Skip to content

Commit

Permalink
refactor(myinfo): replace node-jose with jose for SSO (opengovsg#328)
Browse files Browse the repository at this point in the history
  • Loading branch information
amandalim857 committed Jul 12, 2023
1 parent 555316b commit 5efd27a
Show file tree
Hide file tree
Showing 3 changed files with 36 additions and 11 deletions.
32 changes: 21 additions & 11 deletions lib/express/myinfo/controllers.js
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ const path = require('path')
const express = require('express')
const { pick, partition } = require('lodash')

const jose = require('node-jose')
const jose = require('jose')
const jwt = require('jsonwebtoken')

const assertions = require('../../assertions')
Expand All @@ -31,16 +31,27 @@ module.exports =
}

const encryptPersona = async (persona) => {
const signedPersona = jwt.sign(persona, MOCKPASS_PRIVATE_KEY, {
algorithm: 'RS256',
})
const serviceCertAsKey = await jose.JWK.asKey(serviceProvider.cert, 'pem')
const encryptedAndSignedPersona = await jose.JWE.createEncrypt(
{ format: 'compact' },
serviceCertAsKey,
/*
* We sign and encrypt the persona. It's important to note that although a signature is
* usually derived from the payload hash and is thus much smaller than the payload itself,
* we're specifically contructeding a JWT, which contains the original payload.
*
* We then construct a JWE and provide two headers specifying the encryption algorithms used.
* You can read about them here: https://www.rfc-editor.org/rfc/inline-errata/rfc7518.html
*
* These values weren't picked arbitrarily; they were the defaults used by a library we
* formerly used: node-jose. We opted to continue using them for backwards compatibility.
*/
const privateKey = await jose.importPKCS8(MOCKPASS_PRIVATE_KEY.toString())
const sign = await new jose.SignJWT(persona)
.setProtectedHeader({ alg: 'RS256' })
.sign(privateKey)
const publicKey = await jose.importX509(serviceProvider.cert.toString())
const encryptedAndSignedPersona = await new jose.CompactEncrypt(
Buffer.from(sign),
)
.update(JSON.stringify(signedPersona))
.final()
.setProtectedHeader({ alg: 'RSA-OAEP', enc: 'A128CBC-HS256' })
.encrypt(publicKey)
return encryptedAndSignedPersona
}

Expand Down Expand Up @@ -142,7 +153,6 @@ module.exports =
redirect_uri,
})
: {}

if (!tokenTemplate) {
res.status(400).send({
code: 400,
Expand Down
14 changes: 14 additions & 0 deletions package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions package.json
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@
"dotenv": "^16.0.0",
"expiry-map": "^2.0.0",
"express": "^4.16.3",
"jose": "^4.14.4",
"jsonwebtoken": "^9.0.0",
"lodash": "^4.17.11",
"morgan": "^1.9.1",
Expand Down

0 comments on commit 5efd27a

Please sign in to comment.