From 1dcc26e77da2a690886e81cd500225dd5bf30788 Mon Sep 17 00:00:00 2001
From: LoneRifle
Date: Wed, 17 May 2023 21:31:25 +0800
Subject: [PATCH] feat(sgid): migrate to v2 (#542)

Make a breaking change to sgid, taking advantage of relatively low uptake, to encourage people to move to sgID v2
---
 README.md | 8 +++--
 lib/express/sgid.js | 81 ++++++++++++++++++++++++---------------------
 2 files changed, 48 insertions(+), 41 deletions(-)

diff --git a/README.md b/README.md
index 1c3c41a9..d7c4480b 100644
--- a/README.md
+++ b/README.md
@@ -44,9 +44,11 @@ MyInfo:
 - http://localhost:5156/myinfo/v3/person
 
 sgID:
- - http://localhost:5156/sgid/v1/oauth/authorize
- - http://localhost:5156/sgid/v1/oauth/token
- - http://localhost:5156/sgid/v1/oauth/userinfo
+ - http://localhost:5156/v2/oauth/authorize
+ - http://localhost:5156/v2/oauth/token
+ - http://localhost:5156/v2/oauth/userinfo
+ - http://localhost:5156/v2/.well-known/openid-configuration - OpenID discovery endpoint
+ - http://localhost:5156/v2/.well-known/jwks.json - JWKS endpoint which exposes the auth provider's signing keys
 
 Provide your application with the `spcp*` certs found in `static/certs`
 and with application certs at `static/certs/{key.pem|server.crt}`

diff --git a/lib/express/sgid.js b/lib/express/sgid.js
index c16b4a09..141b6619 100644
--- a/lib/express/sgid.js
+++ b/lib/express/sgid.js
@@ -12,7 +12,9 @@ const LOGIN_TEMPLATE = fs.readFileSync(
 'utf8',
 )
 
-const PATH_PREFIX = '/sgid/v1/oauth'
+const VERSION_PREFIX = '/v2'
+const OAUTH_PREFIX = '/oauth'
+const PATH_PREFIX = VERSION_PREFIX + OAUTH_PREFIX
 
 const signingPem = fs.readFileSync(
 path.resolve(__dirname, '../../static/certs/spcp-key.pem'),
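Review bot: The three new prefix constants carry no comment, and nothing tells a maintainer that `VERSION_PREFIX` is not only a route prefix but is also appended to the OIDC issuer string that ends up in the discovery document and in the ID token `iss` claim, so any later edit to it is a client-visible breaking change. I would add above `const VERSION_PREFIX = '/v2'` the comment `// VERSION_PREFIX is also appended to the issuer URL published by the discovery endpoint and signed into id_token.iss; relying parties that pin the issuer must be updated if it changes.` The same applies to `OAUTH_PREFIX`, which is interpolated into the advertised endpoint URLs as well as used for routing.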
@@ -77,7 +79,7 @@ function config(app, { showLoginPage, serviceProvider }) {
 `Profile ${JSON.stringify(profile)} with token scope ${scopes}`,
 )
 const accessToken = authCode
- const iss = `${req.protocol}://${req.get('host')}`
+ const iss = `${req.protocol}://${req.get('host') + VERSION_PREFIX}`
 const { idTokenClaims, refreshToken } = assertions.oidc.create.singPass(
 profile,
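Review bot: The issuer string is now hand-built here for the `iss` claim and again, with the same expression, for the discovery document further down in this file; OIDC relying parties reject an ID token whose `iss` does not match the `issuer` they fetched from discovery, so the two copies must never drift. I would factor it once, e.g. `const issuerFor = (req) => \`${req.protocol}://${req.get('host')}${VERSION_PREFIX}\`` next to the prefix constants, and use `const iss = issuerFor(req)` here and in the discovery handler. Note that both values derive from the client-supplied Host header and from `req.protocol`, which reports `http` behind a TLS-terminating proxy unless `trust proxy` is configured; that is pre-existing and acceptable for a mock, but worth a one-line comment since it determines what `iss` a relying party will see. The enclosing `config` function starts and ends outside this hunk.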
@@ -165,49 +167,52 @@ function config(app, { showLoginPage, serviceProvider }) {
 })
 })
 
- app.get('/.well-known/jwks.json', async (_req, res) => {
+ app.get(`${VERSION_PREFIX}/.well-known/jwks.json`, async (_req, res) => {
 const key = await jose.JWK.asKey(signingPem, 'pem')
 const jwk = key.toJSON()
 jwk.use = 'sig'
 res.json({ keys: [jwk] })
 })
 
- app.get('/.well-known/openid-configuration', async (req, res) => {
- const issuer = `${req.protocol}://${req.get('host')}`
+ app.get(
+ `${VERSION_PREFIX}/.well-known/openid-configuration`,
+ async (req, res) => {
+ const issuer = `${req.protocol}://${req.get('host') + VERSION_PREFIX}`
 
- res.json({
- issuer,
- authorization_endpoint: `${issuer}/${PATH_PREFIX}/authorize`,
- token_endpoint: `${issuer}/${PATH_PREFIX}/token`,
- userinfo_endpoint: `${issuer}/${PATH_PREFIX}/userinfo`,
- jwks_uri: `${issuer}/.well-known/jwks.json`,
- response_types_supported: ['code'],
- grant_types_supported: ['authorization_code'],
- // Note: some of these scopes are not yet officially documented
- // in https://docs.id.gov.sg/data-catalog
- // So they are not officially supported yet.
- scopes_supported: [
- 'openid',
- 'myinfo.nric_number',
- 'myinfo.name',
- 'myinfo.email',
- 'myinfo.sex',
- 'myinfo.race',
- 'myinfo.mobile_number',
- 'myinfo.registered_address',
- 'myinfo.date_of_birth',
- 'myinfo.passport_number',
- 'myinfo.passport_expiry_date',
- 'myinfo.nationality',
- 'myinfo.residentialstatus',
- 'myinfo.residential',
- 'myinfo.housingtype',
- 'myinfo.hdbtype',
- ],
- id_token_signing_alg_values_supported: ['RS256'],
- subject_types_supported: ['pairwise'],
- })
- })
+ res.json({
+ issuer,
+ authorization_endpoint: `${issuer}/${OAUTH_PREFIX}/authorize`,
+ token_endpoint: `${issuer}/${OAUTH_PREFIX}/token`,
+ userinfo_endpoint: `${issuer}/${OAUTH_PREFIX}/userinfo`,
+ jwks_uri: `${issuer}/.well-known/jwks.json`,
+ response_types_supported: ['code'],
+ grant_types_supported: ['authorization_code'],
+ // Note: some of these scopes are not yet officially documented
+ // in https://docs.id.gov.sg/data-catalog
+ // So they are not officially supported yet.
+ scopes_supported: [
+ 'openid',
+ 'myinfo.nric_number',
+ 'myinfo.name',
+ 'myinfo.email',
+ 'myinfo.sex',
+ 'myinfo.race',
+ 'myinfo.mobile_number',
+ 'myinfo.registered_address',
+ 'myinfo.date_of_birth',
+ 'myinfo.passport_number',
+ 'myinfo.passport_expiry_date',
+ 'myinfo.nationality',
+ 'myinfo.residentialstatus',
+ 'myinfo.residential',
+ 'myinfo.housingtype',
+ 'myinfo.hdbtype',
+ ],
+ id_token_signing_alg_values_supported: ['RS256'],
+ subject_types_supported: ['pairwise'],
+ })
+ },
+ )
 }
 
 const concatMyInfoRegAddr = (regadd) => {
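Review bot: The three OAuth endpoint URLs in the new discovery document contain a double slash: `issuer` already ends in `VERSION_PREFIX` (`/v2`) and `OAUTH_PREFIX` starts with `/oauth`, so `${issuer}/${OAUTH_PREFIX}/authorize` yields `…/v2//oauth/authorize`, which is not the `/v2/oauth/authorize` path documented in the README and, depending on how Express matches the routes registered elsewhere in this file, may not be routable at all; a relying party that takes `authorization_endpoint` verbatim from discovery would break. The old code had the same shape with `PATH_PREFIX`, but the commit rewrites these lines and keeps the slash. Change them to `authorization_endpoint: \`${issuer}${OAUTH_PREFIX}/authorize\``, `token_endpoint: \`${issuer}${OAUTH_PREFIX}/token\`` and `userinfo_endpoint: \`${issuer}${OAUTH_PREFIX}/userinfo\``; `jwks_uri` is already correct since `/.well-known/jwks.json` supplies its own slash and resolves to the route registered at the top of this hunk. The enclosing `config` function starts outside the hunk.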