Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[chore] bump passport to 0.7.0 #3502

Merged
merged 2 commits into from
Aug 9, 2024
Merged

[chore] bump passport to 0.7.0 #3502

merged 2 commits into from
Aug 9, 2024

Conversation

freemvmt
Copy link
Contributor

@freemvmt freemvmt commented Aug 8, 2024
edited
Loading

🔧 Ticket in Trello.

We've wanted to bump the passport version in use for auth routes for some time, because 0.6.0 fixes a 'moderate' security vulnerability (as flagged by dependabot 2 years ago).

But this version throws up a bug related to our use of cookie-session, which passport does not commit to being compatible with (see here) (it only claims to support express-session). The issue is that passport used to implement the req.session.regenerate and req.session.save methods, which are called by cookie-session, but no longer does.

So in this PR we jump to 0.7.0 (changelog), and implement a fix for this bug by stubbing out dummy methods on req.session. Credit to this comment in passport#904 for the fix.

Supertest does not make the request objection available for testing - only the response. Therefore in order to test things about the request we are actually constructing, I added a new module with a dedicated test route. Very open to other ideas on how to test these dummy methods if that doesn't seem best practice :)

@freemvmt freemvmt force-pushed the bump-passport branch 2 times, most recently from 1054ed9 to 59be957 Compare August 8, 2024 23:56
@github-actions GitHub Actions
Copy link

github-actions bot commented Aug 8, 2024
edited
Loading

Removed vultr server and associated DNS entries

@freemvmt freemvmt requested a review from a team August 9, 2024 00:17
jessicamcinchak
jessicamcinchak approved these changes Aug 9, 2024
View reviewed changes
Copy link
Member

@jessicamcinchak jessicamcinchak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Very satisfying to address this longstanding dependabot alert 👌

Can login & logout of pizza as expected ✅

api.planx.uk/modules/test/routes.ts Show resolved Hide resolved
api.planx.uk/session.ts Outdated Show resolved Hide resolved
@freemvmt freemvmt merged commit d2b94f1 into main Aug 9, 2024
12 checks passed
@freemvmt freemvmt deleted the bump-passport branch August 9, 2024 12:01
@jessicamcinchak
Copy link
Member

Upgrade the passport dependency

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jessicamcinchak jessicamcinchak jessicamcinchak approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@freemvmt @jessicamcinchak