express-openid-connect - npm Package Compare versions

Comparing version
2.5.1
to
2.5.2
+5
-1
index.d.ts

@@ -651,5 +651,9 @@ // Type definitions for express-openid-connect

*/
refresh(params?: TokenParameters): Promise<AccessToken>;
refresh(params?: RefreshParams): Promise<AccessToken>;
}
interface RefreshParams {
tokenEndpointParams?: TokenParameters;
}
interface TokenParameters {

@@ -656,0 +660,0 @@ [key: string]: unknown;
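Review bot: The new `RefreshParams` interface and its `tokenEndpointParams` member carry no JSDoc, although the surrounding declarations in this file are documented (the `*/` closing a doc comment sits right above the changed `refresh` signature). A one-line comment on the member, `/** Extra parameters added to the token endpoint request on refresh — presumably; confirm against the implementation. */`, would tell users what the object is for. Whether `RefreshParams` is exported is not visible in the hunk; if it is not, callers cannot name the parameter type they pass to `refresh`.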

+38
-12

@@ -18,2 +18,5 @@ const { strict: assert, AssertionError } = require('assert');

const REASSIGN = Symbol('reassign');
const REGENERATED_SESSION_ID = Symbol('regenerated_session_id');
function attachSessionObject(req, sessionName, value) {

@@ -26,3 +29,3 @@ Object.defineProperty(req, sessionName, {

set(arg) {
if (arg === null || arg === undefined) {
if (arg === null || arg === undefined || arg[REASSIGN]) {
value = arg;

@@ -37,2 +40,13 @@ } else {

function regenerateSessionStoreId(req, config) {
if (config.session.store) {
req[REGENERATED_SESSION_ID] = config.session.genid(req);
}
}
function replaceSession(req, session, config) {
session[REASSIGN] = true;
req[config.session.name] = session;
}
module.exports = (config) => {

@@ -181,3 +195,3 @@ let current;

setCookie(id, req, res, iat) {
setCookie(req, res, iat) {
setCookie(req, res, iat);

@@ -204,8 +218,10 @@ }

) {
if (!req[sessionName] || !Object.keys(req[sessionName]).length) {
if (req[COOKIES][sessionName]) {
await this._destroy(id);
}
} else {
await this._set(id, {
const hasPrevSession = !!req[COOKIES][sessionName];
const replacingPrevSession = !!req[REGENERATED_SESSION_ID];
const hasCurrentSession = req[sessionName] && Object.keys(req[sessionName]).length;
if (hasPrevSession && (replacingPrevSession || !hasCurrentSession)) {
await this._destroy(id);
}
if (hasCurrentSession) {
await this._set(req[REGENERATED_SESSION_ID] || id, {
header: { iat, uat, exp },

@@ -241,3 +257,4 @@ data: req[sessionName],

const store = config.session.store
const isCustomStore = !!config.session.store;
const store = isCustomStore
? new CustomStore(config.session.store)

@@ -339,7 +356,9 @@ : new CookieStore();

const id = existingSessionValue || generateId(req);
if (isCustomStore) {
const id = existingSessionValue || generateId(req);
onHeaders(res, () => store.setCookie(id, req, res, { iat }));
onHeaders(res, () =>
store.setCookie(req[REGENERATED_SESSION_ID] || id, req, res, { iat })
);
if (store.set) {
const { end: origEnd } = res;

@@ -359,2 +378,6 @@ res.end = async function resEnd(...args) {

};
} else {
onHeaders(res, () =>
store.setCookie(req, res, { iat })
);
}

@@ -365,1 +388,4 @@

};
module.exports.regenerateSessionStoreId = regenerateSessionStoreId;
module.exports.replaceSession = replaceSession;
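Review bot: In the `_destroy`/`_set` hunk, `hasCurrentSession` is left as a key count or `undefined` while its two sibling flags are coerced with `!!`; for consistency and so the three conditions read alike, `const hasCurrentSession = !!(req[sessionName] && Object.keys(req[sessionName]).length);`. The enclosing method starts and ends outside that hunk. The `_destroy` condition would also benefit from a why-comment, since a reader has to infer the link between the regenerated id and the old entry, e.g. `// When the id was regenerated the entry under the old id is destroyed so the pre-login id stops resolving to any session.` The same `_destroy` path also runs when the incoming session is empty, which the comment should mention.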

@@ -13,2 +13,3 @@ const express = require('express');

const appSession = require('../lib/appSession');
const { regenerateSessionStoreId, replaceSession } = appSession;
const { decodeState } = require('../lib/hooks/getLoginState');

@@ -87,3 +88,3 @@

let session;
let tokenSet;

@@ -115,3 +116,3 @@ try {

session = await client.callback(
tokenSet = await client.callback(
redirectUri,

@@ -126,2 +127,4 @@ callbackParams,

let session = Object.assign({}, tokenSet); // Remove non-enumerable methods from the TokenSet
if (config.afterCallback) {

@@ -131,3 +134,3 @@ session = await config.afterCallback(

res,
Object.assign({}, session), // Remove non-enumerable methods from the TokenSet
session,
req.openidState

@@ -137,3 +140,20 @@ );

Object.assign(req[config.session.name], session);
if (req.oidc.isAuthenticated()) {
if (req.oidc.user.sub === tokenSet.claims().sub) {
// If it's the same user logging in again, just update the existing session.
Object.assign(req[config.session.name], session);
} else {
// If it's a different user, replace the session to remove any custom user
// properties on the session
replaceSession(req, session, config);
// And regenerate the session id so the previous user wont know the new user's session id
regenerateSessionStoreId(req, config);
}
} else {
// If a new user is replacing an anonymous session, update the existing session to keep
// any anonymous session state (eg. checkout basket)
Object.assign(req[config.session.name], session);
// But update the session store id so a previous anonymous user wont know the new user's session id
regenerateSessionStoreId(req, config);
}
attemptSilentLogin.resumeSilentLogin(req, res);

@@ -140,0 +160,0 @@
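Review bot: The same-user branch at the top of the `isAuthenticated()` hunk keeps the existing store id while both other branches rotate it through `regenerateSessionStoreId`, and its comment does not say this is deliberate; extend it to `// Same user re-authenticating: update the session in place. The store id is intentionally not rotated because the principal does not change.` if that is the intent. `req.oidc.user.sub` will throw if `req.oidc.user` can be undefined while `isAuthenticated()` is true; whether that can happen is not visible here, so either guard with `req.oidc.user?.sub` or state the invariant in the comment. The comments on the two `regenerateSessionStoreId` calls also read "wont" for "won't". The enclosing callback handler starts and ends outside the hunk.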

{
"name": "express-openid-connect",
"version": "2.5.1",
"version": "2.5.2",
"description": "Express middleware to protect web applications using OpenID Connect.",

@@ -35,7 +35,7 @@ "homepage": "https://github.com/auth0/express-openid-connect",

"http-errors": "^1.8.0",
"joi": "^17.4.1",
"joi": "^17.4.2",
"jose": "^2.0.5",
"on-headers": "^1.0.2",
"openid-client": "^4.7.5",
"p-memoize": "^4.0.1",
"openid-client": "^4.9.1",
"p-memoize": "^4.0.2",
"url-join": "^4.0.1"

@@ -42,0 +42,0 @@ },