ATO-745: Identity Support For User Info #111
Conversation
BenjaminWCO
force-pushed
the
ATO-745-Identity-For-User-Info
branch
7 times, most recently
from
db5fc9d
to
64f59e4
Compare
CarlyG55
force-pushed
the
ATO-745-Identity-For-User-Info
branch
from
64f59e4
to
0a6d93c
Compare
BenjaminWCO
force-pushed
the
ATO-745-Identity-For-User-Info
branch
from
0a6d93c
to
fc41225
Compare
|
Can you remove the return codes validation? Since we definitely won't be validating these |
src/config.ts
Outdated
| this.clientId = process.env.CLIENT_ID ?? "HGIOgho9HIRhgoepdIOPFdIUWgewi0jw"; | ||
| this.publicKey = process.env.PUBLIC_KEY ?? defaultPublicKey; | ||
| this.scopes = process.env.SCOPES | ||
| ? process.env.SCOPES.split(",") | ||
| : ["openid", "email", "phone"]; | ||
| this.redirectUrls = process.env.REDIRECT_URLS | ||
| ? process.env.REDIRECT_URLS.split(",") | ||
| : ["http://localhost:8080/authorization-code/callback"]; | ||
| this.claims = process.env.CLAIMS | ||
| ? (process.env.CLAIMS.split(",") as (keyof UserIdentity)[]) | ||
| : ["https://vocab.account.gov.uk/v1/coreIdentityJWT"]; | ||
| this.identityVerificationSupported = | ||
| process.env.IDENTITY_VERIFICATION_SUPPORTED !== "false"; | ||
| this.idTokenSigningAlgorithm = | ||
| process.env.ID_TOKEN_SIGNING_ALGORITHM ?? "ES256"; | ||
| this.clientLoCs = process.env.CLIENT_LOCS | ||
| ? process.env.CLIENT_LOCS.split(",") | ||
| : ["P0", "P2"]; | ||
|
|
||
| this.sub = | ||
| process.env.SUB ?? | ||
| "urn:fdc:gov.uk:2022:56P4CMsGh_02YOlWpd8PAOI-2sVlB2nsNU7mcLZYhYw="; | ||
| this.email = process.env.EMAIL ?? "john.smith@gmail.com"; | ||
| this.emailVerified = process.env.EMAIL_VERIFIED !== "false"; | ||
| this.phoneNumber = process.env.PHONE_NUMBER ?? "07123456789"; | ||
| this.phoneNumberVerified = process.env.PHONE_NUMBER_VERIFIED !== "false"; | ||
|
|
There was a problem hiding this comment.
Is there a reason we moved from the more nested structure that was introduced here?https://github.com/govuk-one-login/simulator/pull/46/files
There was a problem hiding this comment.
The reason is that some properties may be optional in the config request, but must have a value (i.e. some default) so the types don't necessarily align. I suppose an alternative might be to fall back to the defaults from the setters rather than setting them in the constructor. Thoughts?
There was a problem hiding this comment.
Reverted this. Using "!" assertion in getters when needed.
src/types/driving-permit-details.ts
Outdated
| export const generateDrivingPermitPropertyValidators = ( | ||
| parent?: string | ||
| ): ValidationChain[] => { | ||
| const prefix = parent ? `${parent}.` : ""; |
There was a problem hiding this comment.
Do these property validators ever have the value of parent passed in? It looks like they don't, if so we could simplify the code a bit. Appreciate I may be missing something here, so happy to be told otherwise 🙂
There was a problem hiding this comment.
I don't know if this is a good pattern, but it was the best way I could think of. Most of the time it is set, because you have to describe the full chain of properties from the root object. The only case it's unset is for the root object (so ConfigRequest). ConfigRequest could simply not take the optional parameter and all the other types could require it. The reason for duplicating the prefix logic for all the types is just for a consistent pattern. Potentially useful If you had a type that could appear in different locations in a request body.
| } | ||
|
|
||
| export const generateClientConfigurationPropertyValidators = ( |
There was a problem hiding this comment.
I'm not super familiar with these validators, they seem pretty readable, but some tests for these might be nice 🙂
There was a problem hiding this comment.
I've added a few examples in the config integration test. We could add some more thorough tests, tough I'm not sure what the best way to do that would be. Given the way express-validator runs as a middleware, the simplest way would be to add a bunch more test cases to the config endpoint integration test, but given it's an endpoint that's in a state of flux at the moment that might be quite brittle.
There was a problem hiding this comment.
We could come up with some tests helper function that spins up an express server with some test endpoint and pass in the validator to that. That might be a nice way to test validating each type individually.
There was a problem hiding this comment.
I've adde the helper function and some individual tests for validated types.
src/types/identity.ts
Outdated
| .isURL() | ||
| .optional({ values: "null" }), | ||
| body(`${prefix}${nameof<Identity>("sub")}`) | ||
| .isURL() |
There was a problem hiding this comment.
Quite a few of these the isURL method called, I wouldn't expect most of them to be valid URLs. Is this correct?
There was a problem hiding this comment.
I think you're right - iss and sub should just validated to be strings.
There was a problem hiding this comment.
Removed this type as coreIdentityJWT is being generated now
| if ( | ||
| validationResult.claims?.includes( | ||
| "https://vocab.account.gov.uk/v1/inheritedIdentityJWT" | ||
| ) | ||
| ) { | ||
| const inheritedIdentity = config.getInheritedIdentityDetails(); | ||
| userInfo["https://vocab.account.gov.uk/v1/inheritedIdentityJWT"] = | ||
| await new SignJWT(inheritedIdentity as any) | ||
| .setProtectedHeader({ | ||
| alg: "ES256", | ||
| }) | ||
| .sign(signingKey); | ||
| } |
There was a problem hiding this comment.
This is not something that is returned in the user info endpoint. This is a slight abuse of the spec for HMRC to pass us additional information about a user
There was a problem hiding this comment.
I'm really hesitant about the amount of validation we're doing here. We don't own the schema for the validations we're performing, and there's no way to ensure this stays correct and up to date. I happen to know, for example, that new fields will soon be valid in address objects. There's no real way for us to test that this validation matches the information returned by One Login. In general I think we should avoid providing functionality unless we can be confident that we can ensure it stays correct.
| userInfo["https://vocab.account.gov.uk/v1/coreIdentityJWT"] = | ||
| await new SignJWT(coreIdentity as any) | ||
| .setProtectedHeader({ | ||
| alg: "ES256", |
There was a problem hiding this comment.
Think we're missing a kid here?
src/types/identity.ts
Outdated
| vot?: string; | ||
| vtm?: string; | ||
| iss?: string; | ||
| sub?: string; | ||
| nbf?: number; | ||
| exp?: number; | ||
| aud?: string; | ||
| iat?: number; | ||
| jti?: string; |
There was a problem hiding this comment.
Added - vot and vc are configurable. The other fields are now generated.
src/types/identity.ts
Outdated
| vot?: string; | ||
| vtm?: string; | ||
| iss?: string; | ||
| sub?: string; | ||
| nbf?: number; | ||
| exp?: number; | ||
| aud?: string; | ||
| iat?: number; | ||
| jti?: string; |
There was a problem hiding this comment.
Feels like we should be setting some sensible defaults for some of these?
There was a problem hiding this comment.
As above - vot and vc are configurable. The other fields are now generated.
BenjaminWCO
force-pushed
the
ATO-745-Identity-For-User-Info
branch
3 times, most recently
from
2e110ac
to
9ef2f0c
Compare
BenjaminWCO
force-pushed
the
ATO-745-Identity-For-User-Info
branch
2 times, most recently
from
8b1ffb1
to
ddd20b9
Compare
BenjaminWCO
force-pushed
the
ATO-745-Identity-For-User-Info
branch
from
ddd20b9
to
1c5dd66
Compare
|
BAU: