Merge pull request #99 from GovTechSG/update-tests-pkce-login

[MISC][RG] update convenience test suites with PKCE login flow

Author: monK87

.env.sample

@@ -1,3 +1,6 @@
+# ==============================================================================
+# MyInfo
+# ==============================================================================
 SINGPASS_ESERVICE_ID=
 MY_INFO_ENVIRONMENT=
 MY_INFO_PUBLIC_CERT=

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelogs
 
+## x.x.x
+
+-   Update convenience test suite to include SingPass login with PKCE
+
 ## 8.4.6
 
 -   Add `codeVerifier` for new singpass integration

README.md

@@ -13,6 +13,13 @@ Use this module to build client applications that can:
 
 ---
 
+## Testing your SingPass / MyInfo client setup and secrets
+
+- These tests will allow you to check if your IDs / keys / certs / JWK endpoints/objects
+are correctly setup
+- Use `singpass-helper-ndi-ext.spec.ts` to test login and retrieval of tokens
+- After logging in use `myinfo.ext.spec.ts` to test retrieval of myinfo data
+
 ## MyInfo
 
 ---

src/myinfo/helper/__tests__/myinfo.ext.spec.ts

@@ -3,6 +3,12 @@ import { configs } from "./test.configs";
 import { set } from "lodash";
 import { aliasName } from "../../fake/profiles/common";
 
+/**
+ * Convenience tests for MyInfo config / integration
+ * 1. fill in the `testNric`
+ * 2. .env variables must be set, make a copy of `.env.sample`
+ * 3. `singpassEserviceID` is not the SingPass AppId. It looks like STG-T12345678-LOGIN-xxxxxxxx
+ */
 describe("MyInfoClient", () => {
 	describe("STAGING Person basic API V3", () => {
 		it("should use the available env variables, call myinfo, and get back person", async () => {

src/singpass/__tests__/singpass-helper-ndi.ext.spec.ts

@@ -3,13 +3,17 @@ import { KeyFormat } from "../../util/KeyUtil";
 import { logger } from "../../util/Logger";
 import { NdiOidcHelper, NdiOidcHelperConstructor } from "../singpass-helper-ndi";
 import { configs } from "./test.configs";
+import { generators } from "openid-client";
+const expectedUinfin = ""; // FIXME: fill in with expected uinfin
 
 /**
  * Convenience tests for NDI OIDC config / integration
- * - Use the first test to generate auth url and login with your account
- * - then fill up info on second test to verify your setup/keys work
- * - if public keys are not yet deployed to well known endpoint one will need to set the app on SP portal to use JWKS object
- * .env variables must be set
+ * 1. Fill up the FIXME: for expectedUinfin
+ * 2. Use the first test to generate auth url and login with your account, then fill up FIXME:
+ * 		on second test to verify your setup/keys work (authcode comes from the `code` param in the redirect after login)
+ * 3. If public keys are not yet deployed to well known endpoint (or it's not possible to expose such endpoints),
+ * 		one will need to set the client app on SP dev portal to use JWKS object
+ * 4. .env variables must be set, make a copy of .env.sample
  */
 describe.skip("Singpass NDI OIDC integration", () => {
 	const props: NdiOidcHelperConstructor = {
@@ -26,33 +30,61 @@ describe.skip("Singpass NDI OIDC integration", () => {
 		},
 	};
 
-	fdescribe("construct authorization url", () => {
-		// extract the code after successful login and browser redirect from the callback
-		// {callbackEndpoint}?code={CODE-HERE}&state=xxx
+	describe("integration tester for Ndi OIDC", () => {
+		describe("construct authorization url", () => {
 		it("should successfully construct authorization url", async () => {
-			const spNdiHelper = new NdiOidcHelper(props);
-			const nonce = Date.now() + "";
-			const state = nonce + "-state";
-			const authorizationUrl = await spNdiHelper.constructAuthorizationUrl(state, nonce);
-			logger.debug("authorizationUrl: ", authorizationUrl);
+				await constructAuthorizationUrlHelper();
+			});
+		});
+
+		describe("get user identity after successful redirect with auth code", () => {
+			it("should successfully extract nric and uuid", async () => {
+				const authCode = ""; // FIXME: fill in with authCode
+				const nric = await extractNricHelper(authCode);
+				expect(nric).toMatch(expectedUinfin);
+			});
 		});
 	});
 
-	xdescribe("get user identity after successful redirect with auth code", () => {
+	describe("integration tester for Ndi OIDC with PKCE", () => {
+		describe("construct authorization url", () => {
+			it("should successfully construct authorization url", async () => {
+				await constructAuthorizationUrlHelper(true);
+			});
+		});
+
+		describe("get user identity after successful redirect with auth code", () => {
 		it("should successfully extract nric and uuid", async () => {
-			const authCode = ""; // FIXME: fill in with authcode
-			const expectedUinfin = ""; // FIXME: fill in with expected uinfin
+				const authCode = ""; // FIXME: fill in with authCode
+				const codeVerifier = ""; // FIXME: fill in with codeVerifier
+				const nric = await extractNricHelper(authCode, codeVerifier);
+				expect(nric).toMatch(expectedUinfin);
+			});
+		});
+	});
+
+	const constructAuthorizationUrlHelper = async (pkceFlow?: boolean) => {
+		const spNdiHelper = new NdiOidcHelper(props);
+		const nonce = Date.now() + "";
+		const state = nonce + "-state";
+		const codeVerifier = pkceFlow ? generators.codeVerifier() : undefined;
+		const authorizationUrl = await spNdiHelper.constructAuthorizationUrl(state, nonce, codeVerifier);
+		logger.debug("authorizationUrl: ", authorizationUrl);
+		codeVerifier && logger.debug("codeVerifier: ", codeVerifier);
+	};
+
+	const extractNricHelper = async (authCode: string, codeVerifier?: string) => {
 			const spNdiHelper = new NdiOidcHelper(props);
 
-			const tokens = await spNdiHelper.getTokens(authCode);
+		const tokens = await spNdiHelper.getTokens(authCode, codeVerifier);
 			logger.debug("tokens", tokens);
 
 			const tokenPayload = await spNdiHelper.getIdTokenPayload(tokens);
 			logger.debug("tokenPayload", tokenPayload);
 
 			const { nric } = await spNdiHelper.extractNricAndUuidFromPayload(tokenPayload);
 			logger.debug("nric", nric);
-			expect(nric).toMatch(expectedUinfin);
-		});
-	});
+
+		return nric;
+	};
 });