Release 2.2.0

**Added** - afterCallback Hook [#168](#168) ([davidpatrick](https://github.com/davidpatrick)) **Changed** - Move transient cookies into single cookie [#171](#171) ([davidpatrick](https://github.com/davidpatrick))
auth0 · Jan 14, 2021 · f60ea02 · f60ea02
1 parent ac45cdd
commit f60ea02
Show file tree

Hide file tree

Showing 6 changed files with 59 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,14 @@
 # CHANGELOG
 
+## [2.2.0](https://github.com/auth0/express-openid-connect/tree/v2.2.0) (2021-01-14)
+[Full Changelog](https://github.com/auth0/express-openid-connect/compare/v2.1.0...v2.2.0)
+
+**Added**
+- afterCallback Hook [#168](https://github.com/auth0/express-openid-connect/pull/168) ([davidpatrick](https://github.com/davidpatrick))
+
+**Changed**
+- Move transient cookies into single cookie [#171](https://github.com/auth0/express-openid-connect/pull/171) ([davidpatrick](https://github.com/davidpatrick))
+
 ## [2.1.0](https://github.com/auth0/express-openid-connect/tree/v2.1.0) (2020-12-15)
 [Full Changelog](https://github.com/auth0/express-openid-connect/compare/v2.0.0...v2.1.0)
 

diff --git a/EXAMPLES.md b/EXAMPLES.md
@@ -215,4 +215,23 @@ app.use(
     // auth0Logout: true // if using custom domain with Auth0
   })
 );
+```
+
+## 8. Validate Claims from an ID token before logging a user in
+
+The `afterCallback` hook can be used to do validation checks on claims after the ID token has been received in the callback phase.
+
+```js
+app.use(
+  auth({
+    afterCallback: (req, res, session) => {
+      const claims = jose.JWT.decode(session.id_token); // using jose library to decode JWT
+      if (claims.org_id !== 'Required Organization') {
+        throw new Error('User is not a part of the Required Organization');
+      }
+      return session;
+    }
+  })
+);
+
 ```
diff --git a/examples/validate_claims.js b/examples/validate_claims.js
@@ -0,0 +1,28 @@
+const express = require('express');
+const jose = require('jose');
+const { auth } = require('../');
+
+const app = express();
+
+app.use(
+  auth({
+    authorizationParams: {
+      response_type: 'code id_token',
+    },
+    afterCallback: (req, res, session) => {
+      const claims = jose.JWT.decode(session.id_token); 
+
+      if (claims.org_id !== 'Required Organization') {
+        throw new Error('User is not a part of the Required Organization');
+      }
+      return session;
+    }
+  })
+);
+
+app.get('/', async (req, res) => {
+  const userInfo = await req.oidc.fetchUserInfo();
+  res.send(`hello ${userInfo.sub}`);
+});
+
+module.exports = app;
diff --git a/middleware/auth.js b/middleware/auth.js
@@ -104,6 +104,7 @@ module.exports = function (params) {
           }
 
           if (config.afterCallback) {
+            session = Object.assign({}, session); // serializes session
             session = await config.afterCallback(req, res, session, req.openidState); 
           }
 

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "express-openid-connect",
-  "version": "2.1.0",
+  "version": "2.2.0",
   "description": "Express middleware to protect web applications using OpenID Connect.",
   "homepage": "https://github.com/auth0/express-openid-connect",
   "license": "MIT",