Release v1.50.0 (#1141)

feat: SSO login

Author: kevinkim-ogp

ecs/env.json

@@ -245,6 +245,18 @@
     {
       "name": "TILES_POSTGRES_PORT",
       "valueFrom": "plumber-<ENVIRONMENT>-tiles-rds-port"
+    },
+    {
+      "name": "SSO_CLIENT_ID",
+      "valueFrom": "plumber-<ENVIRONMENT>-sso-client-id"
+    },
+    {
+      "name": "SSO_CLIENT_SECRET",
+      "valueFrom": "plumber-<ENVIRONMENT>-sso-client-secret"
+    },
+    {
+      "name": "SSO_DISCOVERY_URL",
+      "valueFrom": "plumber-<ENVIRONMENT>-sso-discovery-url"
     }
   ]
-}
+}

package-lock.json

@@ -61,4 +61,9 @@ M365_LOCAL_DEV_CLIENT_ID=...
 M365_LOCAL_DEV_CLIENT_THUMBPRINT=...
 M365_LOCAL_DEV_CLIENT_PRIVATE_KEY=...
 M365_LOCAL_DEV_ALLOWED_SENSITIVITY_LABEL_GUIDS_CSV=11111111-1111-1111-1111-111111111111
-M365_EXCEL_INTERVAL_BETWEEN_ACTIONS_MS=1000
+M365_EXCEL_INTERVAL_BETWEEN_ACTIONS_MS=1000
+
+# SSO LOGIN
+SSO_CLIENT_ID=...
+SSO_CLIENT_SECRET=...
+SSO_DISCOVERY_URL=...

packages/backend/.env-example

@@ -72,6 +72,7 @@
     "multer": "2.0.2",
     "nanoid": "3.3.8",
     "objection": "^3.0.0",
+    "openid-client": "5.4.0",
     "p-limit": "3.1.0",
     "pg": "^8.7.1",
     "pg-query-stream": "4.9.6",
@@ -108,5 +109,5 @@
     "tsconfig-paths": "^4.2.0",
     "type-fest": "4.10.3"
   },
-  "version": "1.49.0"
+  "version": "1.50.0"
 }

packages/backend/package.json

@@ -55,6 +55,11 @@ type AppConfig = {
     database: string
     enableSsl: boolean
   }
+  sso: {
+    clientId: string
+    clientSecret: string
+    discoveryUrl: string
+  }
 }
 
 const port = process.env.PORT || '3000'
@@ -124,6 +129,11 @@ const appConfig: AppConfig = {
     database: process.env.TILES_POSTGRES_DATABASE || 'plumber_tiles_dev',
     enableSsl: process.env.TILES_POSTGRES_ENABLE_SSL === 'true',
   },
+  sso: {
+    clientId: process.env.SSO_CLIENT_ID,
+    clientSecret: process.env.SSO_CLIENT_SECRET,
+    discoveryUrl: process.env.SSO_DISCOVERY_URL,
+  },
 }
 
 if (!appConfig.encryptionKey) {
@@ -151,6 +161,14 @@ if (
   throw new Error('Sgid environment variables need to be set!')
 }
 
+if (
+  !appConfig.sso.clientId ||
+  !appConfig.sso.clientSecret ||
+  !appConfig.sso.discoveryUrl
+) {
+  throw new Error('SSO environment variables need to be set!')
+}
+
 if (!appConfig.launchDarklySdkKey) {
   throw new Error('LAUNCH_DARKLY_SDK_KEY environment variable needs to be set!')
 }

packages/backend/src/config/app.ts

@@ -16,6 +16,7 @@ import generateAuthUrl from './mutations/generate-auth-url'
 import generatePresignedUrl from './mutations/generate-presigned-url'
 import loginWithSelectedSgid from './mutations/login-with-selected-sgid'
 import loginWithSgid from './mutations/login-with-sgid'
+import loginWithSso from './mutations/login-with-sso'
 import logout from './mutations/logout'
 import registerConnection from './mutations/register-connection'
 import requestOtp from './mutations/request-otp'
@@ -76,6 +77,7 @@ export default {
   logout,
   loginWithSgid,
   loginWithSelectedSgid,
+  loginWithSso,
   createFlowTransfer,
   updateFlowTransferStatus,
   duplicateFlow,

packages/backend/src/graphql/mutation-resolvers.ts

@@ -0,0 +1,68 @@
+import {
+  getOrCreateUser,
+  sendOnboardingEmail,
+  setAuthCookie,
+  updateLastLogin,
+} from '@/helpers/auth'
+import { getLdFlagValue } from '@/helpers/launch-darkly'
+import logger from '@/helpers/logger'
+import { ssoClient } from '@/helpers/sso-client'
+
+import type { MutationResolvers } from '../__generated__/types.generated'
+
+const loginWithSso: MutationResolvers['loginWithSso'] = async (
+  _parent,
+  params,
+  context,
+) => {
+  const { authCode, nonce, verifier } = params.input
+
+  const ssoEnabled = await getLdFlagValue<boolean>(
+    'ogp-sso-enabled',
+    null,
+    false,
+  )
+
+  if (!ssoEnabled) {
+    throw new Error('SSO is not enabled')
+  }
+
+  try {
+    const { accessToken, sub } = await ssoClient.callback({
+      code: authCode,
+      nonce,
+      codeVerifier: verifier,
+    })
+    const userInfo = await ssoClient.userinfo({
+      accessToken,
+      sub,
+    })
+
+    if (!userInfo) {
+      throw new Error('Received nullish user info')
+    }
+
+    const userEmail = userInfo.email.toLowerCase().trim()
+
+    // TODO: Remove this once it's public release
+    if (!userEmail.endsWith('@open.gov.sg')) {
+      throw new Error('Only OGP officers are allowed to login with SSO')
+    }
+
+    const user = await getOrCreateUser(userEmail)
+    await sendOnboardingEmail(user)
+    await updateLastLogin(user.id)
+    setAuthCookie(context.res, { userId: user.id, isSso: true })
+  } catch (error) {
+    // Small log event to make it easier to get pulse on sgid error rate.
+    logger.error('SSO: Unable to query user info', {
+      event: 'sso-login-failed-user-info',
+    })
+
+    throw error
+  }
+
+  return true
+}
+
+export default loginWithSso

packages/backend/src/graphql/mutations/login-with-sso.ts

@@ -1,4 +1,4 @@
-import { deleteAuthCookie } from '@/helpers/auth'
+import { deleteAuthCookie, getParsedAuthCookie } from '@/helpers/auth'
 
 import type { MutationResolvers } from '../__generated__/types.generated'
 
@@ -7,8 +7,11 @@ const logout: MutationResolvers['logout'] = async (
   _params,
   context,
 ) => {
+  const { isSso } = getParsedAuthCookie(context.req)
   deleteAuthCookie(context.res)
-  return true
+  return {
+    isSso,
+  }
 }
 
 export default logout

packages/backend/src/graphql/mutations/logout.ts

@@ -91,8 +91,9 @@ type Mutation {
   bulkRetryIterations(
     input: BulkRetryIterationsInput
   ): BulkRetryIterationsResult!
-  logout: Boolean
-  loginWithSgid(input: LoginWithSgidInput!): LoginWithSgidResult!
+  logout: LogoutResult
+  loginWithSgid(input: OidcLoginInput!): LoginWithSgidResult!
+  loginWithSso(input: OidcLoginInput!): Boolean!
   loginWithSelectedSgid(
     input: LoginWithSelectedSgidInput!
   ): LoginWithSelectedSgidResult!
@@ -895,7 +896,7 @@ type SgidPublicOfficerEmployment {
   employmentTitle: String
 }
 
-input LoginWithSgidInput {
+input OidcLoginInput {
   authCode: String!
   nonce: String!
   verifier: String!
@@ -913,6 +914,10 @@ type LoginWithSelectedSgidResult {
   success: Boolean!
 }
 
+type LogoutResult {
+  isSso: Boolean
+}
+
 # End of SGID types
 # Start of flow transfers types
 

packages/backend/src/graphql/schema.graphql

@@ -12,10 +12,12 @@ const AUTH_COOKIE_NAME = 'plumber.sid'
 const TOKEN_EXPIRES_IN_SEC = 3 * 24 * 60 * 60
 const ONBOARDING_EMAIL_RELEASE_DATE = new Date('2025-03-10')
 
-export function setAuthCookie(
-  res: Response,
-  payload: { userId: string },
-): void {
+interface AuthCookiePayload {
+  userId: string
+  isSso?: boolean
+}
+
+export function setAuthCookie(res: Response, payload: AuthCookiePayload): void {
   // create jwt
   const token = jwt.sign(payload, appConfig.sessionSecretKey, {
     expiresIn: TOKEN_EXPIRES_IN_SEC,
@@ -34,6 +36,17 @@ function getAuthCookie(req: Request) {
   return req.cookies[AUTH_COOKIE_NAME]
 }
 
+export function getParsedAuthCookie(req: Request) {
+  const token = getAuthCookie(req)
+  if (!token) {
+    return null
+  }
+  return jwt.verify(token, appConfig.sessionSecretKey) as {
+    userId: string
+    isSso?: boolean
+  }
+}
+
 export async function getLoggedInUser(req: Request): Promise<User | null> {
   const token = getAuthCookie(req)
   if (!token) {