From b15150542ee221a921f15896b7eda2267628ea57 Mon Sep 17 00:00:00 2001
From: Nicola Molinari
Date: Mon, 9 May 2022 17:00:37 +0200
Subject: [PATCH] chore: update `express` and `express-jwt` packages (#2598)
* fix(express): migrate to express-jwt v7
* chore: update express
* docs: changeset
* chore: update lockfile
---
 .changeset/late-suits-worry.md | 7 +
 packages-backend/express/package.json | 8 +-
 packages-backend/express/src/auth.ts | 7 +-
 packages-backend/loggers/package.json | 2 +-
 packages/mc-dev-authentication/package.json | 2 +-
 yarn.lock | 280 +++++++++++++++-----
 6 files changed, 235 insertions(+), 71 deletions(-)
 create mode 100644 .changeset/late-suits-worry.md
diff --git a/.changeset/late-suits-worry.md b/.changeset/late-suits-worry.md
new file mode 100644
index 0000000000..a5e1b3f3d4
--- /dev/null
+++ b/.changeset/late-suits-worry.md
@@ -0,0 +1,7 @@
+---
+'@commercetools-backend/express': patch
+'@commercetools-backend/loggers': patch
+'@commercetools-frontend/mc-dev-authentication': patch
+---
+
+Update `express` and `express-jwt` packages
diff --git a/packages-backend/express/package.json b/packages-backend/express/package.json
index 2525bdd98e..b8c6dcfbd9 100644
--- a/packages-backend/express/package.json
+++ b/packages-backend/express/package.json
@@ -21,11 +21,13 @@
 "@babel/runtime": "^7.17.9",
 "@babel/runtime-corejs3": "^7.17.9",
 "@types/node": "16.11.26",
- "express": "4.17.3",
- "express-jwt": "6.1.1",
- "jwks-rsa": "2.0.5"
+ "express": "4.18.1",
+ "express-jwt": "7.7.0",
+ "jwks-rsa": "2.1.1"
 },
 "devDependencies": {
+ "@types/express-unless": "^0.5.3",
+ "@types/jsonwebtoken": "^8.5.8",
 "jose": "2.0.5",
 "msw": "0.39.2"
 }
diff --git a/packages-backend/express/src/auth.ts b/packages-backend/express/src/auth.ts
index 508edd0f28..255204c86d 100644
--- a/packages-backend/express/src/auth.ts
+++ b/packages-backend/express/src/auth.ts
@@ -5,7 +5,10 @@ import type {
 } from './types';
 import jwksRsa from 'jwks-rsa';
-import expressJwtMiddleware from 'express-jwt';
+import {
+ expressjwt as expressJwtMiddleware,
+ type GetVerificationKey,
+} from 'express-jwt';
 import {
 CLOUD_IDENTIFIERS,
 MC_API_URLS,
@@ -179,7 +182,7 @@ function createSessionAuthVerifier(
 ...(options.jwks || {}),
 // This should be set by the middleware, no matter what.
 jwksUri: `${issuer}/.well-known/jwks.json`,
- }),
+ }) as GetVerificationKey,
 requestProperty: decodedTokenKey,
 // Validate the audience and the issuer.
 audience,
diff --git a/packages-backend/loggers/package.json b/packages-backend/loggers/package.json
index 9254a9848d..7b2d2a7364 100644
--- a/packages-backend/loggers/package.json
+++ b/packages-backend/loggers/package.json
@@ -37,6 +37,6 @@
 "winston": "3.7.2"
 },
 "devDependencies": {
- "express": "4.17.3"
+ "express": "4.18.1"
 }
 }
diff --git a/packages/mc-dev-authentication/package.json b/packages/mc-dev-authentication/package.json
index dbcceda4c9..8b7db60c43 100644
--- a/packages/mc-dev-authentication/package.json
+++ b/packages/mc-dev-authentication/package.json
@@ -30,7 +30,7 @@
 "devDependencies": {
 "@commercetools-frontend/application-config": "21.5.0",
 "@tsconfig/node14": "^1.0.1",
- "express": "4.17.3"
+ "express": "4.18.1"
 },
 "engines": {
 "node": ">=14"
diff --git a/yarn.lock b/yarn.lock
index fa1e8d1743..9a5e241fa0 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2400,11 +2400,13 @@ __metadata: dependencies: "@babel/runtime": ^7.17.9 "@babel/runtime-corejs3": ^7.17.9 + "@types/express-unless": ^0.5.3 + "@types/jsonwebtoken": ^8.5.8 "@types/node": 16.11.26 - express: 4.17.3 - express-jwt: 6.1.1 + express: 4.18.1 + express-jwt: 7.7.0 jose: 2.0.5 - jwks-rsa: 2.0.5 + jwks-rsa: 2.1.1 msw: 0.39.2 languageName: unknown linkType: soft 
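Review bot: The `as GetVerificationKey` assertion on the return of `jwksRsa.expressJwtSecret(...)` in the second auth.ts hunk silences the checker instead of proving that the key getter jwks-rsa 2.1.1 produces matches the async `(req, token) => Promise<Secret>` shape express-jwt v7 expects; if the two types already agree the cast is redundant, and if they do not, the cast hides a real signature mismatch that would only show up at request time as every token failing verification. Prefer a declaration the compiler validates, e.g. `const secret: GetVerificationKey = jwksRsa.expressJwtSecret({ ... });` and pass `secret,` into the middleware options, or keep the cast with a one-line comment naming the jwks-rsa/express-jwt type pair it bridges so the next upgrade knows why it is there. createSessionAuthVerifier begins and ends outside the hunk, so it cannot be seen here whether `algorithms` is still pinned in the same options object as `audience` and `issuer`; express-jwt v7 still requires it and uses it to reject tokens whose header `alg` is not in the allow-list, so it is worth confirming in the full diff that the option survived the migration.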
@@ -2417,7 +2419,7 @@ __metadata: "@babel/runtime-corejs3": ^7.17.9 "@sentry/node": 6.19.6 "@types/triple-beam": 1.3.2 - express: 4.17.3 + express: 4.18.1 express-winston: 4.2.0 fast-safe-stringify: 2.1.1 lodash: 4.17.21 @@ -3026,7 +3028,7 @@ __metadata: "@babel/runtime-corejs3": ^7.17.9 "@commercetools-frontend/application-config": 21.5.0 "@tsconfig/node14": ^1.0.1 - express: 4.17.3 + express: 4.18.1 languageName: unknown linkType: soft @@ -9474,16 +9476,6 @@ __metadata: languageName: node linkType: hard -"@types/express-jwt@npm:0.0.42": - version: 0.0.42 - resolution: "@types/express-jwt@npm:0.0.42" - dependencies: - "@types/express": "*" - "@types/express-unless": "*" - checksum: b69148367b40c74876e77438a7a2449d3478d222a6094bce008308cf87ea43dcce5d74ebaef5d28bb224b0f0dd695bcf25a634a69d3c186575458eb1a1a6e4f8 - languageName: node - linkType: hard - "@types/express-serve-static-core@npm:*, @types/express-serve-static-core@npm:^4.17.18": version: 4.17.28 resolution: "@types/express-serve-static-core@npm:4.17.28" @@ -9495,12 +9487,12 @@ __metadata: languageName: node linkType: hard -"@types/express-unless@npm:*": - version: 0.5.2 - resolution: "@types/express-unless@npm:0.5.2" +"@types/express-unless@npm:^0.5.3": + version: 0.5.3 + resolution: "@types/express-unless@npm:0.5.3" dependencies: "@types/express": "*" - checksum: 31446f1871e29fb3c576f909c3770e167ac219f9dde94c82c236fe0da45f97bd509fd9dc8bb302caaf5b9b41589b0cb27b53309c8b8459b3904b0e3c98f215f7 + checksum: 5c76425ff7490123f3c072c942ae6d18bb3cbf91d5d9857c52fca1f9a3d11b72413dbfb3e4af28fdd7f745d1a443f90daadbcf7daff714d608eef10bd7c8763c languageName: node linkType: hard @@ -9726,7 +9718,7 @@ __metadata: languageName: node linkType: hard -"@types/jsonwebtoken@npm:^8.5.0": +"@types/jsonwebtoken@npm:^8.5.0, @types/jsonwebtoken@npm:^8.5.8": version: 8.5.8 resolution: "@types/jsonwebtoken@npm:8.5.8" dependencies: 
@@ -11670,7 +11662,7 @@ __metadata: languageName: node linkType: hard -"async@npm:1.5.2, async@npm:^1.5.0": +"async@npm:1.5.2": version: 1.5.2 resolution: "async@npm:1.5.2" checksum: fe5d6214d8f15bd51eee5ae8ec5079b228b86d2d595f47b16369dec2e11b3ff75a567bb5f70d12d79006665fbbb7ee0a7ec0e388524eefd454ecbe651c124ebd @@ -12425,6 +12417,26 @@ __metadata: languageName: node linkType: hard +"body-parser@npm:1.20.0": + version: 1.20.0 + resolution: "body-parser@npm:1.20.0" + dependencies: + bytes: 3.1.2 + content-type: ~1.0.4 + debug: 2.6.9 + depd: 2.0.0 + destroy: 1.2.0 + http-errors: 2.0.0 + iconv-lite: 0.4.24 + on-finished: 2.4.1 + qs: 6.10.3 + raw-body: 2.5.1 + type-is: ~1.6.18 + unpipe: 1.0.0 + checksum: 12fffdeac82fe20dddcab7074215d5156e7d02a69ae90cbe9fee1ca3efa2f28ef52097cbea76685ee0a1509c71d85abd0056a08e612c09077cad6277a644cf88 + languageName: node + linkType: hard + "bonjour-service@npm:^1.0.11": version: 1.0.11 resolution: "bonjour-service@npm:1.0.11" @@ -13991,6 +14003,13 @@ __metadata: languageName: node linkType: hard +"cookie@npm:0.5.0": + version: 0.5.0 + resolution: "cookie@npm:0.5.0" + checksum: 1f4bd2ca5765f8c9689a7e8954183f5332139eb72b6ff783d8947032ec1fdf43109852c178e21a953a30c0dd42257828185be01b49d1eb1a67fd054ca588a180 + languageName: node + linkType: hard + "copy-descriptor@npm:^0.1.0": version: 0.1.1 resolution: "copy-descriptor@npm:0.1.1" @@ -15790,6 +15809,13 @@ __metadata: languageName: node linkType: hard +"depd@npm:2.0.0": + version: 2.0.0 + resolution: "depd@npm:2.0.0" + checksum: abbe19c768c97ee2eed6282d8ce3031126662252c58d711f646921c9623f9052e3e1906443066beec1095832f534e57c523b7333f8e7e0d93051ab6baef5ab3a + languageName: node + linkType: hard + "depd@npm:^1.1.2, depd@npm:~1.1.2": version: 1.1.2 resolution: "depd@npm:1.1.2" 
@@ -15818,6 +15844,13 @@ __metadata: languageName: node linkType: hard +"destroy@npm:1.2.0": + version: 1.2.0 + resolution: "destroy@npm:1.2.0" + checksum: 0acb300b7478a08b92d810ab229d5afe0d2f4399272045ab22affa0d99dbaf12637659411530a6fcd597a9bdac718fc94373a61a95b4651bbc7b83684a565e38 + languageName: node + linkType: hard + "destroy@npm:~1.0.4": version: 1.0.4 resolution: "destroy@npm:1.0.4" @@ -17804,15 +17837,13 @@ __metadata: languageName: node linkType: hard -"express-jwt@npm:6.1.1": - version: 6.1.1 - resolution: "express-jwt@npm:6.1.1" +"express-jwt@npm:7.7.0": + version: 7.7.0 + resolution: "express-jwt@npm:7.7.0" dependencies: - async: ^1.5.0 express-unless: ^1.0.0 - jsonwebtoken: ^8.1.0 - lodash: ^4.17.21 - checksum: 91b3da4c2bb080a2c3d125327a492f6f2b90a55c3b0fbdf51c78e979b636a6c94cb73fd2dbcebbdd5eedd9dcfe858f2b4ea4ce9c1285e60547f246546d31d9c1 + jsonwebtoken: ^8.5.1 + checksum: 05a52eed40944d05d60e4fa3d1451f002a92065325373f23480d1295297156e274b16f0330bed595a5d723296b23ba7fd8839bc630285f67e288b4be8cad6f7d languageName: node linkType: hard 
@@ -17835,41 +17866,42 @@ __metadata: languageName: node linkType: hard -"express@npm:4.17.3, express@npm:^4.17.3": - version: 4.17.3 - resolution: "express@npm:4.17.3" +"express@npm:4.18.1": + version: 4.18.1 + resolution: "express@npm:4.18.1" dependencies: accepts: ~1.3.8 array-flatten: 1.1.1 - body-parser: 1.19.2 + body-parser: 1.20.0 content-disposition: 0.5.4 content-type: ~1.0.4 - cookie: 0.4.2 + cookie: 0.5.0 cookie-signature: 1.0.6 debug: 2.6.9 - depd: ~1.1.2 + depd: 2.0.0 encodeurl: ~1.0.2 escape-html: ~1.0.3 etag: ~1.8.1 - finalhandler: ~1.1.2 + finalhandler: 1.2.0 fresh: 0.5.2 + http-errors: 2.0.0 merge-descriptors: 1.0.1 methods: ~1.1.2 - on-finished: ~2.3.0 + on-finished: 2.4.1 parseurl: ~1.3.3 path-to-regexp: 0.1.7 proxy-addr: ~2.0.7 - qs: 6.9.7 + qs: 6.10.3 range-parser: ~1.2.1 safe-buffer: 5.2.1 - send: 0.17.2 - serve-static: 1.14.2 + send: 0.18.0 + serve-static: 1.15.0 setprototypeof: 1.2.0 - statuses: ~1.5.0 + statuses: 2.0.1 type-is: ~1.6.18 utils-merge: 1.0.1 vary: ~1.1.2 - checksum: 967e53b74a37eafdf9789b9938c8df86102928b4985b1ad5e385c709deeab405a364de95ca744bc2cc5d05b5d9cc1efc69ae2ae17688a462038648d5a924bfad + checksum: c3d44c92e48226ef32ec978becfedb0ecf0ca21316bfd33674b3c5d20459840584f2325726a4f17f33d9c99f769636f728982d1c5433a5b6fe6eb95b8cf0c854 languageName: node linkType: hard 
@@ -17911,6 +17943,44 @@ __metadata: languageName: node linkType: hard +"express@npm:^4.17.3": + version: 4.17.3 + resolution: "express@npm:4.17.3" + dependencies: + accepts: ~1.3.8 + array-flatten: 1.1.1 + body-parser: 1.19.2 + content-disposition: 0.5.4 + content-type: ~1.0.4 + cookie: 0.4.2 + cookie-signature: 1.0.6 + debug: 2.6.9 + depd: ~1.1.2 + encodeurl: ~1.0.2 + escape-html: ~1.0.3 + etag: ~1.8.1 + finalhandler: ~1.1.2 + fresh: 0.5.2 + merge-descriptors: 1.0.1 + methods: ~1.1.2 + on-finished: ~2.3.0 + parseurl: ~1.3.3 + path-to-regexp: 0.1.7 + proxy-addr: ~2.0.7 + qs: 6.9.7 + range-parser: ~1.2.1 + safe-buffer: 5.2.1 + send: 0.17.2 + serve-static: 1.14.2 + setprototypeof: 1.2.0 + statuses: ~1.5.0 + type-is: ~1.6.18 + utils-merge: 1.0.1 + vary: ~1.1.2 + checksum: 967e53b74a37eafdf9789b9938c8df86102928b4985b1ad5e385c709deeab405a364de95ca744bc2cc5d05b5d9cc1efc69ae2ae17688a462038648d5a924bfad + languageName: node + linkType: hard + "ext@npm:^1.1.2": version: 1.6.0 resolution: "ext@npm:1.6.0" @@ -18351,6 +18421,21 @@ __metadata: languageName: node linkType: hard +"finalhandler@npm:1.2.0": + version: 1.2.0 + resolution: "finalhandler@npm:1.2.0" + dependencies: + debug: 2.6.9 + encodeurl: ~1.0.2 + escape-html: ~1.0.3 + on-finished: 2.4.1 + parseurl: ~1.3.3 + statuses: 2.0.1 + unpipe: ~1.0.0 + checksum: 92effbfd32e22a7dff2994acedbd9bcc3aa646a3e919ea6a53238090e87097f8ef07cced90aa2cc421abdf993aefbdd5b00104d55c7c5479a8d00ed105b45716 + languageName: node + linkType: hard + "finalhandler@npm:~1.1.2": version: 1.1.2 resolution: "finalhandler@npm:1.1.2" 
@@ -21081,6 +21166,19 @@ __metadata: languageName: node linkType: hard +"http-errors@npm:2.0.0": + version: 2.0.0 + resolution: "http-errors@npm:2.0.0" + dependencies: + depd: 2.0.0 + inherits: 2.0.4 + setprototypeof: 1.2.0 + statuses: 2.0.1 + toidentifier: 1.0.1 + checksum: 9b0a3782665c52ce9dc658a0d1560bcb0214ba5699e4ea15aefb2a496e2ca83db03ebc42e1cce4ac1f413e4e0d2d736a3fd755772c556a9a06853ba2a0b7d920 + languageName: node + linkType: hard + "http-errors@npm:~1.6.2": version: 1.6.3 resolution: "http-errors@npm:1.6.3" @@ -23827,7 +23925,7 @@ __metadata: languageName: node linkType: hard -"jsonwebtoken@npm:^8.1.0, jsonwebtoken@npm:^8.5.1": +"jsonwebtoken@npm:^8.5.1": version: 8.5.1 resolution: "jsonwebtoken@npm:8.5.1" dependencies: @@ -23890,16 +23988,16 @@ __metadata: languageName: node linkType: hard -"jwks-rsa@npm:2.0.5": - version: 2.0.5 - resolution: "jwks-rsa@npm:2.0.5" +"jwks-rsa@npm:2.1.1": + version: 2.1.1 + resolution: "jwks-rsa@npm:2.1.1" dependencies: - "@types/express-jwt": 0.0.42 - debug: ^4.3.2 + "@types/express": ^4.17.13 + debug: ^4.3.4 jose: ^2.0.5 limiter: ^1.1.5 lru-memoizer: ^2.1.4 - checksum: c96d66f16971952826d81299ef027144761b5982e622d17994f57ab76d677fbfd1b4660d8e1bf48a9a92bfb3ab949e35d60a3894cca93b69161daa196acd8942 + checksum: d856e51596e148064e70f74d111392bab037f432ee258a927e399c0f04b6b2c4504ae7f2aef5101089e965c54fa17447d9287a5bd1e63a54f492e9ff74cf0ba9 languageName: node linkType: hard @@ -26983,6 +27081,15 @@ __metadata: languageName: node linkType: hard +"on-finished@npm:2.4.1": + version: 2.4.1 + resolution: "on-finished@npm:2.4.1" + dependencies: + ee-first: 1.1.1 + checksum: d20929a25e7f0bb62f937a425b5edeb4e4cde0540d77ba146ec9357f00b0d497cdb3b9b05b9c8e46222407d1548d08166bff69cc56dfa55ba0e4469228920ff0 + languageName: node + linkType: hard + "on-finished@npm:^2.3.0, on-finished@npm:~2.3.0": version: 2.3.0 resolution: "on-finished@npm:2.3.0" 
@@ -29081,6 +29188,15 @@ __metadata: languageName: node linkType: hard +"qs@npm:6.10.3, qs@npm:^6.9.4": + version: 6.10.3 + resolution: "qs@npm:6.10.3" + dependencies: + side-channel: ^1.0.4 + checksum: 0fac5e6c7191d0295a96d0e83c851aeb015df7e990e4d3b093897d3ac6c94e555dbd0a599739c84d7fa46d7fee282d94ba76943983935cf33bba6769539b8019 + languageName: node + linkType: hard + "qs@npm:6.9.6": version: 6.9.6 resolution: "qs@npm:6.9.6" @@ -29095,15 +29211,6 @@ __metadata: languageName: node linkType: hard -"qs@npm:^6.9.4": - version: 6.10.3 - resolution: "qs@npm:6.10.3" - dependencies: - side-channel: ^1.0.4 - checksum: 0fac5e6c7191d0295a96d0e83c851aeb015df7e990e4d3b093897d3ac6c94e555dbd0a599739c84d7fa46d7fee282d94ba76943983935cf33bba6769539b8019 - languageName: node - linkType: hard - "qs@npm:~6.5.2": version: 6.5.3 resolution: "qs@npm:6.5.3" @@ -29244,6 +29351,18 @@ __metadata: languageName: node linkType: hard +"raw-body@npm:2.5.1": + version: 2.5.1 + resolution: "raw-body@npm:2.5.1" + dependencies: + bytes: 3.1.2 + http-errors: 2.0.0 + iconv-lite: 0.4.24 + unpipe: 1.0.0 + checksum: 5362adff1575d691bb3f75998803a0ffed8c64eabeaa06e54b4ada25a0cd1b2ae7f4f5ec46565d1bec337e08b5ac90c76eaa0758de6f72a633f025d754dec29e + languageName: node + linkType: hard + "raw-loader@npm:4.0.2, raw-loader@npm:^4.0.2": version: 4.0.2 resolution: "raw-loader@npm:4.0.2" 
@@ -31024,6 +31143,27 @@ __metadata: languageName: node linkType: hard +"send@npm:0.18.0": + version: 0.18.0 + resolution: "send@npm:0.18.0" + dependencies: + debug: 2.6.9 + depd: 2.0.0 + destroy: 1.2.0 + encodeurl: ~1.0.2 + escape-html: ~1.0.3 + etag: ~1.8.1 + fresh: 0.5.2 + http-errors: 2.0.0 + mime: 1.6.0 + ms: 2.1.3 + on-finished: 2.4.1 + range-parser: ~1.2.1 + statuses: 2.0.1 + checksum: 74fc07ebb58566b87b078ec63e5a3e41ecd987e4272ba67b7467e86c6ad51bc6b0b0154133b6d8b08a2ddda360464f71382f7ef864700f34844a76c8027817a8 + languageName: node + linkType: hard + "sentence-case@npm:^2.1.0": version: 2.1.1 resolution: "sentence-case@npm:2.1.1" @@ -31126,6 +31266,18 @@ __metadata: languageName: node linkType: hard +"serve-static@npm:1.15.0": + version: 1.15.0 + resolution: "serve-static@npm:1.15.0" + dependencies: + encodeurl: ~1.0.2 + escape-html: ~1.0.3 + parseurl: ~1.3.3 + send: 0.18.0 + checksum: af57fc13be40d90a12562e98c0b7855cf6e8bd4c107fe9a45c212bf023058d54a1871b1c89511c3958f70626fff47faeb795f5d83f8cf88514dbaeb2b724464d + languageName: node + linkType: hard + "server-destroy@npm:^1.0.1": version: 1.0.1 resolution: "server-destroy@npm:1.0.1" @@ -31969,6 +32121,13 @@ __metadata: languageName: node linkType: hard +"statuses@npm:2.0.1, statuses@npm:^2.0.0": + version: 2.0.1 + resolution: "statuses@npm:2.0.1" + checksum: 18c7623fdb8f646fb213ca4051be4df7efb3484d4ab662937ca6fbef7ced9b9e12842709872eb3020cc3504b93bde88935c9f6417489627a7786f24f8031cbcb + languageName: node + linkType: hard + "statuses@npm:>= 1.4.0 < 2, statuses@npm:>= 1.5.0 < 2, statuses@npm:~1.5.0": version: 1.5.0 resolution: "statuses@npm:1.5.0" 
@@ -31976,13 +32135,6 @@ __metadata: languageName: node linkType: hard -"statuses@npm:^2.0.0": - version: 2.0.1 - resolution: "statuses@npm:2.0.1" - checksum: 18c7623fdb8f646fb213ca4051be4df7efb3484d4ab662937ca6fbef7ced9b9e12842709872eb3020cc3504b93bde88935c9f6417489627a7786f24f8031cbcb - languageName: node - linkType: hard - "std-env@npm:^3.0.1": version: 3.0.1 resolution: "std-env@npm:3.0.1"