feat: add typeguard for JWT payload

src/app/modules/spcp/__tests__/spcp.service.spec.ts

@@ -26,6 +26,7 @@ import {
 import { SpcpService } from '../spcp.service'
 
 import {
+  MOCK_CP_JWT_PAYLOAD,
   MOCK_CP_SAML,
   MOCK_DESTINATION,
   MOCK_ERROR_CODE,
@@ -36,6 +37,7 @@ import {
   MOCK_LOGIN_HTML,
   MOCK_REDIRECT_URL,
   MOCK_SERVICE_PARAMS as MOCK_PARAMS,
+  MOCK_SP_JWT_PAYLOAD,
   MOCK_SP_SAML,
   MOCK_SP_SAML_WRONG_HASH,
   MOCK_SP_SAML_WRONG_TYPECODE,
@@ -220,9 +222,11 @@ describe('spcp.service', () => {
       const spcpService = new SpcpService(MOCK_PARAMS)
       // Assumes that SP auth client was instantiated first
       const mockClient = mocked(MockAuthClient.mock.instances[0], true)
-      mockClient.verifyJWT.mockImplementationOnce((jwt, cb) => cb(null, jwt))
+      mockClient.verifyJWT.mockImplementationOnce((jwt, cb) =>
+        cb(null, MOCK_SP_JWT_PAYLOAD),
+      )
       const result = await spcpService.extractJwtPayload(MOCK_JWT, AuthType.SP)
-      expect(result._unsafeUnwrap()).toEqual(MOCK_JWT)
+      expect(result._unsafeUnwrap()).toEqual(MOCK_SP_JWT_PAYLOAD)
     })
 
     it('should return VerifyJwtError when SingPass JWT is invalid', async () => {
@@ -240,9 +244,11 @@ describe('spcp.service', () => {
       const spcpService = new SpcpService(MOCK_PARAMS)
       // Assumes that SP auth client was instantiated first
       const mockClient = mocked(MockAuthClient.mock.instances[1], true)
-      mockClient.verifyJWT.mockImplementationOnce((jwt, cb) => cb(null, jwt))
+      mockClient.verifyJWT.mockImplementationOnce((jwt, cb) =>
+        cb(null, MOCK_CP_JWT_PAYLOAD),
+      )
       const result = await spcpService.extractJwtPayload(MOCK_JWT, AuthType.CP)
-      expect(result._unsafeUnwrap()).toEqual(MOCK_JWT)
+      expect(result._unsafeUnwrap()).toEqual(MOCK_CP_JWT_PAYLOAD)
     })
 
     it('should return VerifyJwtError when CorpPass JWT is invalid', async () => {

src/app/modules/spcp/__tests__/spcp.test.constants.ts

@@ -45,6 +45,12 @@ export const MOCK_LOGIN_HTML = 'html'
 export const MOCK_ERROR_CODE = 'errorCode'
 export const MOCK_TITLE = 'title'
 export const MOCK_JWT = 'jwt'
+
+export const MOCK_SP_JWT_PAYLOAD = { userName: 'mockUserName' }
+export const MOCK_CP_JWT_PAYLOAD = {
+  userName: 'mockUserName',
+  userInfo: 'mockUserInfo',
+}
 const spPartnerHash = crypto
   .createHash('sha1')
   .update(MOCK_SERVICE_PARAMS.spIdpId, 'utf8')

src/app/modules/spcp/spcp.errors.ts

@@ -75,3 +75,14 @@ export class MissingAttributesError extends ApplicationError {
     super(message)
   }
 }
+
+/**
+ * JWT has the wrong shape
+ */
+export class InvalidJwtError extends ApplicationError {
+  constructor(
+    message = 'Decoded JWT did not contain the correct SPCP attributes',
+  ) {
+    super(message)
+  }
+}

src/app/modules/spcp/spcp.service.ts

@@ -3,7 +3,7 @@ import axios from 'axios'
 import fs from 'fs'
 import { StatusCodes } from 'http-status-codes'
 import mongoose from 'mongoose'
-import { err, errAsync, ok, Result, ResultAsync } from 'neverthrow'
+import { err, errAsync, ok, okAsync, Result, ResultAsync } from 'neverthrow'
 
 import { ISpcpMyInfo } from '../../../config/feature-manager'
 import { createLoggerWithLabel } from '../../../config/logger'
@@ -15,6 +15,7 @@ import {
   AuthTypeMismatchError,
   CreateRedirectUrlError,
   FetchLoginPageError,
+  InvalidJwtError,
   InvalidOOBParamsError,
   LoginPageValidationError,
   MissingAttributesError,
@@ -33,6 +34,7 @@ import {
   extractFormId,
   getAttributesPromise,
   getSubstringBetween,
+  isJwtPayload,
   isValidAuthenticationQuery,
   verifyJwtPromise,
 } from './spcp.util'
@@ -212,7 +214,12 @@ export class SpcpService {
         })
         return new VerifyJwtError()
       },
-    )
+    ).andThen((payload) => {
+      if (isJwtPayload(payload, authType)) {
+        return okAsync(payload)
+      }
+      return errAsync(new InvalidJwtError())
+    })
   }
 
   /**

src/app/modules/spcp/spcp.util.ts

@@ -10,6 +10,7 @@ import { ProcessedSingleAnswerResponse } from '../submission/submission.types'
 import {
   CreateRedirectUrlError,
   FetchLoginPageError,
+  InvalidJwtError,
   LoginPageValidationError,
   VerifyJwtError,
 } from './spcp.errors'
@@ -119,9 +120,9 @@ export const getSubstringBetween = (
 export const verifyJwtPromise = (
   authClient: SPCPAuthClient,
   jwt: string,
-): Promise<JwtPayload> => {
-  return new Promise<JwtPayload>((resolve, reject) => {
-    authClient.verifyJWT<JwtPayload>(jwt, (error: Error, data: JwtPayload) => {
+): Promise<unknown> => {
+  return new Promise<unknown>((resolve, reject) => {
+    authClient.verifyJWT<unknown>(jwt, (error: Error, data: unknown) => {
       if (error) {
         return reject(error)
       }
@@ -130,6 +131,30 @@ export const verifyJwtPromise = (
   })
 }
 
+/**
+ * Typeguard for JWT payload.
+ * @param payload Payload decrypted from JWT
+ */
+export const isJwtPayload = (
+  payload: unknown,
+  authType: AuthType.SP | AuthType.CP,
+): payload is JwtPayload => {
+  if (authType === AuthType.SP) {
+    return (
+      !!payload &&
+      typeof payload === 'object' &&
+      typeof (payload as Record<string, unknown>).userName === 'string'
+    )
+  } else {
+    return (
+      !!payload &&
+      typeof payload === 'object' &&
+      typeof (payload as Record<string, unknown>).userName === 'string' &&
+      typeof (payload as Record<string, unknown>).userInfo === 'string'
+    )
+  }
+}
+
 /**
  * Extracts the SP or CP JWT from an object containing cookies
  * @param cookies Object containing cookies
@@ -221,6 +246,12 @@ export const mapRouteError: MapRouteError = (error) => {
         statusCode: StatusCodes.UNAUTHORIZED,
         errorMessage: 'User is not SPCP authenticated',
       }
+    case InvalidJwtError:
+      return {
+        statusCode: StatusCodes.UNAUTHORIZED,
+        errorMessage:
+          'Sorry, something went wrong with your login. Please refresh and try again.',
+      }
     default:
       logger.error({
         message: 'Unknown route error observed',