@okta/oidc-middleware - npm Package Compare versions

Comparing version 5.3.0 to 5.4.0

package.json

 {
   "name": "@okta/oidc-middleware",
-  "version": "5.3.0",
+  "version": "5.4.0",
   "description": "OpenId Connect middleware for authorization code flows",
@@ -25,14 +25,12 @@ "repository": "https://github.com/okta/okta-oidc-middleware",
   "dependencies": {
-    "@types/csurf": "^1.11.2",
-    "@types/express": "^4.17.17",
     "@okta/configuration-validation": "^0.4.1",
-    "body-parser": "^1.20.1",
-    "csurf": "^1.11.0",
-    "express": "^4.18.2",
+    "@types/express": "^4.17.21",
+    "csrf-sync": "^4.0.3",
+    "express": "^4.19.2",
     "lodash": "^4.17.21",
-    "negotiator": "^0.6.1",
-    "node-fetch": "^2.6.7",
+    "negotiator": "^0.6.3",
+    "node-fetch": "^2.6.13",
     "openid-client": "^5.6.5",
-    "passport": "^0.6.0",
-    "uuid": "^8.3.2"
+    "passport": "^0.7.0",
+    "uuid": "^9.0.1"
   },
@@ -65,5 +63,5 @@ "devDependencies": {
     "supertest": "^6.3.3",
-    "wdio-wait-for": "^2.2.6",
     "tsd": "^0.25.0",
-    "typescript": "^4.1.5"
+    "typescript": "^4.1.5",
+    "wdio-wait-for": "^2.2.6"
   },
@@ -90,5 +88,5 @@ "resolutions": {
   "okta": {
-    "commitSha": "74911bb75a724d96f409f10678a947d686fed7d7",
-    "fullVersion": "5.3.0-g74911bb"
+    "commitSha": "e7aba942028edb7bda59669130680e7b11a6316a",
+    "fullVersion": "5.4.0-ge7aba94"
   }
 }

src/connectUtil.js

@@ -13,7 +13,7 @@ /*!
 
-const csrf = require('csurf');
+const express = require('express');
+const csrf = require('csrf-sync').csrfSync;
 const passport = require('passport');
 const { Router } = require('express');
 const uuid = require('uuid');
-const bodyParser = require('body-parser');
 const logout = require('./logout');
@@ -36,3 +36,3 @@ const OIDCMiddlewareError = require('./OIDCMiddlewareError');
   oidcRouter.use(loginCallbackPath, connectUtil.createLoginCallbackHandler(context));
-  oidcRouter.use(loginPath, bodyParser.urlencoded({ extended: false}), connectUtil.createLoginHandler(context));
+  oidcRouter.use(loginPath, express.urlencoded({ extended: false}), connectUtil.createLoginHandler(context));
   oidcRouter.post(logoutPath, connectUtil.createLogoutHandler(context));
@@ -49,3 +49,19 @@
 connectUtil.createLoginHandler = context => {
-  const csrfProtection = csrf();
+  const { csrfSynchronisedProtection: csrfProtection } = csrf({
+    getTokenFromRequest: (req) => {
+      // https://www.npmjs.com/package/csurf#value (parity with csurf)
+      if (req.body._csrf) {
+        return req.body._csrf;
+      }
+      if (req.query._csrf) {
+        return req.query._csrf;
+      }
+      const headers = ['csrf-token', 'xsrf-token', 'x-csrf-token', 'x-csrf-token'];
+      for (const h of headers) {
+        if (req.headers[h]) {
+          return req.headers[h];
+        }
+      }
+    }
+  });
   const ALLOWED_OPTIONS = ['login_hint'];
@@ -52,0 +68,0 @@

No alert changes

Improved metrics

Total package byte prevSize

56937

increased by0.76%

Dependency count

10

decreased by-16.67%

Lines of code

547

increased by3.01%

Dependency changes

• + Addedcsrf-sync@^4.0.3

• + Addedcsrf-sync@4.0.3(transitive)

• + Addedpassport@0.7.0(transitive)

• + Addeduuid@9.0.1(transitive)

• - Removed@types/csurf@^1.11.2

• - Removedbody-parser@^1.20.1

• - Removedcsurf@^1.11.0

• - Removed@types/csurf@1.11.5(transitive)

• - Removed@types/express-serve-static-core@5.0.5(transitive)

• - Removedcookie@0.4.0(transitive)

• - Removedcsrf@3.1.0(transitive)

• - Removedcsurf@1.11.0(transitive)

• - Removeddepd@1.1.2(transitive)

• - Removedhttp-errors@1.7.3(transitive)

• - Removedpassport@0.6.0(transitive)

• - Removedrandom-bytes@1.0.0(transitive)

• - Removedrndm@1.2.0(transitive)

• - Removedsetprototypeof@1.1.1(transitive)

• - Removedstatuses@1.5.0(transitive)

• - Removedtoidentifier@1.0.0(transitive)

• - Removedtsscmp@1.0.6(transitive)

• - Removeduid-safe@2.1.5(transitive)

• - Removeduuid@8.3.2(transitive)

• Updated@types/express@^4.17.21

• Updatedexpress@^4.19.2

• Updatednegotiator@^0.6.3

• Updatednode-fetch@^2.6.13

• Updatedpassport@^0.7.0

• Updateduuid@^9.0.1