }}" />{{/assertEndpoint}}
+                                                        {{#requestUri}}<input type="hidden" name="request_uri" value="{{ requestUri }}" />{{/requestUri}}
                                                         {{#redirectURI}}<input type="hidden" name="redirectURI" value="{{ redirectURI }}" />{{/redirectURI}}
                                                         {{#relayState}}<input type="hidden" name="relayState" value="{{ relayState }}" />{{/relayState}}
                                                         {{#state}}<input type="hidden" name="state" value="{{ state }}" />{{/state}}