Fix premature redirect when used with express-session #680
Conversation
|
Is Passport not being maintained anymore? |
|
@zypA13510 would you like to create this PR against https://github.com/passport-next/passport and I'll take a look. |
|
@jaredhanson Since this is neither closed nor commented, unlike #686, I take it that you would consider this if the checklist items are finished? |
|
@zypA13510 this isn't maintained anymore, if you make a PR against the fork I'll look at it. |
|
@rwky PR created. But you know, I'm reluctant to do this because it is a middleware I used that use passport. I'm not using passport directly. So even if you are able to fix this in your fork, the middleware has to switch the dependency to your fork for this to work (probably never happen). |
|
@zypA13510 is the middleware on github? |
|
@zypA13510 I created a PR okta/okta-oidc-js#250 in that repo which switches to the fork. |
Are you implementing a new feature?
I'm not sure if you will call this "a new feature", it will solve a lot of issues involving
express-sessionnot saving the session in time before redirects happen, by callingreq.session.save().Is this a security patch?
No
Detail
By calling
req.session.save()beforeres.redirect(), it ensures the session is properly stored in the session store, avoiding issues like #306, #401, #477, #482 (and possibly #254, #314, #521). To ensure compatibility, the code will checkreq.session.save && typeof req.session.save == 'function'before callingreq.session.save(). Reference: expressjs/session#74Note
As I only tested this with
express,express-sessionand a specific session store forexpress-session, I'm not sure if this would cause issue with Connect or other middlewares. A more thorough test is probably required.Checklist
$ make test) executes successfully.$ make lint) executes successfully.