
chore(deps): upgrade vulnerable dependencies (#54)
OKTA-528393 BREAKING CHANGE: version 5.0 release
oleksandrpravosudko-okta authored Sep 7, 2022
1 parent 5d10b3c commit 50c093b
Showing 20 changed files with 2,219 additions and 793 deletions.
9 changes: 6 additions & 3 deletions .eslintrc.json
Expand Up @@ -2,15 +2,18 @@
"extends": [
"eslint:recommended",
"plugin:promise/recommended",
"plugin:jasmine/recommended"
"plugin:jasmine/recommended",
"plugin:wdio/recommended"
],
"plugins": [
"promise",
"jasmine"
"jasmine",
"wdio"
],
"env": {
"browser": false,
"commonjs": true
"commonjs": true,
"node": true
},
"parserOptions": {
"ecmaVersion": 2017
Expand Down
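Review bot: `"ecmaVersion": 2017` is still the parser setting visible at the end of this hunk, while the same commit introduces object spread (`...options` in src/oidcUtil.js), which is ES2018 syntax. Unless a parser override elsewhere in this config (for example the `@babel/eslint-parser` listed in devDependencies) takes precedence, `yarn lint` will reject those lines and the `test` script that runs it. Raising it to `"ecmaVersion": 2018` or later, in line with the new Node engines range, keeps the lint step meaningful. The remainder of the config is outside the hunk, so I cannot tell whether such an override exists.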
7 changes: 7 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,10 @@
# 5.0.0

### Breaking Changes

- [#]() Requires Node >= 12.19.0. Update production dependencies:
- `[email protected]` (was 3.12.2)

# 4.6

-[#53](https://github.com/okta/okta-oidc-middleware/pull/53) Fix: prevents open redirects
Expand Down
28 changes: 15 additions & 13 deletions package.json
@@ -1,7 +1,7 @@
{
"private": true,
"name": "@okta/oidc-middleware",
"version": "4.6.0",
"version": "5.0.0",
"description": "OpenId Connect middleware for authorization code flows",
"repository": "https://github.com/okta/okta-oidc-middleware",
"homepage": "https://github.com/okta/okta-oidc-middleware#readme",
Expand All @@ -24,17 +24,17 @@
"lint": "eslint .",
"lint:report": "eslint -f checkstyle -o ./reports/lint/eslint-checkstyle-result.xml .",
"test": "yarn lint && yarn test:unit && yarn test:e2e && yarn test:integration",
"pretest:e2e": "node scripts/update-se-drivers.js && yarn kill:port",
"pretest:e2e": "yarn kill:port",
"posttest:e2e": "yarn kill:port",
"test:e2e": "protractor test/e2e/protractor.conf.js",
"test:e2e": "wdio run wdio.conf.js",
"test:integration": "scripts/tck.sh 0.4.0",
"test:unit": "jest",
"start": "node test/e2e/harness/start-server.js",
"start:custom": "node test/e2e/harness/start-custom-login-server.js",
"kill:port": "kill -s TERM $(lsof -t -i:8080 -sTCP:LISTEN) || true"
},
"engines": {
"node": "^10.13.0 || >=12.0.0"
"node": "^12.19.0 || ^14.15.0 || ^16.13.0"
},
"license": "Apache-2.0",
"dependencies": {
Expand All @@ -45,13 +45,18 @@
"lodash": "^4.17.21",
"negotiator": "^0.6.1",
"node-fetch": "^2.6.7",
"openid-client": "3.12.2",
"passport": "^0.4.1",
"openid-client": "^5.1.9",
"passport": "^0.6.0",
"uuid": "^8.3.2"
},
"devDependencies": {
"@babel/eslint-parser": "^7.17.0",
"axios": "^0.27.2",
"@wdio/cli": "^7.24.0",
"@wdio/jasmine-framework": "^7.24.0",
"@wdio/junit-reporter": "^7.24.0",
"@wdio/local-runner": "^7.24.0",
"@wdio/selenium-standalone-service": "^7.24.0",
"@wdio/spec-reporter": "^7.24.0",
"cookie-parser": "^1.4.5",
"cross-env": "^7.0.0",
"dotenv": "^8.1.0",
Expand All @@ -60,20 +65,17 @@
"eslint-plugin-jasmine": "^4.1.0",
"eslint-plugin-jest": "^23.0.3",
"eslint-plugin-promise": "^4.2.1",
"eslint-plugin-protractor": "^2.1.1",
"eslint-plugin-wdio": "^7.21.0",
"express-session": "^1.15.5",
"globby": "^6.1.0",
"jasmine-protractor-browser-log-reporter": "^1.0.0",
"jasmine-reporters": "^2.5.0",
"jasmine-spec-reporter": "^4.1.0",
"jest": "^28.1.1",
"jest-junit": "^13.2.0",
"nock": "^11.9.1",
"protractor": "^7.0.0",
"read-package-tree": "^5.1.6",
"server-destroy": "^1.0.1",
"shelljs": "0.8.5",
"supertest": "^6.0.1"
"supertest": "^6.0.1",
"wdio-wait-for": "^2.2.6"
},
"resolutions": {
"webdriver-manager": "^12.1.4",
Expand Down
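Review bot: The `resolutions` entry `"webdriver-manager": "^12.1.4"` at the end of this section pinned a transitive dependency of the protractor toolchain, and with protractor and scripts/update-se-drivers.js removed in this commit it appears to be stale. Dead resolutions make later dependency audits harder to read, so drop the line if nothing in the new WebdriverIO stack depends on it. The rest of the resolutions block is outside the hunk and may need the same check.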
2 changes: 1 addition & 1 deletion scripts/setup.sh
Expand Up @@ -10,7 +10,7 @@ export PATH="${PATH}:$(yarn global bin)"

# Install required node version
export NVM_DIR="/root/.nvm"
setup_service node v12.22.0
setup_service node v14.17.0

cd ${OKTA_HOME}/${REPO}

Expand Down
42 changes: 0 additions & 42 deletions scripts/update-se-drivers.js

This file was deleted.

5 changes: 4 additions & 1 deletion src/connectUtil.js
Expand Up @@ -96,7 +96,10 @@ connectUtil.createLoginCallbackHandler = context => {
if (!customHandler) {
// Passport successReturnToOrRedirect always try req.session.returnTo first if it's assigned
// Use successRedirect field if afterCallback url is explicitly set in config
const redirectOptions = { failureRedirect: routes.loginCallback.failureRedirect };
const redirectOptions = {
failureRedirect: routes.loginCallback.failureRedirect,
keepSessionInfo: true, // preserve req.session.returnTo during session regeneration
};
if (routes.loginCallback.afterCallback) {
redirectOptions.successRedirect = routes.loginCallback.afterCallback;
} else {
Expand Down
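Review bot: `keepSessionInfo: true` in the new redirectOptions carries the entire pre-login session into the regenerated one, not only `req.session.returnTo`; passport 0.6 regenerates the session on login to defeat session fixation, and this option keeps the session ID rotation but copies all stored data across, so any state an unauthenticated visitor could place in the session survives authentication. The inline comment should make that trade-off explicit rather than only naming `returnTo`, e.g. `keepSessionInfo: true, // passport 0.6 regenerates the session on login; keep its contents (all of them, not just returnTo) so successReturnToOrRedirect still works`. createLoginCallbackHandler begins before this hunk and continues past it.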
2 changes: 1 addition & 1 deletion src/logout.js
Expand Up @@ -64,7 +64,7 @@ logout.forceLogoutAndRevoke = context => {
const revokes = REVOKABLE_TOKENS.map( revokeIfExists );

// clear local session
req.logout();
req.logout(function () {});

// attempt all revokes
await Promise.all(revokes); // these capture (emit) all rejections, no wrapping catch needed, no early fail of .all()
Expand Down
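Review bot: `req.logout(function () {})` on the replaced line discards any error from passport 0.6's asynchronous logout and does not wait for it to finish, so the token revocations and whatever follows in forceLogoutAndRevoke run while the local session may still be live. The surrounding code already uses `await`, so the call can be sequenced properly: `await new Promise((resolve, reject) => req.logout((err) => (err ? reject(err) : resolve())));`. forceLogoutAndRevoke starts before this hunk and continues after it.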
23 changes: 14 additions & 9 deletions src/oidcUtil.js
Expand Up @@ -35,16 +35,19 @@ function customizeUserAgent(options) {
const headers = options.headers || {};
let clientUserAgent = headers['User-Agent'];
if (typeof clientUserAgent === 'string') {
clientUserAgent = ' ' + clientUserAgent.split(' ')[0]
clientUserAgent = ' ' + clientUserAgent.split(' (')[0]
} else {
clientUserAgent = '';
}

const userAgent = `${pkg.name}/${pkg.version}${clientUserAgent} node/${process.versions.node} ${os.platform()}/${os.release()}`;
headers['User-Agent'] = userAgent;

options.headers = headers;
return options;
return {
...options,
headers: {
...headers,
'User-Agent': userAgent
}
}
}

function appendOptionsToQuery(url, options) {
Expand All @@ -68,22 +71,23 @@ oidcUtil.createClient = context => {
timeout
} = context.options;

Issuer[custom.http_options] = function(options) {
Issuer[custom.http_options] = function(_, options) {
options = customizeUserAgent(options);
options.timeout = timeout || 10000;
return options;
};

return Issuer.discover(issuer + '/.well-known/openid-configuration')
.then(iss => {
.then((iss) => {
const client = new iss.Client({
client_id,
client_secret,
redirect_uris: [
redirect_uri
]
});
client[custom.http_options] = options => {

client[custom.http_options] = (options) => {
options = customizeUserAgent(options);
options.timeout = timeout || 10000;
return options;
Expand All @@ -100,7 +104,8 @@ oidcUtil.bootstrapPassportStrategy = context => {
scope: context.options.scope
},
sessionKey: context.options.sessionKey,
client: context.client
client: context.client,
usePKCE: false
}, (tokenSet, callbackArg1, callbackArg2) => {
let done;
let userinfo;
Expand Down
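Review bot: `usePKCE: false` in the Strategy options of bootstrapPassportStrategy switches off the PKCE that openid-client 5 enables by default, and nothing records why; even for a confidential client with a client_secret, PKCE is the cheap defence against authorization-code injection, so either drop the line or document the reason, e.g. `usePKCE: false, // TODO: re-enable once <reason-placeholder> is resolved`. Separately, the rewritten customizeUserAgent now returns a fresh object, and the two `http_options` hooks mutate that copy with `options.timeout = timeout || 10000`, which is safe only because it is no longer the caller's object; a short comment there would stop a later reader from reverting to in-place mutation. bootstrapPassportStrategy continues past the end of this hunk.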
8 changes: 4 additions & 4 deletions test/e2e/.eslintrc.json
@@ -1,11 +1,11 @@
{
"extends": [
"plugin:protractor/recommended",
"plugin:jasmine/recommended"
"plugin:jasmine/recommended",
"plugin:wdio/recommended"
],
"plugins": [
"protractor",
"jasmine"
"jasmine",
"wdio"
],
"env": {
"jasmine": true,
Expand Down
52 changes: 37 additions & 15 deletions test/e2e/page-objects/CustomLoginPage.js
Expand Up @@ -10,31 +10,53 @@
* See the License for the specific language governing permissions and limitations under the License.
*/

const EC = protractor.ExpectedConditions;
const EC = require("wdio-wait-for");

module.exports = class OktaSignInPage {
/* eslint-disable protractor/no-repetitive-selectors */
constructor() {
this.username = $('[name=username]');
this.password = $('[name=password]');
this.submit = $('#okta-signin-submit');
this.banner = $('#banner');
this.pageTitle = $('[data-se=o-form-head]');
this.usernameLabel = $('[data-se=o-form-label] [for=okta-signin-username]');
this.passwordLabel = $('[data-se=o-form-label] [for=okta-signin-password]');
constructor() {}

get username() {
return $('[name=username]');
}

get password() {
return $('[name=password]');
}

get submit() {
return $('#okta-signin-submit');
}

get banner() {
return $('#banner');
}

get pageTitle() {
return $('[data-se=o-form-head]');
}

get usernameLabel() {
return $('[data-se=o-form-label] [for=okta-signin-username]');
}

get passwordLabel() {
return $('[data-se=o-form-label] [for=okta-signin-password]');
}

async load() {
await browser.get('/login');
await browser.url('/login');
}

async waitUntilVisible() {
await browser.wait(EC.presenceOf(this.banner), 50000, 'wait for banner');
await browser.waitUntil(EC.presenceOf(await this.banner), {
timeout: 50000,
timeoutMsg: 'wait for banner'
});
}

async signIn({username, password}) {
await this.username.sendKeys(username);
await this.password.sendKeys(password);
await this.submit.click();
await (await this.username).setValue(username);
await (await this.password).setValue(password);
await (await this.submit).click();
}
}
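Review bot: The empty `constructor() {}` left behind after the selectors moved into getters is dead code; JavaScript supplies a default constructor, so the line can simply be removed. The HomePage.js section in this commit has the same leftover. The getter form is otherwise a good fit for WebdriverIO, since each access re-runs `$()` and so avoids holding a stale element across page loads.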
22 changes: 15 additions & 7 deletions test/e2e/page-objects/HomePage.js
Expand Up @@ -12,29 +12,37 @@

const constants = require('../util/constants');
const util = require('../util/util');
const EC = protractor.ExpectedConditions;
const EC = require("wdio-wait-for");

module.exports = class HomePage {
constructor() {
this.body = $('body');
constructor() {}

get body() {
return $('body');
}

async load() {
await browser.get(constants.BASE_URI);
await browser.url(constants.BASE_URI);
}

async waitUntilVisible() {
const url = util.ensureTrailingSlash(constants.BASE_URI);
await browser.wait(EC.urlIs(url), 50000, 'wait for base url');
await browser.waitUntil(EC.urlIs(url), {
timeout: 50000,
timeoutMsg: 'wait for base url'
});
}

async performLogout() {
const logoutButton = $('#logout');
await logoutButton.click();
await browser.wait(EC.not(EC.presenceOf(logoutButton)), 5000, 'wait for logout button to disappear');
await browser.waitUntil(EC.not(EC.presenceOf(logoutButton)), {
timeout: 5000,
timeoutMsg: 'wait for logout button to disappear'
});
}

async getBodyText() {
return this.body.getText();
return (await this.body).getText();
}
}
