Skip to content

Commit

Permalink
Add person endpoint, request validation
Browse files Browse the repository at this point in the history
* Bring in lodash as a direct dependency
* myinfo.json - rework to include both personas and valid fields
* Add `/person` and rewrite `/person-basic` endpoints, using a common
  template function that checks that requested fields are allowed, and
  that the requested uinfin is present
  • Loading branch information
LoneRifle committed Jan 11, 2019
1 parent b441e77 commit 6e03781
Show file tree
Hide file tree
Showing 5 changed files with 6,124 additions and 6,048 deletions.
6 changes: 3 additions & 3 deletions lib/assertions.js
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ const readFrom = p => fs.readFileSync(path.resolve(__dirname, p), 'utf8')
const TEMPLATE = readFrom('../static/saml/unsigned-assertion.xml')
const corpPassTemplate = readFrom('../static/saml/corppass.xml')

const MYINFO = JSON.parse(readFrom('../static/myinfo.json'))
const myinfo = JSON.parse(readFrom('../static/myinfo.json'))

const identities = {
singPass: [
Expand Down Expand Up @@ -47,7 +47,7 @@ const identities = {
'F1612358R',
'F1612354N',
'F1612357U',
...Object.keys(MYINFO),
...Object.keys(myinfo.personas),
],
corpPass: [
{ NRIC: 'S8979373D', UEN: '123456789A' },
Expand Down Expand Up @@ -78,5 +78,5 @@ module.exports = {
create: makeCorpPass,
},
identities,
MYINFO,
myinfo,
}
29 changes: 26 additions & 3 deletions lib/express.js
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
const bodyParser = require('body-parser')
const fs = require('fs')
const { pick, partition } = require('lodash')
const morgan = require('morgan')
const { render } = require('mustache')
const path = require('path')
Expand Down Expand Up @@ -81,9 +82,31 @@ function config (app, { showLoginPage, serviceProvider, idpConfig }) {
)
}

app.get('/myinfo/person-basic/:uinfin/', (req, res) => {
res.send(assertions.MYINFO[req.params.uinfin])
})
const lookupPerson = allowedAttributes => (req, res) => {
const requestedAttributes = (req.query.attributes || '').split(',')

const [attributes, disallowedAttributes] = partition(
requestedAttributes,
v => allowedAttributes.includes(v)
)

if (disallowedAttributes.length > 0) {
res.status(401).send({ code: 401, message: 'Disallowed', fields: disallowedAttributes.join(',') })
} else {
const persona = assertions.myinfo.personas[req.params.uinfin]
res.status(persona ? 200 : 404)
.send(
persona
? pick(persona, attributes)
: { code: 404, message: 'Not Found', fields: req.params.uinfin }
)
}
}

const allowedAttributes = assertions.myinfo.attributes

app.get('/myinfo/person-basic/:uinfin/', lookupPerson(allowedAttributes.basic))
app.get('/myinfo/person/:uinfin/', lookupPerson([...allowedAttributes.basic, ...allowedAttributes.income]))

return app
}
Expand Down
6 changes: 3 additions & 3 deletions package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions package.json
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@
"dependencies": {
"base-64": "^0.1.0",
"express": "^4.16.3",
"lodash": "^4.17.11",
"morgan": "^1.9.1",
"mustache": "^2.3.2",
"xml-crypto": "^1.1.1",
Expand Down
Loading

0 comments on commit 6e03781

Please sign in to comment.