fix(SGID): disallow SGID authentication in storage mode #2468

Merged (2 commits), Jul 29, 2021
27 changes: 27 additions & 0 deletions src/app/models/__tests__/form.server.model.spec.ts
Expand Up @@ -12,6 +12,7 @@ import getFormModel, {
getEncryptedFormModel,
} from 'src/app/models/form.server.model'
import {
AuthType,
BasicField,
EndPage,
FormFieldWithId,
Expand Down Expand Up @@ -568,6 +569,32 @@ describe('Form Model', () => {
mongoose.Error.ValidationError,
)
})

it('should set authType to NIL when given authType is MyInfo', async () => {
// Arrange
const malformedParams = merge({}, MOCK_ENCRYPTED_FORM_PARAMS, {
authType: AuthType.MyInfo,
})

// Act
const invalidForm = await EncryptedForm.create(malformedParams)

// Assert
await expect(invalidForm.authType).toBe(AuthType.NIL)
})

it('should set authType to NIL when given authType is SGID', async () => {
// Arrange
const malformedParams = merge({}, MOCK_ENCRYPTED_FORM_PARAMS, {
authType: AuthType.SGID,
})

// Act
const invalidForm = await EncryptedForm.create(malformedParams)

// Assert
await expect(invalidForm.authType).toBe(AuthType.NIL)
})
})

describe('Email form schema', () => {
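Review bot: the two new cases only exercise the storage-mode rejection path; since the model's setter comment says the SP/CP branch "must come before the MyInfo/SGID + storage mode case", add the positive cases that pin that ordering: an encrypt-mode form created with `AuthType.SP` keeps `AuthType.SP`, and an email-mode form created with `AuthType.SGID` keeps `AuthType.SGID`. Minor: `await expect(invalidForm.authType).toBe(AuthType.NIL)` awaits a synchronous matcher, so the `await` is a no-op and can be dropped; and `malformedParams`/`invalidForm` are misleading names here because `EncryptedForm.create` succeeds and the test asserts on the coerced value rather than on a `ValidationError` like the case just above.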
13 changes: 10 additions & 3 deletions src/app/models/form.server.model.ts
Expand Up @@ -338,12 +338,19 @@ const compileFormModel = (db: Mongoose): IFormModel => {
// Do not allow authType to be changed if form is published
if (this.authType !== v && this.status === Status.Public) {
return this.authType
// Singpass/Corppass authentication is available for both email
// and storage mode
// Important - this case must come before the MyInfo/SGID + storage
// mode case, or else we may accidentally set Singpass/Corppass storage
// mode forms to AuthType.NIL
} else if ([AuthType.SP, AuthType.CP].includes(v)) {
return v
} else if (
this.responseMode === ResponseMode.Encrypt &&
v === AuthType.MyInfo
// SGID and MyInfo are not available for storage mode
(v === AuthType.MyInfo || v === AuthType.SGID)
) {
// Do not allow storage mode to have MyInfo authentication
return this.authType
return AuthType.NIL
} else {
return v
}
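Review bot: with `return AuthType.NIL` replacing `return this.authType`, a storage-mode form that asks for MyInfo or SGID is now silently downgraded to no authentication instead of being rejected; since the setter gives the caller no error, the API layer or the form-creation response should make that downgrade visible, otherwise a form author can believe Singpass-based login is enforced on a form that has none. Separately, the new `[AuthType.SP, AuthType.CP].includes(v)` branch and its "must come before" comment overstate the risk: the following branch only matches `v === AuthType.MyInfo || v === AuthType.SGID`, so an SP/CP value would fall through to the final `else { return v }` regardless of order; either drop the branch or reword the comment so it does not describe a fall-through that cannot happen.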