ref: migrate encrypt spcp verified content flow to own verified-content module

package.json

@@ -149,6 +149,7 @@
     "text-encoding": "^0.7.0",
     "toastr": "^2.1.4",
     "triple-beam": "^1.3.0",
+    "ts-essentials": "^7.0.1",
     "tweetnacl": "^1.0.1",
     "twilio": "^3.54.1",
     "ui-select": "^0.19.8",
@@ -259,4 +260,4 @@
     "webpack-merge": "^4.1.3",
     "worker-loader": "^2.0.0"
   }
-}
+}

src/app/factories/webhook-verified-content.factory.js

@@ -1,18 +1,13 @@
 const webhook = require('../modules/webhook/webhook.controller')
-const spcp = require('../controllers/spcp.server.controller')
 const featureManager = require('../../config/feature-manager').default
 
 const webhookVerifiedContentFactory = ({ isEnabled, props }) => {
   if (isEnabled && props) {
     return {
-      encryptedVerifiedFields: spcp.encryptedVerifiedFields(
-        props.signingSecretKey,
-      ),
       post: webhook.post,
     }
   } else {
     return {
-      encryptedVerifiedFields: (req, res, next) => next(),
       post: (req, res, next) => next(),
     }
   }

src/app/modules/form/admin-form/admin-form.utils.ts

@@ -1,9 +1,9 @@
 import { StatusCodes } from 'http-status-codes'
 import { err, ok, Result } from 'neverthrow'
+import { UnreachableCaseError } from 'ts-essentials'
 
 import { createLoggerWithLabel } from '../../../../config/logger'
 import { IPopulatedForm, ResponseMode, Status } from '../../../../types'
-import { assertUnreachable } from '../../../utils/assert-unreachable'
 import {
   ApplicationError,
   DatabaseConflictError,
@@ -206,7 +206,7 @@ export const getAssertPermissionFn = (level: PermissionLevel): AssertFormFn => {
     case PermissionLevel.Delete:
       return assertHasDeletePermissions
     default:
-      return assertUnreachable(level)
+      throw new UnreachableCaseError(level)
   }
 }
 

src/app/modules/form/form.service.ts

@@ -1,10 +1,10 @@
 import mongoose from 'mongoose'
 import { err, errAsync, ok, okAsync, Result, ResultAsync } from 'neverthrow'
+import { UnreachableCaseError } from 'ts-essentials'
 
 import { createLoggerWithLabel } from '../../../config/logger'
 import { IFormSchema, IPopulatedForm, Status } from '../../../types'
 import getFormModel from '../../models/form.server.model'
-import { assertUnreachable } from '../../utils/assert-unreachable'
 import { getMongoErrorMessage } from '../../utils/handle-mongo-error'
 import { ApplicationError, DatabaseError } from '../core/core.errors'
 
@@ -117,6 +117,6 @@ export const isFormPublic = (
     case Status.Private:
       return err(new PrivateFormError(form.inactiveMessage, form.title))
     default:
-      return assertUnreachable(form.status)
+      throw new UnreachableCaseError(form.status)
   }
 }

src/app/modules/form/form.utils.ts

@@ -1,7 +1,12 @@
 import { pick } from 'lodash'
 import { Merge } from 'type-fest'
 
-import { IPopulatedForm } from 'src/types'
+import {
+  IEncryptedFormSchema,
+  IFormSchema,
+  IPopulatedForm,
+  ResponseMode,
+} from '../../../types'
 
 // Kept in this file instead of form.types.ts so that this can be kept in sync
 // with FORM_PUBLIC_FIELDS more easily.
@@ -55,3 +60,14 @@ export const removePrivateDetailsFromForm = (
     admin: pick(form.admin, 'agency'),
   }
 }
+
+/**
+ * Typeguard to check if given form is an encrypt mode form.
+ * @param form the form to check
+ * @returns true if form is encrypt mode form, false otherwise.
+ */
+export const isFormEncryptMode = (
+  form: IFormSchema | IPopulatedForm,
+): form is IEncryptedFormSchema => {
+  return form.responseMode === ResponseMode.Encrypt
+}

src/app/modules/spcp/spcp.errors.ts

@@ -1,5 +1,6 @@
 import { AuthType } from '../../../types'
 import { ApplicationError } from '../../modules/core/core.errors'
+
 /**
  * Error while creating redirect URL
  */
@@ -36,7 +37,7 @@ export class VerifyJwtError extends ApplicationError {
   }
 }
 
-/*
+/**
  * Invalid OOB params passed to login endpoint.
  */
 export class InvalidOOBParamsError extends ApplicationError {

src/app/modules/submission/__tests__/submission/submission.utils.spec.ts

@@ -50,7 +50,7 @@ describe('submission.utils', () => {
       const invalidResponseMode = 'something' as ResponseMode
       // Act + Assert
       expect(() => getModeFilter(invalidResponseMode)).toThrowError(
-        `This should never be reached in TypeScript: "${invalidResponseMode}"`,
+        `Unreachable case: ${invalidResponseMode}`,
       )
     })
   })

src/app/modules/submission/submission.utils.ts

@@ -1,5 +1,6 @@
+import { UnreachableCaseError } from 'ts-essentials'
+
 import { BasicField, ResponseMode } from '../../../types'
-import { assertUnreachable } from '../../utils/assert-unreachable'
 import { FIELDS_TO_REJECT } from '../../utils/field-validation/config'
 
 type ModeFilterParam = {
@@ -15,7 +16,7 @@ export const getModeFilter = (
     case ResponseMode.Encrypt:
       return encryptModeFilter
     default:
-      return assertUnreachable(responseMode)
+      throw new UnreachableCaseError(responseMode)
   }
 }
 

src/app/modules/verified-content/verified-content.errors.ts

@@ -0,0 +1,19 @@
+import { ApplicationError } from '../core/core.errors'
+
+/**
+ * Verified content has the wrong shape
+ */
+export class MalformedVerifiedContentError extends ApplicationError {
+  constructor(message = 'Verified content is malformed') {
+    super(message)
+  }
+}
+
+/**
+ * Error to be returned when verified content fails to be encrypted.
+ */
+export class EncryptVerifiedContentError extends ApplicationError {
+  constructor(message = 'Failed to encrypt verified content') {
+    super(message)
+  }
+}

src/app/modules/verified-content/verified-content.factory.ts

@@ -0,0 +1,66 @@
+import { err } from 'neverthrow'
+
+import FeatureManager, {
+  FeatureNames,
+  RegisteredFeature,
+} from '../../../config/feature-manager'
+import { MissingFeatureError } from '../core/core.errors'
+
+import {
+  EncryptVerifiedContentError,
+  MalformedVerifiedContentError,
+} from './verified-content.errors'
+import * as VerifiedContentService from './verified-content.service'
+import {
+  CpVerifiedContent,
+  EncryptVerificationContentParams,
+  FactoryVerifiedContentResult,
+  GetVerifiedContentParams,
+  SpVerifiedContent,
+} from './verified-content.types'
+
+interface IVerifiedContentFactory {
+  getVerifiedContent: (
+    params: GetVerifiedContentParams,
+  ) => FactoryVerifiedContentResult<
+    CpVerifiedContent | SpVerifiedContent,
+    MalformedVerifiedContentError
+  >
+  encryptVerifiedContent: (
+    params: EncryptVerificationContentParams,
+  ) => FactoryVerifiedContentResult<string, EncryptVerifiedContentError>
+}
+
+const verifiedContentFeature = FeatureManager.get(
+  FeatureNames.WebhookVerifiedContent,
+)
+
+export const createVerifiedContentFactory = ({
+  isEnabled,
+  props,
+}: RegisteredFeature<FeatureNames.WebhookVerifiedContent>): IVerifiedContentFactory => {
+  // Feature is enabled and valid.
+  if (isEnabled && props?.signingSecretKey) {
+    return {
+      getVerifiedContent: VerifiedContentService.getVerifiedContent,
+      // Pass in signing secret key from feature manager.
+      encryptVerifiedContent: ({ verifiedContent, formPublicKey }) =>
+        VerifiedContentService.encryptVerifiedContent({
+          verifiedContent,
+          formPublicKey,
+          signingSecretKey: props.signingSecretKey,
+        }),
+    }
+  }
+
+  return {
+    getVerifiedContent: () =>
+      err(new MissingFeatureError(FeatureNames.WebhookVerifiedContent)),
+    encryptVerifiedContent: () =>
+      err(new MissingFeatureError(FeatureNames.WebhookVerifiedContent)),
+  }
+}
+
+export const VerifiedContentFactory = createVerifiedContentFactory(
+  verifiedContentFeature,
+)

src/app/modules/verified-content/verified-content.middlewares.ts

@@ -0,0 +1,69 @@
+import { RequestHandler } from 'express'
+import { StatusCodes } from 'http-status-codes'
+
+import { createLoggerWithLabel } from '../../../config/logger'
+import { AuthType, WithForm } from '../../../types'
+import { createReqMeta } from '../../utils/request'
+import { MissingFeatureError } from '../core/core.errors'
+import { isFormEncryptMode } from '../form/form.utils'
+
+import { VerifiedContentFactory } from './verified-content.factory'
+
+const logger = createLoggerWithLabel(module)
+
+export const encryptVerifiedSpcpFields: RequestHandler = (req, res, next) => {
+  const { form } = req as WithForm<typeof req>
+
+  // Early return if this is not a Singpass/Corppass submission.
+  if (form.authType === AuthType.NIL) {
+    return next()
+  }
+
+  const logMeta = {
+    action: 'encryptVerifiedSpcpFields',
+    formId: form._id,
+    ...createReqMeta(req),
+  }
+
+  if (!isFormEncryptMode(form)) {
+    logger.error({
+      message: 'encryptVerifiedSpcpFields called on non-encrypt mode form',
+      meta: logMeta,
+    })
+    return res.status(StatusCodes.UNPROCESSABLE_ENTITY).send({
+      message:
+        'Unable to encrypt verified SPCP fields on non storage mode forms',
+    })
+  }
+
+  const encryptVerifiedContentResult = VerifiedContentFactory.getVerifiedContent(
+    { type: form.authType, data: res.locals },
+  ).andThen((verifiedContent) =>
+    VerifiedContentFactory.encryptVerifiedContent({
+      verifiedContent,
+      formPublicKey: form.publicKey,
+    }),
+  )
+
+  if (encryptVerifiedContentResult.isErr()) {
+    const { error } = encryptVerifiedContentResult
+    logger.error({
+      message: 'Unable to encrypt verified content',
+      meta: logMeta,
+      error,
+    })
+
+    // Passthrough if feature is not activated.
+    if (error instanceof MissingFeatureError) {
+      return next()
+    }
+
+    return res
+      .status(StatusCodes.BAD_REQUEST)
+      .json({ message: 'Invalid data was found. Please submit again.' })
+  }
+
+  // No errors, set local variable to the encrypted string.
+  res.locals.verified = encryptVerifiedContentResult.value
+  return next()
+}