express-openid-connect - npm Package Compare versions

Comparing version 2.9.0 to 2.10.0

index.d.ts

@@ -205,3 +205,3 @@ // Type definitions for express-openid-connect
   /**
-   *  URL to return to after login, overrides the Default is {@link Request.originalUrl}
+   *  URL to return to after login, overrides the Default is {@link express!Request.originalUrl Request.originalUrl}
    */
@@ -221,3 +221,3 @@ returnTo?: string;
   /**
-   *  URL to returnTo after logout, overrides the Default in {@link ConfigParams.routes.postLogoutRedirect routes.postLogoutRedirect}
+   *  URL to returnTo after logout, overrides the Default in {@link ConfigParams.routes routes.postLogoutRedirect}
    */
@@ -482,3 +482,3 @@ returnTo?: string;
    */
-  transactionCookie?: Pick<CookieConfigParams, 'sameSite'>;
+  transactionCookie?: Pick<CookieConfigParams, 'sameSite'> & { name?: string };
 
@@ -639,5 +639,9 @@ /**
    * at [genid](https://github.com/expressjs/session/blob/master/README.md#genid).
-   * If encrypted cookie storage is used or no value is provided, a default implementation is used.
-   * Be aware the default implmentation is  slightly different in this library as compared to the
-   * default session id generation used express-session.
+   *
+   * Be aware the default implementation is slightly different in this library as
+   * compared to the default session id generation used in express-session.
+   *
+   * **IMPORTANT** If you override this method you must use a suitable
+   * cryptographically strong random value of sufficient size to prevent collisions
+   * and reduce the ability to hijack a session by guessing the session ID.
    */
@@ -644,0 +648,0 @@ genid?: (req: OpenidRequest) => string;

lib/config.js

@@ -88,2 +88,3 @@ const Joi = require('joi');
       .default(Joi.ref('...session.cookie.sameSite')),
+    name: Joi.string().optional().default('auth_verification'),
   })
@@ -90,0 +91,0 @@ .default()

lib/context.js

@@ -61,9 +61,4 @@ const cb = require('cb');
   if (!('value' in cachedTokenSet)) {
-    const {
-      id_token,
-      access_token,
-      refresh_token,
-      token_type,
-      expires_at,
-    } = session;
+    const { id_token, access_token, refresh_token, token_type, expires_at } =
+      session;
     cachedTokenSet.value = new TokenSet({
@@ -219,5 +214,4 @@ id_token,
 
-      const usePKCE = options.authorizationParams.response_type.includes(
-        'code'
-      );
+      const usePKCE =
+        options.authorizationParams.response_type.includes('code');
       if (usePKCE) {
@@ -263,3 +257,3 @@ debug(
 
-      transient.store('auth_verification', req, res, {
+      transient.store(config.transactionCookie.name, req, res, {
         sameSite:
@@ -266,0 +260,0 @@ options.authorizationParams.response_mode === 'form_post'

middleware/auth.js

@@ -92,3 +92,3 @@ const express = require('express');
             const authVerification = transient.getOnce(
-              'auth_verification',
+              config.transactionCookie.name,
               req,
@@ -95,0 +95,0 @@ res

package.json

 {
   "name": "express-openid-connect",
-  "version": "2.9.0",
+  "version": "2.10.0",
   "description": "Express middleware to protect web applications using OpenID Connect.",
@@ -35,3 +35,3 @@ "homepage": "https://github.com/auth0/express-openid-connect",
     "http-errors": "^1.8.1",
-    "joi": "^17.6.1",
+    "joi": "^17.6.3",
     "jose": "^2.0.6",
@@ -51,3 +51,3 @@ "on-headers": "^1.0.2",
     "eslint": "^5.16.0",
-    "express": "^4.17.1",
+    "express": "^4.18.2",
     "express-oauth2-jwt-bearer": "^1.1.0",
@@ -63,3 +63,3 @@ "husky": "^4.2.5",
     "pretty-quick": "^2.0.1",
-    "puppeteer": "^5.5.0",
+    "puppeteer": "^19.1.0",
     "redis-mock": "^0.56.3",
@@ -69,4 +69,4 @@ "request": "^2.88.2",
     "sinon": "^7.5.0",
-    "typedoc": "^0.17.8",
-    "typescript": "^3.9.6"
+    "typedoc": "^0.23.18",
+    "typescript": "^4.8.4"
   },
@@ -73,0 +73,0 @@ "peerDependencies": {

README.md

@@ -1,34 +0,29 @@
-# Express OpenID Connect
+![Express JS middleware implementing sign on for Express web apps using OpenID Connect.](https://cdn.auth0.com/website/sdks/banner/express-openid-connect-banner.png)
 
-Express JS middleware implementing sign on for Express web apps using OpenID Connect.
+![Release](https://img.shields.io/npm/v/express-openid-connect)
+[![Codecov](https://img.shields.io/codecov/c/github/auth0/express-openid-connect)](https://codecov.io/gh/auth0/express-openid-connect)
+![Downloads](https://img.shields.io/npm/dw/express-openid-connect)
+[![License](https://img.shields.io/:license-mit-blue.svg?style=flat)](https://opensource.org/licenses/MIT)
+![CircleCI](https://img.shields.io/circleci/build/github/auth0/express-openid-connect)
 
-[![CircleCI](https://img.shields.io/circleci/build/github/auth0/express-openid-connect/master?style=flat-square)](https://circleci.com/gh/auth0/express-openid-connect/tree/master)
-[![codecov](https://img.shields.io/codecov/c/github/auth0/express-openid-connect?style=flat-square)](https://codecov.io/gh/auth0/express-openid-connect)
-[![NPM version](https://img.shields.io/npm/v/express-openid-connect.svg?style=flat-square)](https://npmjs.org/package/express-openid-connect)
-[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauth0%2Fexpress-openid-connect.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauth0%2Fexpress-openid-connect?ref=badge_shield)
+📚 [Documentation](#documentation) - 🚀 [Getting Started](#getting-started) - 💻 [API Reference](#api-reference) - 💬 [Feedback](#feedback)
 
-## Table of Contents
+## Documentation
 
-- [Documentation](#documentation)
-- [Install](#install)
-- [Getting Started](#getting-started)
-- [Architecture](./ARCHITECTURE.md)
-- [Contributing](#contributing)
-- [Troubleshooting](./TROUBLESHOOTING.md)
-- [FAQs](./FAQ.md)
-- [Support + Feedback](#support--feedback)
-- [Vulnerability Reporting](#vulnerability-reporting)
-- [What is Auth0](#what-is-auth0)
-- [License](#license)
+- [Quickstart](https://auth0.com/docs/quickstart/webapp/express) - our guide for quickly adding Auth0 to your Express app.
+- [Sample](https://github.com/auth0-samples/auth0-express-webapp-sample/tree/master/01-Login) - an Express app integrated with Auth0.
+- [FAQs](https://github.com/auth0/express-openid-connect/blob/master/FAQ.md) - Frequently asked questions about express-openid-connect.
+- [Docs Site](https://auth0.com/docs) - explore our docs site and learn more about Auth0.
 
-## Documentation
+## Getting Started
 
-- Our [Express Quickstart](https://auth0.com/docs/quickstart/webapp/express) is the quickest way to get up and running from scratch.
-- Use the [Examples for common configurations](https://github.com/auth0/express-openid-connect/blob/master/EXAMPLES.md) for use cases beyond the basics.
-- The [API documentation](https://auth0.github.io/express-openid-connect) details all configuration options, methods, and data that this library provides.
-- You can [run the sample application](https://github.com/auth0-samples/auth0-express-webapp-sample/tree/master) to see how this SDK functions without writing your own integration.
+### Requirements
 
+This library supports the following tooling versions:
+
+- Node.js `^10.19.0 || >=12.0.0`
+
 ## Install
 
-Node.js version **>=12.0.0** is recommended, but **^10.19.0** lts/dubnium is also supported.
+Using [npm](https://npmjs.org) in your project directory, run the following command:
 
@@ -43,4 +38,26 @@ ```bash
 
-The library needs [issuerBaseURL](https://auth0.github.io/express-openid-connect/interfaces/configparams.html#issuerbaseurl), [baseURL](https://auth0.github.io/express-openid-connect/interfaces/configparams.html#baseurl), [clientID](https://auth0.github.io/express-openid-connect/interfaces/configparams.html#clientid) and [secret](https://auth0.github.io/express-openid-connect/interfaces/configparams.html#secret) to request and accept authentication. These can be configured with environmental variables:
+### Configure Auth0
 
+Create a **Regular Web Application** in the [Auth0 Dashboard](https://manage.auth0.com/#/applications).
+
+> **If you're using an existing application**, verify that you have configured the following settings in your Regular Web Application:
+>
+> - Click on the "Settings" tab of your application's page.
+> - Ensure that "Token Endpoint Authentication Method" under "Application Properties" is set to "None"
+> - Scroll down and click on the "Show Advanced Settings" link.
+> - Under "Advanced Settings", click on the "OAuth" tab.
+> - Ensure that "JsonWebToken Signature Algorithm" is set to `RS256` and that "OIDC Conformant" is enabled.
+>   Next, configure the following URLs for your application under the "Application URIs" section of the "Settings" page:
+
+- **Allowed Callback URLs**: `http://localhost:3000`
+- **Allowed Logout URLs**: `http://localhost:3000`
+
+> These URLs should reflect the origins that your application is running on. **Allowed Callback URLs** may also include a path, depending on where you're handling the callback (see below).
+
+Take note of the **Client ID** and **Domain** values under the "Basic Information" section. You'll need these values in the next step.
+
+### Configuring the SDK
+
+The library needs [issuerBaseURL](https://auth0.github.io/express-openid-connect/interfaces/ConfigParams.html#issuerbaseurl), [baseURL](https://auth0.github.io/express-openid-connect/interfaces/ConfigParams.html#baseurl), [clientID](https://auth0.github.io/express-openid-connect/interfaces/ConfigParams.html#clientid) and [secret](https://auth0.github.io/express-openid-connect/interfaces/ConfigParams.html#secret) to request and accept authentication. These can be configured with environmental variables:
+
 ```text
@@ -72,59 +89,63 @@ ISSUER_BASE_URL=https://YOUR_DOMAIN
 
-See the [examples](EXAMPLES.md) for route-specific authentication, custom application session handling, requesting and using access tokens for external APIs, and more.
+### Error Handling
 
-See the [API documentation](https://auth0.github.io/express-openid-connect) for [additional configuration possibilities](https://auth0.github.io/express-openid-connect/interfaces/configparams.html) and [provided methods](https://auth0.github.io/express-openid-connect/globals.html#attemptsilentlogin).
-
-## A note on error handling
-
 Errors raised by this library are handled by the [default Express error handler](https://expressjs.com/en/guide/error-handling.html#the-default-error-handler) which, in the interests of security, does not include the stack trace or error message in the production environment. If you write your own error handler, you should not render the error message or the OAuth `error`/`error_description` properties without using a templating engine that will properly escape them first.
 
-To write your own error handler, see the Express documentation on writing [Custom error handlers](https://expressjs.com/en/guide/error-handling.html#writing-error-handlers). 
+To write your own error handler, see the Express documentation on writing [Custom error handlers](https://expressjs.com/en/guide/error-handling.html#writing-error-handlers).
 
-## Contributing
+For other comprehensive examples such as route-specific authentication, custom application session handling, requesting and using access tokens for external APIs, and more, see the [EXAMPLES.md](https://github.com/auth0/express-openid-connect/blob/master/EXAMPLES.md) document.
 
-We appreciate feedback and contribution to this repo! Before you get started, please see the following:
+See the [examples](https://github.com/auth0/express-openid-connect/blob/master/EXAMPLES.md) for route-specific authentication, custom application session handling, requesting and using access tokens for external APIs, and more.
 
-- [Auth0's general contribution guidelines](https://github.com/auth0/.github/blob/master/CONTRIBUTING.md)
-- [Auth0's code of conduct guidelines](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md)
+### Use of Custom Session Stores and `genid`
 
-Contributions can be made to this library through PRs to fix issues, improve documentation or add features. Please fork this repo, create a well-named branch, and submit a PR with a complete template filled out.
+If you create your own session id when using [Custom Session Stores](https://github.com/auth0/express-openid-connect/blob/master/EXAMPLES.md#9-use-a-custom-session-store) by overriding the `genid` configuration, you must use a suitable cryptographically strong random value of sufficient size to prevent collisions and reduce the ability to hijack a session by guessing the session ID.
 
-Code changes in PRs should be accompanied by tests covering the changed or added functionality. Tests can be run for this library with:
+## API Reference
 
-```bash
-npm install
-npm test
-```
+Explore the express-openid-connect API.
 
-When you're ready to push your changes, please run the lint command first:
+- [ConfigParams](https://auth0.github.io/express-openid-connect/interfaces/ConfigParams.html)
 
-```bash
-npm run lint
-```
+**Provided middleware:**
 
-## Support + Feedback
+- [attemptSilentLogin](https://auth0.github.io/express-openid-connect/functions/attemptSilentLogin.html)
+- [auth](https://auth0.github.io/express-openid-connect/functions/auth.html)
+- [claimCheck](https://auth0.github.io/express-openid-connect/functions/claimCheck.html)
+- [claimEquals](https://auth0.github.io/express-openid-connect/functions/claimEquals.html)
+- [claimIncludes](https://auth0.github.io/express-openid-connect/functions/claimIncludes.html)
+- [requiresAuth](https://auth0.github.io/express-openid-connect/functions/requiresAuth.html)
 
-Please use the [Issues queue](https://github.com/auth0/express-openid-connect/issues) in this repo for questions and feedback.
+## Feedback
 
-## Vulnerability Reporting
+### Contributing
 
-Please do not report security vulnerabilities on the public GitHub issue tracker. The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues.
+We appreciate feedback and contribution to this repo! Before you get started, please see the following:
 
-## What is Auth0?
+- [Auth0's general contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md)
+- [Auth0's code of conduct guidelines](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md)
+- [This repo's contribution guide](https://github.com/auth0/express-openid-connect/blob/master/CONTRIBUTING.md)
 
-Auth0 helps you to easily:
+### Raise an issue
 
-- implement authentication with multiple identity providers, including social (e.g., Google, Facebook, Microsoft, LinkedIn, GitHub, Twitter, etc), or enterprise (e.g., Windows Azure AD, Google Apps, Active Directory, ADFS, SAML, etc.)
-- log in users with username/password databases, passwordless, or multi-factor authentication
-- link multiple user accounts together
-- generate signed JSON Web Tokens to authorize your API calls and flow the user identity securely
-- access demographics and analytics detailing how, when, and where users are logging in
-- enrich user profiles from other data sources using customizable JavaScript rules
+To provide feedback or report a bug, please [raise an issue on our issue tracker](https://github.com/auth0/express-openid-connect/issues).
 
-[Why Auth0?](https://auth0.com/why-auth0)
+### Vulnerability Reporting
 
-## License
+Please do not report security vulnerabilities on the public GitHub issue tracker. The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues.
 
-This project is licensed under the MIT license. See the [LICENSE](LICENSE) file for more info.
+## What is Auth0?
 
-[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauth0%2Fexpress-openid-connect.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauth0%2Fexpress-openid-connect?ref=badge_large)
+<p align="center">
+  <picture>
+    <source media="(prefers-color-scheme: dark)" srcset="https://cdn.auth0.com/website/sdks/logos/auth0_dark_mode.png" width="150">
+    <source media="(prefers-color-scheme: light)" srcset="https://cdn.auth0.com/website/sdks/logos/auth0_light_mode.png" width="150">
+    <img alt="Auth0 Logo" src="https://cdn.auth0.com/website/sdks/logos/auth0_light_mode.png" width="150">
+  </picture>
+</p>
+<p align="center">
+  Auth0 is an easy to implement, adaptable authentication and authorization platform. To learn more checkout <a href="https://auth0.com/why-auth0">Why Auth0?</a>
+</p>
+<p align="center">
+  This project is licensed under the MIT license. See the <a href="https://github.com/auth0/express-openid-connect/blob/master/LICENSE"> LICENSE</a> file for more info.
+</p>

No alert changes

Improved metrics

Total package byte prevSize

88407

increased by1.88%

Number of lines in readme file

150

increased by16.28%

Worsened metrics

Lines of code

2469

decreased by-0.04%

Dependency changes

• Updatedjoi@^17.6.3