From 71696c155e8e1f9fcdcd1d8a6a9f77e3c72027bc Mon Sep 17 00:00:00 2001
From: David
Date: Wed, 13 Jan 2021 14:48:04 -0800
Subject: [PATCH] Release 2.2.0

**Added**
- afterCallback Hook [#168](https://github.com/auth0/express-openid-connect/pull/168) ([davidpatrick](https://github.com/davidpatrick))

**Changed**
- Move transient cookies into single cookie [#171](https://github.com/auth0/express-openid-connect/pull/171) ([davidpatrick](https://github.com/davidpatrick))
---
 CHANGELOG.md | 9 +++++++++
 EXAMPLES.md | 19 +++++++++++++++++++
 examples/validate_claims.js | 28 ++++++++++++++++++++++++++++
 middleware/auth.js | 1 +
 package-lock.json | 2 +-
 package.json | 2 +-
 6 files changed, 59 insertions(+), 2 deletions(-)
 create mode 100644 examples/validate_claims.js

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b3d42dd9..f0b21028 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,14 @@
 # CHANGELOG
 
+## [2.2.0](https://github.com/auth0/express-openid-connect/tree/v2.2.0) (2021-01-14)
+[Full Changelog](https://github.com/auth0/express-openid-connect/compare/v2.1.0...v2.2.0)
+
+**Added**
+- afterCallback Hook [#168](https://github.com/auth0/express-openid-connect/pull/168) ([davidpatrick](https://github.com/davidpatrick))
+
+**Changed**
+- Move transient cookies into single cookie [#171](https://github.com/auth0/express-openid-connect/pull/171) ([davidpatrick](https://github.com/davidpatrick))
+
 ## [2.1.0](https://github.com/auth0/express-openid-connect/tree/v2.1.0) (2020-12-15)
 [Full Changelog](https://github.com/auth0/express-openid-connect/compare/v2.0.0...v2.1.0)
 
diff --git a/EXAMPLES.md b/EXAMPLES.md
index 42c7efbe..9714a134 100644
--- a/EXAMPLES.md
+++ b/EXAMPLES.md
@@ -215,4 +215,23 @@ app.use(
     // auth0Logout: true // if using custom domain with Auth0
   })
 );
+```
+
+## 8. Validate Claims from an ID token before logging a user in
+
+The `afterCallback` hook can be used to do validation checks on claims after the ID token has been received in the callback phase.
+
+```js
+app.use(
+  auth({
+    afterCallback: (req, res, session) => {
+      const claims = jose.JWT.decode(session.id_token); // using jose library to decode JWT
+      if (claims.org_id !== 'Required Organization') {
+        throw new Error('Not a part of the Required Organization');
+      }
+      return session;
+    }
+  })
+);
+
 ```
\ No newline at end of file
diff --git a/examples/validate_claims.js b/examples/validate_claims.js
new file mode 100644
index 00000000..87520402
--- /dev/null
+++ b/examples/validate_claims.js
@@ -0,0 +1,28 @@
+const express = require('express');
+const jose = require('jose');
+const { auth } = require('../');
+
+const app = express();
+
+app.use(
+  auth({
+    authorizationParams: {
+      response_type: 'code id_token',
+    },
+    afterCallback: (req, res, session) => {
+      const claims = jose.JWT.decode(session.id_token);
+
+      if (claims.org_id !== 'Required Organization') {
+        throw new Error('User is not a part of the Required Organization');
+      }
+      return session;
+    }
+  })
+);
+
+app.get('/', async (req, res) => {
+  const userInfo = await req.oidc.fetchUserInfo();
+  res.send(`hello ${userInfo.sub}`);
+});
+
+module.exports = app;
diff --git a/middleware/auth.js b/middleware/auth.js
index e8ddb78c..3b1d96e1 100644
--- a/middleware/auth.js
+++ b/middleware/auth.js
@@ -104,6 +104,7 @@ module.exports = function (params) {
     }
 
     if (config.afterCallback) {
+      session = Object.assign({}, session); // serializes session
       session = await config.afterCallback(req, res, session, req.openidState);
     }
 
diff --git a/package-lock.json b/package-lock.json
index d0f49de6..f60c2c1b 100644
--- a/package-lock.json
+++ b/package-lock.json
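Review bot: In the new examples/validate_claims.js, `jose.JWT.decode(session.id_token)` inside `afterCallback` only parses the token and performs no signature or issuer check, so the `org_id` comparison is trustworthy only if the middleware has already verified `session.id_token` before invoking the hook; nothing in this file shows that, and a reader who lifts the snippet into another context will not know it. Add a comment above the decode line, `// decode only (no signature check) — relies on the middleware having verified id_token before afterCallback runs`, so the precondition travels with the example. The placeholder `'Required Organization'` reads like a display name while the claim name `org_id` suggests an identifier; a short comment noting that the value is a placeholder to be replaced with the real claim value would stop it being copied literally. The same decode-without-verify line appears in the EXAMPLES.md hunk.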
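Review bot: The comment on the added line in middleware/auth.js, `// serializes session`, misdescribes what `Object.assign({}, session)` does: it produces a shallow copy, not a serialization, and any nested object held by `session` stays shared with the original, so a hook that mutates a nested value still mutates the caller's object. Suggest `// shallow copy so afterCallback gets its own top-level object; nested values are still shared with the original`. The copy only protects the input side — the value returned by `afterCallback` is assigned straight back on the next line without a check, so a hook that returns nothing leaves `session` undefined; how that is handled is outside the hunk. The enclosing function starts and ends outside the hunk.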
@@ -1,6 +1,6 @@
 {
   "name": "express-openid-connect",
-  "version": "2.1.0",
+  "version": "2.2.0",
   "lockfileVersion": 1,
   "requires": true,
   "dependencies": {
diff --git a/package.json b/package.json
index fcae4a70..bb41b73e 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "express-openid-connect",
-  "version": "2.1.0",
+  "version": "2.2.0",
   "description": "Express middleware to protect web applications using OpenID Connect.",
   "homepage": "https://github.com/auth0/express-openid-connect",
   "license": "MIT",