Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
passport - npm Package Compare versions
Comparing version 0.5.3 to 0.6.0
@@ -9,2 +9,9 @@ # Changelog | ||
| ## [0.6.0] - 2022-05-20 | ||
| ### Security | ||
| - Improved robustness against session fixation attacks in cases where there is | ||
| physical access to the same system or the application is susceptible to | ||
| cross-site scripting (XSS). | ||
| ## [0.5.3] - 2022-05-16 | ||
@@ -54,5 +61,6 @@ ### Fixed | ||
| [Unreleased]: https://github.com/jaredhanson/passport/compare/v0.5.3...HEAD | ||
| [Unreleased]: https://github.com/jaredhanson/passport/compare/v0.6.0...HEAD | ||
| [0.6.0]: https://github.com/jaredhanson/passport/compare/v0.5.3...v0.6.0 | ||
| [0.5.3]: https://github.com/jaredhanson/passport/compare/v0.5.2...v0.5.3 | ||
| [0.5.2]: https://github.com/jaredhanson/passport/compare/v0.5.1...v0.5.2 | ||
| [0.5.1]: https://github.com/jaredhanson/passport/compare/v0.5.0...v0.5.1 |
@@ -39,3 +39,3 @@ var req = exports = module.exports = {}; | ||
| var self = this; | ||
| this._sessionManager.logIn(this, user, function(err) { | ||
| this._sessionManager.logIn(this, user, options, function(err) { | ||
| if (err) { self[property] = null; return done(err); } | ||
@@ -55,3 +55,9 @@ done(); | ||
| req.logout = | ||
| req.logOut = function() { | ||
| req.logOut = function(options, done) { | ||
| if (typeof options == 'function') { | ||
| done = options; | ||
| options = {}; | ||
| } | ||
| options = options || {}; | ||
| var property = this._userProperty || 'user'; | ||
@@ -61,3 +67,7 @@ | ||
| if (this._sessionManager) { | ||
| this._sessionManager.logOut(this); | ||
| if (typeof done != 'function') { throw new Error('req#logout requires a callback function'); } | ||
| this._sessionManager.logOut(this, options, done); | ||
| } else { | ||
| done && done(); | ||
| } | ||
@@ -64,0 +74,0 @@ }; |
@@ -0,1 +1,3 @@ | ||
| var merge = require('utils-merge'); | ||
| function SessionManager(options, serializeUser) { | ||
@@ -12,26 +14,81 @@ if (typeof options == 'function') { | ||
| SessionManager.prototype.logIn = function(req, user, cb) { | ||
| SessionManager.prototype.logIn = function(req, user, options, cb) { | ||
| if (typeof options == 'function') { | ||
| cb = options; | ||
| options = {}; | ||
| } | ||
| options = options || {}; | ||
| if (!req.session) { return cb(new Error('Login sessions require session support. Did you forget to use `express-session` middleware?')); } | ||
| var self = this; | ||
| this._serializeUser(user, req, function(err, obj) { | ||
| var prevSession = req.session; | ||
| // regenerate the session, which is good practice to help | ||
| // guard against forms of session fixation | ||
| req.session.regenerate(function(err) { | ||
| if (err) { | ||
| return cb(err); | ||
| } | ||
| // TODO: Error if session isn't available here. | ||
| if (!req.session) { | ||
| req.session = {}; | ||
| } | ||
| if (!req.session[self._key]) { | ||
| req.session[self._key] = {}; | ||
| } | ||
| req.session[self._key].user = obj; | ||
| cb(); | ||
| self._serializeUser(user, req, function(err, obj) { | ||
| if (err) { | ||
| return cb(err); | ||
| } | ||
| if (options.keepSessionInfo) { | ||
| merge(req.session, prevSession); | ||
| } | ||
| if (!req.session[self._key]) { | ||
| req.session[self._key] = {}; | ||
| } | ||
| // store user information in session, typically a user id | ||
| req.session[self._key].user = obj; | ||
| // save the session before redirection to ensure page | ||
| // load does not happen before session is saved | ||
| req.session.save(function(err) { | ||
| if (err) { | ||
| return cb(err); | ||
| } | ||
| cb(); | ||
| }); | ||
| }); | ||
| }); | ||
| } | ||
| SessionManager.prototype.logOut = function(req, cb) { | ||
| if (req.session && req.session[this._key]) { | ||
| SessionManager.prototype.logOut = function(req, options, cb) { | ||
| if (typeof options == 'function') { | ||
| cb = options; | ||
| options = {}; | ||
| } | ||
| options = options || {}; | ||
| if (!req.session) { return cb(new Error('Login sessions require session support. Did you forget to use `express-session` middleware?')); } | ||
| var self = this; | ||
| // clear the user from the session object and save. | ||
| // this will ensure that re-using the old session id | ||
| // does not have a logged in user | ||
| if (req.session[this._key]) { | ||
| delete req.session[this._key].user; | ||
| } | ||
| var prevSession = req.session; | ||
| cb && cb(); | ||
| req.session.save(function(err) { | ||
| if (err) { | ||
| return cb(err) | ||
| } | ||
| // regenerate the session, which is good practice to help | ||
| // guard against forms of session fixation | ||
| req.session.regenerate(function(err) { | ||
| if (err) { | ||
| return cb(err); | ||
| } | ||
| if (options.keepSessionInfo) { | ||
| merge(req.session, prevSession); | ||
| } | ||
| cb(); | ||
| }); | ||
| }); | ||
| } | ||
@@ -38,0 +95,0 @@ |
| { | ||
| "name": "passport", | ||
| "version": "0.5.3", | ||
| "version": "0.6.0", | ||
| "description": "Simple, unobtrusive authentication for Node.js.", | ||
@@ -39,3 +39,4 @@ "keywords": [ | ||
| "passport-strategy": "1.x.x", | ||
| "pause": "0.0.1" | ||
| "pause": "0.0.1", | ||
| "utils-merge": "^1.0.1" | ||
| }, | ||
@@ -42,0 +43,0 @@ "devDependencies": { |
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by2.83%
81608
- Lines of code
- increased by5.12%
1150
Worsened metrics
- Dependency count
- increased by50%
3
Dependency changes
+ Addedutils-merge@^1.0.1
+ Addedutils-merge@1.0.1(transitive)