chore(deps): bump passport from 0.4.0 to 0.6.0 #31
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
dependabot
bot
added
the
dependencies
|
Getting a weird error in the logs with this one:
|
|
Related, gets weirdly stuck in-browser with https://localhost:8080/login.html but does log out the tokens in the console. Directly navigating to https://localhost:8080/me seems to work. Not sure why the redirect isn't working here or what is wrong with the state. |
Bumps [passport](https://github.com/jaredhanson/passport) from 0.4.0 to 0.6.0. - [Release notes](https://github.com/jaredhanson/passport/releases) - [Changelog](https://github.com/jaredhanson/passport/blob/master/CHANGELOG.md) - [Commits](jaredhanson/passport@v0.4.0...v0.6.0) --- updated-dependencies: - dependency-name: passport dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>
dependabot
bot
force-pushed
the
dependabot/npm_and_yarn/passport-0.6.0
branch
from
cecde1c to
35f60c7
Compare
|
Note to self: Upgrading from Looks like it is specifically |
|
I'm closer to understanding what is happening based on using the debugging option from express-session: Using that debugging option in the "scripts": {
"start": "ENVIRONMENT='local' DEBUG=express-session node server.js"
},...I see these differences in how the session is handled between passport version 0.4.0[jaimelopez@C02YX7W4LVCG ~/Documents/Source/consumer-api-openid-connect-example (main !)] $ npm run start
> @banno/[email protected] start /Users/jaimelopez/Documents/Source/consumer-api-openid-connect-example
> ENVIRONMENT='local' DEBUG=express-session node server.js
Environment: local
API_ENVIRONMENT: https://digital.garden-fi.com
Server listening on https://localhost:8080
express-session fetching QKJFunyp6gZzwyHuRP9PXy_js5VSvgX7 +0ms
express-session no session found +1ms
express-session set-cookie connect.sid=s%3A85sDdaJ3jqrbmWuLMYjvkAWqwglmj8dk.mQPzqDzO6kJe%2BkYGt1B8x7qA%2FEDwRKluG9Pwefg3Cek; Path=/; HttpOnly; Secure; SameSite=None +7ms
express-session saving 85sDdaJ3jqrbmWuLMYjvkAWqwglmj8dk +1ms
express-session fetching 85sDdaJ3jqrbmWuLMYjvkAWqwglmj8dk +21ms
express-session session found +0ms
express-session touching +3ms
express-session touched +0ms
express-session fetching 85sDdaJ3jqrbmWuLMYjvkAWqwglmj8dk +953ms
express-session session found +0ms
express-session saving 85sDdaJ3jqrbmWuLMYjvkAWqwglmj8dk +2ms
express-session fetching 85sDdaJ3jqrbmWuLMYjvkAWqwglmj8dk +140ms
express-session session found +0ms
TokenSet {
access_token: (token)',
expires_at: 1669144785,
id_token: '(token),
refresh_token: '(token),
scope: 'openid https://api.banno.com/consumer/auth/offline_access https://api.banno.com/consumer/auth/accounts.readonly https://api.banno.com/consumer/auth/transactions.detail.readonly',
token_type: 'Bearer'
}
null {
sub: '277020a3-fe0d-4e04-a6db-39d06ad13bd7',
given_name: 'Jaime',
family_name: 'Lopez',
name: 'Jaime Lopez',
address: {
locality: 'Banno',
postal_code: '657080000',
region: 'MO',
street_address: '123 Banno St.'
},
email: '[email protected]',
'https://api.banno.com/consumer/claim/institution_id': '899f4398-106d-409a-9ed4-a72346778076',
at_hash: 'hTcrMbeCsAq6tChNFLu4Tw',
aud: '3f85ce95-00e7-4f3e-abbe-132d95f96d4e',
exp: 1669147785,
iat: 1669144185,
iss: 'https://digital.garden-fi.com/a/consumer/api/v0/oidc'
} {}
express-session saving 85sDdaJ3jqrbmWuLMYjvkAWqwglmj8dk +491ms
express-session split response +0ms
express-session fetching 85sDdaJ3jqrbmWuLMYjvkAWqwglmj8dk +4ms
express-session session found +0ms
express-session touching +1ms
express-session split response +0ms
express-session touched +0msThe session is consistently 0.6.0[jaimelopez@C02YX7W4LVCG ~/Documents/Source/consumer-api-openid-connect-example (main !)] $ npm run start
> @banno/[email protected] start /Users/jaimelopez/Documents/Source/consumer-api-openid-connect-example
> ENVIRONMENT='local' DEBUG=express-session node server.js
Environment: local
API_ENVIRONMENT: https://digital.garden-fi.com
Server listening on https://localhost:8080
express-session fetching A7ELmwf-4BWhCrK6hmap6SVBw35q281H +0ms
express-session no session found +1ms
express-session set-cookie connect.sid=s%3Ab6aiykVUWqOPwwhNAd2cmAqpLSLz7yDZ.4lvjHai%2FkqTtGBjZ6HX%2FATsPefzvu32UfJ7seTvA%2Fa0; Path=/; HttpOnly; Secure; SameSite=None +5ms
express-session saving b6aiykVUWqOPwwhNAd2cmAqpLSLz7yDZ +2ms
express-session fetching b6aiykVUWqOPwwhNAd2cmAqpLSLz7yDZ +33ms
express-session session found +1ms
express-session touching +2ms
express-session touched +0ms
express-session fetching b6aiykVUWqOPwwhNAd2cmAqpLSLz7yDZ +2s
express-session session found +0ms
express-session saving b6aiykVUWqOPwwhNAd2cmAqpLSLz7yDZ +2ms
express-session fetching b6aiykVUWqOPwwhNAd2cmAqpLSLz7yDZ +272ms
express-session session found +0ms
TokenSet {
access_token: '(token)',
expires_at: 1669144633,
id_token: '(token),
refresh_token: '(token)',
scope: 'openid https://api.banno.com/consumer/auth/offline_access https://api.banno.com/consumer/auth/accounts.readonly https://api.banno.com/consumer/auth/transactions.detail.readonly',
token_type: 'Bearer'
}
null {
sub: '277020a3-fe0d-4e04-a6db-39d06ad13bd7',
given_name: 'Jaime',
family_name: 'Lopez',
name: 'Jaime Lopez',
address: {
locality: 'Banno',
postal_code: '657080000',
region: 'MO',
street_address: '123 Banno St.'
},
email: '[email protected]',
'https://api.banno.com/consumer/claim/institution_id': '899f4398-106d-409a-9ed4-a72346778076',
at_hash: 'h6bd9RaV-1qM1nLCI_q-Mg',
aud: '3f85ce95-00e7-4f3e-abbe-132d95f96d4e',
exp: 1669147634,
iat: 1669144034,
iss: 'https://digital.garden-fi.com/a/consumer/api/v0/oidc'
} {}
State parameter not found in store
express-session split response +454ms
express-session set-cookie connect.sid=s%3AIhYaD2ckkKhu-E86RvC_gpa4MnxShNc6.zZ559VzoXZCDvS7TV4QN16%2FrFc59PRZvuhz0G6%2FlvF4; Path=/; HttpOnly; Secure; SameSite=None +0ms
express-session fetching IhYaD2ckkKhu-E86RvC_gpa4MnxShNc6 +4ms
express-session session found +1ms
express-session touching +1ms
express-session touched +0ms
express-session fetching IhYaD2ckkKhu-E86RvC_gpa4MnxShNc6 +15ms
express-session session found +0ms
express-session touching +1ms
express-session touched +0msIn this case, the session switches from
...which will end up redirecting the user back to the // If a state parameter is present and has a matching local state, lookup the value
if (req.query.state) {
if (req.session.oAuthState && req.session.oAuthState[req.query.state]) {
if (req.session.oAuthState[req.query.state].returnPath) {
nextPath = req.session.oAuthState[req.query.state].returnPath;
}
delete req.session.oAuthState[req.query.state];
} else {
console.error('State parameter not found in store');
return res.redirect('/login.html');
}
} |
|
Based on the passport changelog for 0.5.3 to 0.6.0, it looks like this is pretty much the only PR change: The back-and-forth comments with angry users of passport ends up with this seemingly useful blog post on Medium entitled "Fixing Session Fixation". |
The passport.js changes in `0.6.0` have breaking changes related to protecting against "Session Fixation". - jaredhanson/passport#900 - https://medium.com/passportjs/fixing-session-fixation-b2b68619c51d The assumption for the fix in this commit is that our example project here only has the session storage as its storage mechanism, so we're not quite vulnerable to the same thing since the storage goes away when the local project is stopped.
|
I've updated the |
|
Seems like things are working again, so self-merging this one. 😬 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Bumps passport from 0.4.0 to 0.6.0.
Changelog
Sourced from passport's changelog.
... (truncated)
Commits
c33067b0.6.03052bb4Update changelog.42630cbMerge pull request #900 from jaredhanson/fix-fixation8dd79feUse utils-merge rather than Object.assign for compatibility.4f6bd5bChange keepSessionData to keepSessionData.46756e5Silence verbose logging.987b191Add tests.f8a175fAdd tests.29a90d6No need to guard callback existence.bfba8a1Add tests.Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)@dependabot use these labelswill set the current labels as the default for future PRs for this repo and language@dependabot use these reviewerswill set the current reviewers as the default for future PRs for this repo and language@dependabot use these assigneeswill set the current assignees as the default for future PRs for this repo and language@dependabot use this milestonewill set the current milestone as the default for future PRs for this repo and languageYou can disable automated security fix PRs for this repo from the Security Alerts page.