fix(myinfo): generate base string straight from params

Rework context object to be snake_case for easy interpolation into base string
opengovsg · Nov 8, 2022 · 846b67e · 846b67e
1 parent cd7ea43
commit 846b67e
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 61 deletions.
diff --git a/lib/crypto/myinfo-signature.js b/lib/crypto/myinfo-signature.js
@@ -1,72 +1,44 @@
 const _ = require('lodash')
+const qs = require('node:querystring')
 
 const pki = function pki(authHeader, req, context = {}) {
   const authHeaderFieldPairs = _(authHeader)
     .replace(/"/g, '')
     .split(',')
     .map((v) => v.replace('=', '~').split('~'))
 
-  const authHeaderFields = _(authHeaderFieldPairs)
-    .fromPairs()
-    .mapKeys((_v, k) => _.camelCase(k))
-    .value()
+  const authHeaderFields = Object.fromEntries(authHeaderFieldPairs)
 
   const url = `${req.protocol}://${req.get('host')}${req.baseUrl}${req.path}`
 
-  const { clientSecret, redirectURI } = context
-
-  const {
-    method: httpMethod,
-    query: { attributes, sp_esvcId },
-  } = req
-
-  const { code } = req.body || {}
-
-  const {
-    signature,
-    appId,
-    appId: clientId,
-    nonce,
-    timestamp,
-  } = authHeaderFields
-  return {
-    signature,
-    baseString: req.path.endsWith('/token')
-      ? httpMethod.toUpperCase() +
-        '&' +
-        url +
-        '&app_id=' +
-        appId +
-        '&client_id=' +
-        clientId +
-        '&client_secret=' +
-        clientSecret +
-        '&code=' +
-        code +
-        '&grant_type=authorization_code' +
-        '&nonce=' +
-        nonce +
-        '&redirect_uri=' +
-        redirectURI +
-        '&signature_method=RS256' +
-        '&timestamp=' +
-        timestamp
-      : httpMethod.toUpperCase() +
-        '&' +
-        url +
-        '&app_id=' +
-        appId +
-        '&attributes=' +
-        attributes +
-        '&client_id=' +
-        clientId +
-        '&nonce=' +
-        nonce +
-        '&signature_method=RS256' +
-        (req.path.includes('/person-basic') ? '&sp_esvcId=' + sp_esvcId : '') +
-        '&timestamp=' +
-        timestamp,
-  }
+  const { method: httpMethod, query } = req
+
+  const { signature, app_id, nonce, timestamp } = authHeaderFields
+
+  const params = Object.assign(
+    {},
+    query,
+    {
+      nonce,
+      app_id,
+      signature_method: 'RS256',
+      timestamp,
+    },
+    context.client_secret && context.redirect_uri ? context : {},
+  )
+
+  const sortedParams = Object.fromEntries(
+    Object.entries(params).sort(([k1], [k2]) => k1.localeCompare(k2)),
+  )
+
+  const baseString =
+    httpMethod.toUpperCase() +
+    '&' +
+    url +
+    '&' +
+    qs.unescape(qs.stringify(sortedParams))
+
+  return { signature, baseString }
 }
 
 module.exports = { pki }
diff --git a/lib/express/myinfo/controllers.js b/lib/express/myinfo/controllers.js
@@ -132,14 +132,14 @@ module.exports =
         type: 'application/x-www-form-urlencoded',
       }),
       (req, res) => {
-        const [tokenTemplate, redirectURI] =
+        const [tokenTemplate, redirect_uri] =
           consent.authorizations[req.body.code]
         const [, authHeader] = (req.get('Authorization') || '').split(' ')
 
         const { signature, baseString } = MYINFO_SECRET
           ? myInfoSignature(authHeader, req, {
-              clientSecret: MYINFO_SECRET,
-              redirectURI,
+              client_secret: MYINFO_SECRET,
+              redirect_uri,
             })
           : {}