fix(security): upgrade express-jwt to v8.4.1 #2231
Assignees
Labels
bug
Something isn't working
dependencies
Pull requests that update a dependency file
good-first-issue
Good for newcomers
good-first-issue-400-expert
Hacktoberfest
Hacktoberfest participants are welcome to take a stab at issues marked with this label.
P1
Priority 1: Highest
Security
Related to existing or potential security vulnerabilities
Comments
petermetz
added
bug
petermetz
added a commit
to petermetz/cacti
that referenced
this issue
Dec 9, 2022
- WORK IN PROGRESS - BUILD IS BROKEN AT THE MOMENT Fixes hyperledger-cacti#2231
petermetz
changed the title
|
This PR/issue depends on:
|
petermetz
added a commit
to petermetz/cacti
that referenced
this issue
Mar 25, 2023
Fixes/changes that needed to be done in order to make the upgrade work: 1. The HTTP verbs for exempted endpoints are now specified both as lowercase and uppercase meaning that if a specific endpoint is configured to be exempt from JWT authorization then it's method will be specified twice, once as 'POST' and once as 'post' because the underlying library (which is called express-unless) does not have the ability to handle verbs in a case insensitive way. 2. In the registerWebServiceEndpoint function, the configuration of the express-jwt-authz library had to be changed because the scope enforcement was broken due to express-jwt changing the default request property where it places the decoded JWT payload from `"user"` to `"auth"` and this made it incompatible by default with the behavior of express-jwt-authz Luckily there is a parameter to set the request property name and that is now being specified explicitly as `"auth"` so that they are playing nice with each other once again and the authorization's scope based access control works just fine. Fixes hyperledger-cacti#2231 Signed-off-by: Peter Somogyvari <[email protected]>
petermetz
added a commit
to petermetz/cacti
that referenced
this issue
Apr 4, 2023
Fixes/changes that needed to be done in order to make the upgrade work: 1. The HTTP verbs for exempted endpoints are now specified both as lowercase and uppercase meaning that if a specific endpoint is configured to be exempt from JWT authorization then it's method will be specified twice, once as 'POST' and once as 'post' because the underlying library (which is called express-unless) does not have the ability to handle verbs in a case insensitive way. 2. In the registerWebServiceEndpoint function, the configuration of the express-jwt-authz library had to be changed because the scope enforcement was broken due to express-jwt changing the default request property where it places the decoded JWT payload from `"user"` to `"auth"` and this made it incompatible by default with the behavior of express-jwt-authz Luckily there is a parameter to set the request property name and that is now being specified explicitly as `"auth"` so that they are playing nice with each other once again and the authorization's scope based access control works just fine. Fixes hyperledger-cacti#2231 Signed-off-by: Peter Somogyvari <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Depends on auth0/express-jwt#308
The upgrade is needed due to cascading dependencies of which the root is vulnerabilities in other dependencies of other packages.
More info: #2228
The text was updated successfully, but these errors were encountered: