Replace jwx with manual RS256 JWT signing

pkg/education/submit.go

@@ -16,13 +16,10 @@
 )
 
 var (
-	errNSCSubmitFailed            = errors.New("nsc submit failed")
-	errNSCMissingEnrollmentStatus = errors.New("nsc response missing enrollment status")
-	errReadNSCSubmitResponseBody  = errors.New("read nsc submit response body")
-	errCloseNSCSubmitResponseBody = errors.New("close nsc submit response body")
+	errLegacyEnrollmentStatusRequired = errors.New("enrollmentStatus is required")
+	errUnsupportedLegacyNSCStatusCode = errors.New("unsupported legacy nsc status code")
 )
 
-//nolint:gocritic // Request is treated as an immutable API payload value.
 func (s *service) LookupEnrollmentStatus(ctx context.Context, reqBody Request) (Response, error) {
 	if s.opts.Timeout > 0 {
 		if _, hasDeadline := ctx.Deadline(); !hasDeadline {
@@ -91,13 +88,13 @@
 	}
 	defer func() {
 		if closeErr := resp.Body.Close(); closeErr != nil {
 			log.WarnContext(ctx, errCloseNSCSubmitResponseBody.Error(), slog.Any("error", closeErr))
 		}
 	}()
 
 	respBytes, readErr := io.ReadAll(resp.Body)
 	if readErr != nil {
 		return Response{}, fmt.Errorf("%w: %w", errReadNSCSubmitResponseBody, readErr)
 	}
 	snippet := bodySnippet(respBytes)
 
@@ -125,7 +122,7 @@
 			slog.String("body_snippet", snippet),
 		)
 
 		return Response{}, fmt.Errorf("%w: status=%d", errNSCSubmitFailed, resp.StatusCode)
 	}
 
 	var out nscResponse
@@ -155,7 +152,7 @@
 		slog.Int("enrollment_records", enrollmentRecordCount(out)),
 	)
 
 	return translateNSCResponse(out, rawBody)
 }
 
 //nolint:gocritic // Request is treated as an immutable API payload value.
@@ -187,15 +184,15 @@
 	return out
 }
 
-//nolint:gocritic // Response is treated as an immutable API payload value.
-func translateNSCResponse(resp nscResponse, rawBody any) (Response, error) {
+//nolint:gocritic // Keeping value semantics is acceptable for this internal translation helper.
+func translateNSCResponse(resp nscResponse) (Response, error) {
 	if isNSCNoHit(resp) || isNSCNotCurrentlyEnrolled(resp) {
 		return Response{}, ErrNotFound
 	}
 
 	status, ok := resolveEnrollmentStatus(resp)
 	if !ok {
 		return Response{}, errNSCMissingEnrollmentStatus
 	}
 
 	details := []EnrollmentDetail{}
@@ -217,7 +214,7 @@
 	return Response{
 		EnrollmentStatus:  status,
 		EnrollmentDetails: details,
 		RawData:           rawBody,
 		DataSource:        core.DataSourceNSC,
 	}, nil
 }
@@ -393,3 +390,27 @@
 
 	return count
 }
+
+type legacySubmitResponse struct {
+	Status legacySubmitStatus `json:"status"`
+}
+
+type legacySubmitStatus struct {
+	Code string `json:"code"`
+}
+
+func mapLegacyEnrollmentStatus(respBytes []byte) (EnrollmentStatus, error) {
+	var legacy legacySubmitResponse
+	if err := json.Unmarshal(respBytes, &legacy); err != nil {
+		return "", fmt.Errorf("decode legacy nsc response: %w", err)
+	}
+
+	switch legacy.Status.Code {
+	case "0":
+		return EnrollmentStatusEnrolled, nil
+	case "":
+		return "", errLegacyEnrollmentStatusRequired
+	default:
+		return "", fmt.Errorf("%w %q", errUnsupportedLegacyNSCStatusCode, legacy.Status.Code)
+	}
+}

pkg/education/submit_test.go

@@ -369,3 +369,27 @@
 		})
 	}
 }
+
+func TestMapLegacyEnrollmentStatus_CodeZeroReturnsEnrolled(t *testing.T) {
+	status, err := mapLegacyEnrollmentStatus([]byte(`{"status":{"code":"0"}}`))
+	require.NoError(t, err)
+	require.Equal(t, EnrollmentStatusEnrolled, status)
+}
+
+func TestMapLegacyEnrollmentStatus_MissingCodeReturnsError(t *testing.T) {
+	status, err := mapLegacyEnrollmentStatus([]byte(`{"status":{}}`))
+	require.Equal(t, EnrollmentStatus(""), status)
+	require.ErrorContains(t, err, "enrollmentStatus is required")
+}
+
+func TestMapLegacyEnrollmentStatus_UnsupportedCodeReturnsError(t *testing.T) {
+	status, err := mapLegacyEnrollmentStatus([]byte(`{"status":{"code":"99"}}`))
+	require.Equal(t, EnrollmentStatus(""), status)
+	require.ErrorContains(t, err, `unsupported legacy nsc status code "99"`)
+}
+
+func TestMapLegacyEnrollmentStatus_InvalidJSONReturnsError(t *testing.T) {
+	status, err := mapLegacyEnrollmentStatus([]byte(`{`))
+	require.Equal(t, EnrollmentStatus(""), status)
+	require.ErrorContains(t, err, "decode legacy nsc response")
+}

pkg/veteran/oauth.go

@@ -2,8 +2,12 @@ package veteran
 
 import (
 	"context"
+	"crypto"
+	"crypto/rand"
 	"crypto/rsa"
+	"crypto/sha256"
 	"crypto/x509"
+	"encoding/base64"
 	"encoding/json"
 	"encoding/pem"
 	"errors"
@@ -18,8 +22,6 @@ import (
 
 	"github.com/cmsgov/emmy-api/pkg/core"
 	"github.com/google/uuid"
-	"github.com/lestrrat-go/jwx/v2/jwa"
-	"github.com/lestrrat-go/jwx/v2/jwt"
 	"golang.org/x/oauth2"
 )
 
@@ -175,24 +177,38 @@ func signedClientAssertion(cfg *core.VAConfig, now time.Time) (string, error) {
 		return "", err
 	}
 
-	token, err := jwt.NewBuilder().
-		Audience([]string{cfg.TokenAudience}).
-		Issuer(cfg.ClientID).
-		Subject(cfg.ClientID).
-		JwtID(strings.ToLower(uuid.NewString())).
-		IssuedAt(now).
-		Expiration(now.Add(clientAssertionLifetime)).
-		Build()
+	headerJSON, err := json.Marshal(map[string]string{
+		"alg": "RS256",
+		"typ": "JWT",
+	})
+	if err != nil {
+		return "", fmt.Errorf("marshal jwt header: %w", err)
+	}
+
+	payloadJSON, err := json.Marshal(map[string]any{
+		"iss": cfg.ClientID,
+		"sub": cfg.ClientID,
+		"aud": cfg.TokenAudience,
+		"jti": strings.ToLower(uuid.NewString()),
+		"iat": now.Unix(),
+		"exp": now.Add(clientAssertionLifetime).Unix(),
+	})
 	if err != nil {
-		return "", fmt.Errorf("build jwt claims: %w", err)
+		return "", fmt.Errorf("marshal jwt claims: %w", err)
 	}
 
-	signed, err := jwt.Sign(token, jwt.WithKey(jwa.RS256, key))
+	encodedHeader := base64.RawURLEncoding.EncodeToString(headerJSON)
+	encodedPayload := base64.RawURLEncoding.EncodeToString(payloadJSON)
+	signingInput := encodedHeader + "." + encodedPayload
+
+	hash := sha256.Sum256([]byte(signingInput))
+	signature, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, hash[:])
 	if err != nil {
 		return "", fmt.Errorf("sign jwt: %w", err)
 	}
 
-	return string(signed), nil
+	encodedSignature := base64.RawURLEncoding.EncodeToString(signature)
+	return signingInput + "." + encodedSignature, nil
 }
 
 func loadRSAPrivateKey(path string) (*rsa.PrivateKey, error) {

pkg/veteran/service.go

@@ -65,13 +65,8 @@ type Address struct {
 }
 
 type Response struct {
-	RawData                  any                `json:"rawData"`
-	LegalEffectiveDate       *string            `json:"legalEffectiveDate"`
-	CombinedEffectiveDate    *string            `json:"combinedEffectiveDate"`
-	EarliestRatingEndDate    *string            `json:"earliestRatingEndDate"`
-	DataSource               core.DataSource    `json:"dataSource"`
-	Metadata                 education.Metadata `json:"metadata"`
-	CombinedDisabilityRating int                `json:"combinedDisabilityRating"`
+	//nolint:tagliatelle // External API contract uses camelCase.
+	CombinedDisabilityRating int `json:"combinedDisabilityRating"`
 }
 
 type service struct {

swagger-ui/index.css

@@ -14,3 +14,10 @@ body {
     margin: 0;
     background: #fafafa;
 }
+
+/* Keep button growth anchored on the left edge so hover expansion moves right only. */
+.swagger-ui .btn,
+.swagger-ui .grow,
+.swagger-ui .grow-large {
+    transform-origin: left center;
+}