18941 Deploy dev into stage

.gitleaksignore

@@ -1,4 +1 @@
 /src/packages/connectors/connector-saml/README.md:private-key:101
-/src/packages/cli/src/commands/database/ogcio/ogcio-seeder-local.json:generic-api-key:37
-/src/packages/cli/src/commands/database/ogcio/ogcio-seeder-local.json:generic-api-key:46
-/src/packages/cli/src/commands/database/ogcio/ogcio-seeder-local.json:generic-api-key:157

.gitpod.yml

@@ -38,7 +38,8 @@ ports:
     port: 5432
     visibility: public
     onOpen: ignore
-  - port: 5001
+    # OGCIO - formsie port collision fixed
+  - port: 7001
     onOpen: ignore
   - port: 5002
     onOpen: ignore

README.OGCIO.md

@@ -113,3 +113,17 @@ This command can take a parameter to specify the input data file, called `seeder
 Usage: `npm run cli db ogcio -- --seeder-filepath="DATA_FILE_PATH"`
 
 To seed the default data for local dev environments, run `npm run cli db ogcio -- --seeder-filepath="./packages/cli/src/commands/database/ogcio/ogcio-seeder-local.json"`.
+
+### Limitations
+
+In most cases, we have predefined IDs in our seeder to ensure the same database structure, even if the database was cleared and re-seeded. Logto IDs are simple text fields (no UUID or other validations are applied) with a maximum length of 21 characters. Do not use IDs longer than 21 characters; otherwise, the seeder will fail with a database error!
+
+Be careful when defining a new ID because data duplication is avoided based on this field. If you later want to change the ID of any of your entries, the seeder won't be able to detect the existence of the affected entry, and it will try to create a new one. Creating a duplicate entry with a different ID can cause a database error if some other fields have a unique constraint. If this is not the case, a duplicate entry will be created, which is also a mistake, and we want to avoid any of these situations. Once you have defined an ID, do not change it if unnecessary.
+
+Using resources other than those declared in the seeder's data file is also impossible because referencing any resource outside of the seeder's scope is not supported. The seeder is supposed to create all the required resources and use them to seed the custom configuration into the database.
+
+### Edge cases
+
+Some changes might affect other entries from the database, like the user entities. In this case, a custom migration script is required to resolve the changes necessary to the affected entries. Before any change in the seeder data, analyse the situation to determine if it is safe to perform. The seeder is not intended to resolve conflicts or update other data than the configuration it seeds.
+
+Deletion of existing seeded data via the seeder is not yet possible. Only the permissions (scopes) will be removed and recreated every time the seeder is executed because that is safe and does not cause conflicts with other entries. A custom script or manual action is required for any other data that must be eliminated.

mygovid-mock-service/.eslintrc.json

@@ -0,0 +1,21 @@
+{
+  "parser": "@typescript-eslint/parser",
+  "extends": [
+    "plugin:@typescript-eslint/recommended",
+    "plugin:prettier/recommended",
+    "eslint:recommended"
+  ],
+  "parserOptions": {
+    "ecmaVersion": 2020,
+    "sourceType": "module"
+  },
+  "rules": {
+    "no-redeclare": "off",
+    "no-unused-vars": "off"
+  },
+  "env": {
+    "browser": true,
+    "node": true
+  },
+  "ignorePatterns": ["dist"]
+}

mygovid-mock-service/.gitignore

@@ -0,0 +1,2 @@
+node_modules
+.tap

mygovid-mock-service/package.json

@@ -0,0 +1,44 @@
+{
+  "name": "mygovid-mock-service",
+  "version": "1.0.0",
+  "description": "",
+  "main": "dist/index.js",
+  "scripts": {
+    "test": "TAP_RCFILE=tap.yml tap",
+    "start": "node dist/index.js",
+    "dev": "nodemon | pino-pretty",
+    "lint": "eslint . --ext .ts",
+    "build": "echo Build script for the MyGovId mock service not needed so far"
+  },
+  "nodemonConfig": {
+    "ext": "ts,json",
+    "exec": "node --import tsx src/index.ts"
+  },
+  "type": "module",
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "@fastify/cookie": "^9.3.1",
+    "@fastify/formbody": "^7.4.0",
+    "@fastify/sensible": "^5.5.0",
+    "@fastify/type-provider-typebox": "^4.0.0",
+    "@sinclair/typebox": "^0.32.16",
+    "fastify": "^4.26.2",
+    "fastify-plugin": "^4.5.1",
+    "jose": "^5.2.4"
+  },
+  "devDependencies": {
+    "@types/node": "^20.11.28",
+    "@typescript-eslint/eslint-plugin": "^7.5.0",
+    "@typescript-eslint/parser": "^7.5.0",
+    "eslint": "^8.57.0",
+    "eslint-config-prettier": "^9.1.0",
+    "eslint-plugin-prettier": "^5.1.3",
+    "pino-pretty": "^11.0.0",
+    "prettier": "^3.2.5",
+    "tap": "^18.8.0",
+    "ts-node": "^10.9.2",
+    "tsx": "^4.7.1",
+    "typescript": "^5.4.2"
+  }
+}

mygovid-mock-service/src/app.ts

@@ -0,0 +1,21 @@
+import fastify, { FastifyServerOptions } from "fastify";
+import routes from "./routes/index.js";
+import { TypeBoxTypeProvider } from "@fastify/type-provider-typebox";
+import sensible from "@fastify/sensible";
+
+export async function build(opts?: FastifyServerOptions) {
+  const app = fastify(opts).withTypeProvider<TypeBoxTypeProvider>();
+
+  app.register(import("@fastify/cookie"), {
+    hook: "onRequest", // set to false to disable cookie autoparsing or set autoparsing on any of the following hooks: 'onRequest', 'preParsing', 'preHandler', 'preValidation'. default: 'onRequest'
+    parseOptions: {}, // options for parsing cookies
+  });
+
+  app.register(import("@fastify/formbody"));
+
+  app.register(routes);
+
+  app.register(sensible);
+
+  return app;
+}

mygovid-mock-service/src/index.ts

@@ -0,0 +1,13 @@
+import { build } from "./app.js";
+
+const app = await build();
+
+app.listen({ host: "0.0.0.0", port: 4005 }, (err, address) => {
+  if (err) {
+    console.error(err);
+    process.exit(1);
+  }
+  console.log(`MyGovId Mock Service listening at ${address}`);
+});
+
+await app.ready();

mygovid-mock-service/src/routes/healthcheck.ts

@@ -0,0 +1,6 @@
+import { FastifyInstance } from "fastify";
+export default async function healthCheck(app: FastifyInstance) {
+  app.get("/health", async () => {
+    return { status: "ok" };
+  });
+}

mygovid-mock-service/src/routes/index.ts

@@ -0,0 +1,8 @@
+import { FastifyInstance } from "fastify";
+import healthCheck from "./healthcheck.js";
+import logto from "./logto/index.js";
+
+export default async function routes(app: FastifyInstance) {
+  app.register(healthCheck);
+  app.register(logto, { prefix: "/logto/mock" });
+}

mygovid-mock-service/src/routes/logto/index.ts

@@ -0,0 +1,186 @@
+import { FastifyInstance } from "fastify";
+import fs from "fs";
+import path, { dirname } from "path";
+import { exportJWK } from "jose";
+import { fileURLToPath } from "url";
+import { Type } from "@sinclair/typebox";
+import {
+  createMockSignedJwt,
+  getPublicKey,
+  streamToString,
+} from "./utils/index.js";
+import { HttpError } from "../../types/httpErrors.js";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+export default async function login(app: FastifyInstance) {
+  app.get<{
+    Querystring: {
+      response_type: string;
+      client_id: string;
+      redirect_uri: string;
+      state: string;
+      nonce: string;
+      scope: string;
+    };
+  }>(
+    "/auth",
+    {
+      schema: {
+        tags: ["Mock"],
+        querystring: {
+          response_type: Type.String(),
+          client_id: Type.String(),
+          redirect_uri: Type.String(),
+          state: Type.String(),
+          nonce: Type.String(),
+          scope: Type.String(),
+        },
+        response: { 200: Type.String(), 500: HttpError },
+      },
+    },
+    async (request, reply) => {
+      const { redirect_uri, state } = request.query;
+
+      const stream = fs.createReadStream(
+        path.join(__dirname, "..", "static", "mock-login.html")
+      );
+
+      const result = (await streamToString(stream))
+        .replace("%REDIRECT_URL%", redirect_uri)
+        .replace("%STATE%", state);
+      return reply.type("text/html").send(result);
+    }
+  );
+
+  app.post<{
+    Body: {
+      password: string;
+      firstName: string;
+      lastName: string;
+      email: string;
+      redirect_url: string;
+      state: string;
+    };
+  }>("/login", async (request, reply) => {
+    const { password, firstName, lastName, email, redirect_url, state } =
+      request.body;
+
+    if (password !== "123")
+      reply.redirect(
+        `/logto/mock/auth?redirect_uri=${redirect_url}&state=${state}`
+      );
+
+    const id_token = await createMockSignedJwt(
+      { firstName, lastName, email },
+      request.headers.origin as unknown as string
+    );
+
+    return reply.redirect(`${redirect_url}?code=${id_token}&state=${state}`);
+  });
+
+  app.post<{
+    Body: {
+      code: string;
+      grant_type: string;
+      redirect_uri: string;
+      client_id: string;
+      client_secret: string;
+    };
+    Reply: {
+      id_token: string;
+      access_token: string;
+      token_type: string;
+      not_before: number;
+      expires_in: number;
+      expires_on: number;
+      id_token_expires_in: number;
+      profile_info: string;
+      scope: string;
+    };
+  }>(
+    "/token",
+    {
+      schema: {
+        tags: ["Mock"],
+        body: Type.Object({
+          code: Type.String(),
+          grant_type: Type.String(),
+          redirect_uri: Type.String(),
+          client_id: Type.String(),
+          client_secret: Type.String(),
+        }),
+        response: {
+          200: Type.Object({
+            id_token: Type.String(),
+            access_token: Type.String(),
+            token_type: Type.String(),
+            not_before: Type.Number(),
+            expires_in: Type.Number(),
+            expires_on: Type.Number(),
+            id_token_expires_in: Type.Number(),
+            profile_info: Type.String(),
+            scope: Type.String(),
+          }),
+          500: HttpError,
+        },
+      },
+    },
+    async (request, _) => {
+      const id_token = request.body.code;
+      return {
+        id_token,
+        access_token: id_token,
+        token_type: "Bearer",
+        not_before: Date.now() - 5000,
+        expires_in: 1800,
+        expires_on: Date.now() - 5000 + 1800,
+        id_token_expires_in: 1800,
+        profile_info:
+          "eyJ2ZXIiOiIxLjAiLCJ0aWQiOiI4OTc5MmE2ZC0xZWE0LTQxMjYtOTRkZi1hNzFkMjkyZGViYzciLCJzdWIiOm51bGwsIm5hbWUiOm51bGwsInByZWZlcnJlZF91c2VybmFtZSI6bnVsbCwiaWRwIjpudWxsfQ",
+        scope: "openid",
+      };
+    }
+  );
+
+  app.get<{
+    Reply: {
+      keys: {
+        kid: string;
+        use: string;
+        kty?: string;
+        n?: string;
+        e?: string;
+      }[];
+    };
+  }>(
+    "/keys",
+    {
+      schema: {
+        tags: ["Mock"],
+        response: {
+          200: Type.Object({
+            keys: Type.Array(
+              Type.Object({
+                kid: Type.String(),
+                use: Type.String(),
+                kty: Type.Optional(Type.String()),
+                n: Type.Optional(Type.String()),
+                e: Type.Optional(Type.String()),
+              })
+            ),
+          }),
+          500: HttpError,
+        },
+      },
+    },
+    async (request, reply) => {
+      const publicKey = await getPublicKey();
+      const { kty, n, e } = await exportJWK(publicKey);
+
+      return {
+        keys: [{ kid: "signingkey.mygovid.v1", use: "sig", kty, n, e }],
+      };
+    }
+  );
+}