

fix(SGID): disallow SGID authentication in storage mode (#2468)
* fix(SGID): prevent authType SGID in storage mode

* test: add tests for invalid authType
mantariksh authored Jul 29, 2021
1 parent 77a3b12 commit a1d5885
Showing 2 changed files with 37 additions and 3 deletions.
27 changes: 27 additions & 0 deletions src/app/models/__tests__/form.server.model.spec.ts
Expand Up @@ -12,6 +12,7 @@ import getFormModel, {
getEncryptedFormModel,
} from 'src/app/models/form.server.model'
import {
AuthType,
BasicField,
EndPage,
FormFieldWithId,
Expand Down Expand Up @@ -568,6 +569,32 @@ describe('Form Model', () => {
mongoose.Error.ValidationError,
)
})

it('should set authType to NIL when given authType is MyInfo', async () => {
// Arrange
const malformedParams = merge({}, MOCK_ENCRYPTED_FORM_PARAMS, {
authType: AuthType.MyInfo,
})

// Act
const invalidForm = await EncryptedForm.create(malformedParams)

// Assert
await expect(invalidForm.authType).toBe(AuthType.NIL)
})

it('should set authType to NIL when given authType is SGID', async () => {
// Arrange
const malformedParams = merge({}, MOCK_ENCRYPTED_FORM_PARAMS, {
authType: AuthType.SGID,
})

// Act
const invalidForm = await EncryptedForm.create(malformedParams)

// Assert
await expect(invalidForm.authType).toBe(AuthType.NIL)
})
})

describe('Email form schema', () => {
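Review bot: `await expect(invalidForm.authType).toBe(AuthType.NIL)` in both new tests awaits a synchronous matcher; `toBe` returns void, so the `await` is a no-op and reads as though a promise were being checked. Drop it: `expect(invalidForm.authType).toBe(AuthType.NIL)`. The two tests are identical apart from the `authType` value, so `it.each([AuthType.MyInfo, AuthType.SGID])` would express them as one parametrised case. Neither test pins the complementary behaviour — that a non-storage-mode form still keeps `AuthType.SGID` — which, if it is not already covered in the email form schema block that starts here, is worth adding as a regression guard for the setter's final `else` branch.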
13 changes: 10 additions & 3 deletions src/app/models/form.server.model.ts
Expand Up @@ -338,12 +338,19 @@ const compileFormModel = (db: Mongoose): IFormModel => {
// Do not allow authType to be changed if form is published
if (this.authType !== v && this.status === Status.Public) {
return this.authType
// Singpass/Corppass authentication is available for both email
// and storage mode
// Important - this case must come before the MyInfo/SGID + storage
// mode case, or else we may accidentally set Singpass/Corppass storage
// mode forms to AuthType.NIL
} else if ([AuthType.SP, AuthType.CP].includes(v)) {
return v
} else if (
this.responseMode === ResponseMode.Encrypt &&
v === AuthType.MyInfo
// SGID and MyInfo are not available for storage mode
(v === AuthType.MyInfo || v === AuthType.SGID)
) {
// Do not allow storage mode to have MyInfo authentication
return this.authType
return AuthType.NIL
} else {
return v
}
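Review bot: The new branch silently downgrades a requested SGID/MyInfo `authType` to `AuthType.NIL` for storage-mode forms, so a misconfigured request produces a form with no authentication rather than an error. Failing closed — a path validator that rejects the combination so the save throws `mongoose.Error.ValidationError`, as the spec already expects for at least one other malformed-params case — would surface the misconfiguration to the caller instead of quietly removing the auth requirement; if the silent coercion is deliberate, the comment on the `return AuthType.NIL` line should say so. Separately, the `[AuthType.SP, AuthType.CP].includes(v)` branch looks redundant: the following condition only matches MyInfo or SGID, so SP/CP values would reach the final `else` and be returned unchanged anyway, and the `Important - this case must come before the MyInfo/SGID + storage mode case` comment describes an ordering hazard the current condition does not appear to have. That comment block also sits inside the first `if` body after its `return`, where it reads as dead text; it belongs directly above the `} else if`. The setter's definition starts and ends outside this hunk.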

