[MOL-13183][SW] add getUserInfo method

- deprecated non-PKCE flow methods

Author: shawn wee

src/singpass/singpass-helper-ndi.ts

@@ -1,13 +1,13 @@
 import { AxiosInstance, AxiosProxyConfig } from "axios";
+import { generators } from "openid-client";
 import * as querystringUtil from "querystring";
 import { createClient } from "../client/axios-client";
 import { JweUtil } from "../util";
 import { SingpassMyInfoError } from "../util/error/SingpassMyinfoError";
-import { logger } from "../util/Logger";
-import { TokenPayload, TokenResponse } from "./shared-constants";
 import { Key } from "../util/KeyUtil";
+import { logger } from "../util/Logger";
 import { createClientAssertion } from "../util/SigningUtil";
-import { generators } from "openid-client";
+import { TokenPayload, TokenResponse } from "./shared-constants";
 
 export interface NdiOidcHelperConstructor {
 	oidcConfigUrl: string;
@@ -21,6 +21,7 @@ export interface NdiOidcHelperConstructor {
 interface OidcConfig {
 	issuer: string;
 	authorization_endpoint: string;
+	userinfo_endpoint: string;
 	token_endpoint: string;
 	jwks_uri: string;
 }
@@ -117,19 +118,58 @@ export class NdiOidcHelper {
 			logger.error("Failed to get ID token: invalid response data", response.data);
 			throw new SingpassMyInfoError("Failed to get ID token");
 		}
+		if (!response.data.access_token) {
+			logger.error("Failed to get access token: invalid response data", response.data);
+			throw new SingpassMyInfoError("Failed to get access token");
+		}
 		return response.data;
 	};
 
+	public getUserInfo = async (jweResponse: string, overrideDecryptKey?: Key) => {
+		try {
+			const keys = await this.getKeys();
+
+			const finalDecryptionKey = overrideDecryptKey ?? this.jweDecryptKey;
+			const decryptedJwe = await JweUtil.decryptJWE(
+				jweResponse,
+				finalDecryptionKey.key,
+				finalDecryptionKey.format,
+			);
+			const jwsPayload = decryptedJwe.payload.toString();
+			try {
+				const verified = await JweUtil.verifyJwsUsingKeyStore(jwsPayload, keys);
+				return JSON.parse(verified.payload.toString()) as TokenPayload;
+			} catch (e) {
+				logger.error("could not verify user info payload", e);
+				throw e;
+			}
+		} catch (e) {
+			logger.error("Failed to get user info", e);
+			throw e;
+		}
+	};
+
+	private getKeys = async () => {
+		const { jwks_uri } = await this.oidcConfig;
+		const {
+			data: { keys },
+		} = await this.axiosClient.get<{ keys: object[] }>(jwks_uri);
+
+		return keys;
+	};
+
+	// =============================================================================
+	// Deprecated
+	// =============================================================================
 	/**
+	 * @deprecated should not be used with full NDI PKCE flow
+	 *
 	 * Decrypts the ID Token JWT inside the TokenResponse to get the payload
 	 * Use extractNricAndUuidFromPayload on the returned Token Payload to get the NRIC and UUID
 	 */
 	public async getIdTokenPayload(tokens: TokenResponse, overrideDecryptKey?: Key): Promise<TokenPayload> {
 		try {
-			const { jwks_uri } = await this.oidcConfig;
-			const {
-				data: { keys },
-			} = await this.axiosClient.get<{ keys: object[] }>(jwks_uri);
+			const keys = await this.getKeys();
 
 			const { id_token } = tokens;
 
@@ -150,6 +190,8 @@ export class NdiOidcHelper {
 	}
 
 	/**
+	 * @deprecated should not be used with full NDI PKCE flow
+	 *
 	 * Returns the nric and uuid from the token payload
 	 */
 	public extractNricAndUuidFromPayload(payload: TokenPayload): { nric: string; uuid: string } {