From a1d58857831f28d7c50dd112b4b64f34faaef9b5 Mon Sep 17 00:00:00 2001 From: Antariksh Mahajan Date: Thu, 29 Jul 2021 18:11:41 +0800 Subject: [PATCH] fix(SGID): disallow SGID authentication in storage mode (#2468) * fix(SGID): prevent authType SGID in storage mode * test: add tests for invalid authType --- .../__tests__/form.server.model.spec.ts | 27 +++++++++++++++++++ src/app/models/form.server.model.ts | 13 ++++++--- 2 files changed, 37 insertions(+), 3 deletions(-) diff --git a/src/app/models/__tests__/form.server.model.spec.ts b/src/app/models/__tests__/form.server.model.spec.ts index dcba3215b9..19ad0a4755 100644 --- a/src/app/models/__tests__/form.server.model.spec.ts +++ b/src/app/models/__tests__/form.server.model.spec.ts @@ -12,6 +12,7 @@ import getFormModel, { getEncryptedFormModel, } from 'src/app/models/form.server.model' import { + AuthType, BasicField, EndPage, FormFieldWithId, @@ -568,6 +569,32 @@ describe('Form Model', () => { mongoose.Error.ValidationError, ) }) + + it('should set authType to NIL when given authType is MyInfo', async () => { + // Arrange + const malformedParams = merge({}, MOCK_ENCRYPTED_FORM_PARAMS, { + authType: AuthType.MyInfo, + }) + + // Act + const invalidForm = await EncryptedForm.create(malformedParams) + + // Assert + await expect(invalidForm.authType).toBe(AuthType.NIL) + }) + + it('should set authType to NIL when given authType is SGID', async () => { + // Arrange + const malformedParams = merge({}, MOCK_ENCRYPTED_FORM_PARAMS, { + authType: AuthType.SGID, + }) + + // Act + const invalidForm = await EncryptedForm.create(malformedParams) + + // Assert + await expect(invalidForm.authType).toBe(AuthType.NIL) + }) }) describe('Email form schema', () => { diff --git a/src/app/models/form.server.model.ts b/src/app/models/form.server.model.ts index b6b48ea238..719d91e2b6 100644 --- a/src/app/models/form.server.model.ts +++ b/src/app/models/form.server.model.ts @@ -338,12 +338,19 @@ const compileFormModel = (db: Mongoose): IFormModel => { // Do not allow authType to be changed if form is published if (this.authType !== v && this.status === Status.Public) { return this.authType + // Singpass/Corppass authentication is available for both email + // and storage mode + // Important - this case must come before the MyInfo/SGID + storage + // mode case, or else we may accidentally set Singpass/Corppass storage + // mode forms to AuthType.NIL + } else if ([AuthType.SP, AuthType.CP].includes(v)) { + return v } else if ( this.responseMode === ResponseMode.Encrypt && - v === AuthType.MyInfo + // SGID and MyInfo are not available for storage mode + (v === AuthType.MyInfo || v === AuthType.SGID) ) { - // Do not allow storage mode to have MyInfo authentication - return this.authType + return AuthType.NIL } else { return v }