feat: hash email and send it as a sub (#444)

* feat: hash email and send it as a sub

* fix: remove legacy localdev terraform folder

* fix: use a new claim to hold otp guid and use email as sub

Author: NithinKuruba

.github/workflows/publish-otp-provider-image.yml

@@ -27,6 +27,7 @@ jobs:
           CUSTOM_DOMAIN_NAME=otp-sandbox.loginproxy.gov.bc.ca
           CORS_ORIGINS=https://dev.sandbox.loginproxy.gov.bc.ca,https://test.sandbox.loginproxy.gov.bc.ca,https://sandbox.loginproxy.gov.bc.ca,https://sso-playground.apps.gold.devops.gov.bc.ca
           NODE_ENV=production
+          HASH_SALT=${{ secrets.DEV_HASH_SALT }}
 
           EOF
       - name: Checkout repository
@@ -77,6 +78,7 @@ jobs:
           app_env="${{ env.APP_ENV }}"
           node_env="${{ env.NODE_ENV }}"
           app_url="${{ env.APP_URL }}"
+          hash_salt="${{ env.HASH_SALT }}"
           EOF
 
         working-directory: ./docker/otp-provider/terraform

docker/otp-provider/.env.example

@@ -14,3 +14,4 @@ LOG_LEVEL=info
 COOKIE_SECRETS="s3cr3t1,s3cr3t1,s3cr3t2"
 JWKS=
 CORS_ORIGINS=*
+HASH_SALT=

docker/otp-provider/src/config.ts

@@ -20,4 +20,5 @@ export const config = {
   JWKS: process.env.JWKS ? JSON.parse(process.env.JWKS) : {},
   CORS_ORIGINS: process.env.CORS_ORIGINS || '',
   DB_CLEANUP_CRON: process.env.DB_CLEANUP_CRON || '0 1 * * *',
+  HASH_SALT: process.env.HASH_SALT || '',
 };

docker/otp-provider/src/mailer.ts

@@ -43,7 +43,7 @@ const fetchChesToken = async () => {
   }
 };
 
-export const sendEmail = async ({ from = 'bcgov.sso@gov.bc.ca', to, body, ...rest }: EmailOptions) => {
+export const sendEmail = async ({ from = 'no-reply-sso@gov.bc.ca', to, body, ...rest }: EmailOptions) => {
   try {
     const [accessToken, error] = await fetchChesToken();
     if (error) {

docker/otp-provider/src/server.ts

@@ -13,7 +13,7 @@ import { createMigrator } from './modules/sequelize/umzug';
 import logger from './modules/winston.config';
 import SequelizeAdapter from './modules/sequelize/adapter';
 import Keygrip from 'keygrip';
-import { isOrigin } from './utils/helpers';
+import { isOrigin, hashEmail } from './utils/helpers';
 import * as crypto from 'crypto';
 import cron from 'node-cron';
 import { cleanupTables } from './modules/cron/cleanup';
@@ -70,6 +70,10 @@ app.disable('x-powered-by');
 const corsProp = 'allowedCorsOrigins';
 
 const clientsConfig: Configuration = {
+  claims: {
+    openid: ['sub', 'otp_guid'],
+    email: ['sub', 'otp_guid', 'email'],
+  },
   pkce: {
     required: (ctx, client) => {
       // Require PKCE for all clients except those using 'none' client authentication
@@ -86,6 +90,7 @@ const clientsConfig: Configuration = {
     return true;
   },
   features: {
+    claimsParameter: { enabled: true },
     revocation: { enabled: true },
     devInteractions: { enabled: false },
     introspection: { enabled: true },
@@ -165,12 +170,14 @@ const clientsConfig: Configuration = {
     InitialAccessToken: 300, // 5 minutes
     RegistrationAccessToken: 300, // 5 minutes
   },
-  findAccount: async (ctx, incomingEmail) => {
+  findAccount: async (ctx, sub) => {
     return {
-      accountId: incomingEmail,
+      accountId: sub,
       async claims() {
         return {
-          sub: incomingEmail,
+          sub,
+          otp_guid: hashEmail(sub),
+          email: sub,
         };
       },
     };

docker/otp-provider/src/utils/helpers.ts

@@ -1,4 +1,7 @@
 import * as crypto from 'crypto';
+import { config } from '../config';
+
+const { HASH_SALT } = config;
 
 export const generateOtpWithExpiry = () => {
   const otp = crypto.getRandomValues(new Uint32Array(1))[0].toString().slice(-6);
@@ -17,3 +20,9 @@ export const isOtpValid = (otp: string, expiresAt: Date): boolean => {
 export const isOrigin = (value: string) => {
   return typeof value === 'string' && URL.parse(value)?.origin === value;
 };
+
+export const hashEmail = (email: string) => {
+  const salt = Buffer.from(HASH_SALT);
+  const combined = Buffer.concat([Buffer.from(email, 'utf8'), salt]);
+  return crypto.createHash('sha256').update(combined).digest('hex');
+};

docker/otp-provider/terraform/.terraform.lock.hcl

@@ -137,6 +137,10 @@ resource "aws_ecs_task_definition" "this" {
         {
           name  = "DB_CLEANUP_CRON",
           value = var.db_cleanup_cron
+        },
+        {
+          name  = "HASH_SALT",
+          value = var.hash_salt
         }
       ]
       secrets = [

docker/otp-provider/terraform/ecs.tf

@@ -155,3 +155,9 @@ variable "db_cleanup_cron" {
   type        = string
   default     = "0 1 * * *"
 }
+
+variable "hash_salt" {
+  description = "Salt used for hashing email"
+  type        = string
+  default     = ""
+}