Skip to content

Commit

Permalink
fix(security): upgrade express-jwt to v7.7.7
Browse files Browse the repository at this point in the history
- WORK IN PROGRESS
- BUILD IS BROKEN AT THE MOMENT

Fixes hyperledger-cacti#2231
  • Loading branch information
petermetz committed Dec 9, 2022
1 parent 795ee6b commit ea2483f
Show file tree
Hide file tree
Showing 5 changed files with 32 additions and 40 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,7 @@
},
"devDependencies": {
"@types/express": "4.17.13",
"@types/express-jwt": "6.0.2",
"@types/express-jwt": "7.4.2",
"@types/fs-extra": "9.0.12",
"@types/uuid": "8.3.1",
"hardhat": "2.6.0",
Expand Down
4 changes: 2 additions & 2 deletions packages/cactus-cmd-api-server/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,7 @@
"cors": "2.8.5",
"express": "4.17.1",
"express-http-proxy": "1.6.2",
"express-jwt": "6.0.0",
"express-jwt": "7.7.7",
"express-openapi-validator": "4.12.12",
"express-rate-limit": "6.3.0",
"fs-extra": "10.0.0",
Expand All @@ -97,7 +97,7 @@
"@types/cors": "2.8.12",
"@types/express": "4.17.13",
"@types/express-http-proxy": "1.6.2",
"@types/express-jwt": "6.0.2",
"@types/express-jwt": "7.4.2",
"@types/google-protobuf": "3.15.5",
"@types/jsonwebtoken": "8.5.4",
"@types/multer": "1.4.7",
Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
import { RequestHandler } from "express";
import expressJwt from "express-jwt";
import { expressjwt } from "express-jwt";
import { Optional } from "typescript-optional";

import {
Expand Down Expand Up @@ -83,7 +83,7 @@ export class AuthorizerFactory {
throw new Error(`${fnTag}: ${E_BAD_EXPRESS_JWT_OPTIONS}`);
}

const options: expressJwt.Options = {
const options: unknown = {
audience: "org.hyperledger.cactus", // default that can be overridden
...expressJwtOptions,
};
Expand All @@ -99,7 +99,7 @@ export class AuthorizerFactory {
"Exempted SocketIO path from express-jwt authorization. Using @thream/socketio-jwt instead)",
);
}
return expressJwt(options).unless({ path: unprotectedEndpoints });
return expressjwt(options).unless({ path: unprotectedEndpoints });
}

/**
Expand Down
Original file line number Diff line number Diff line change
@@ -1,8 +1,7 @@
import type { Options as ExpressJwtOptions } from "express-jwt";
import type { AuthorizeOptions as SocketIoJwtOptions } from "@thream/socketio-jwt";

export interface IAuthorizationConfig {
expressJwtOptions: ExpressJwtOptions;
expressJwtOptions: Record<string, unknown>;
socketIoJwtOptions: SocketIoJwtOptions;
unprotectedEndpointExemptions: Array<string>;
socketIoPath?: string;
Expand Down
57 changes: 25 additions & 32 deletions yarn.lock
Original file line number Diff line number Diff line change
Expand Up @@ -4481,13 +4481,12 @@
dependencies:
"@types/express" "*"

"@types/express-jwt@6.0.2":
version "6.0.2"
resolved "https://registry.yarnpkg.com/@types/express-jwt/-/express-jwt-6.0.2.tgz#15938f9a50945ccab35361227e438f98abdb713f"
integrity sha512-WDnO/0jeWyhX253TOIJHZzLE/pmXSucslKeztphjZDxim/wYDaDeDcj6/U9YAHcgFfwBu+I3Obfy+xB6/VaRcA==
"@types/express-jwt@7.4.2":
version "7.4.2"
resolved "https://registry.yarnpkg.com/@types/express-jwt/-/express-jwt-7.4.2.tgz#3367f86c856437774a1f3d73acc2597aa0cc9ab9"
integrity sha512-wb3wbD/XaWdBu9366M07Ugb3fuIiW7B2oUdnXfvUchI892eLGZ5eQqgfnVw2oNfN0dF9L2Px859DpZKPDtxzlA==
dependencies:
"@types/express" "*"
"@types/express-unless" "*"
express-jwt "*"

"@types/express-serve-static-core@*", "@types/express-serve-static-core@^4.17.18":
version "4.17.28"
Expand All @@ -4498,13 +4497,6 @@
"@types/qs" "*"
"@types/range-parser" "*"

"@types/express-unless@*":
version "0.5.3"
resolved "https://registry.yarnpkg.com/@types/express-unless/-/express-unless-0.5.3.tgz#271f8603617445568ed0d6efe25a7d2f338544c1"
integrity sha512-TyPLQaF6w8UlWdv4gj8i46B+INBVzURBNRahCozCSXfsK2VTlL1wNyTlMKw817VHygBtlcl5jfnPadlydr06Yw==
dependencies:
"@types/express" "*"

"@types/express@*", "@types/[email protected]":
version "4.17.13"
resolved "https://registry.yarnpkg.com/@types/express/-/express-4.17.13.tgz#a76e2995728999bab51a33fabce1d705a3709034"
Expand Down Expand Up @@ -4655,6 +4647,13 @@
dependencies:
"@types/node" "*"

"@types/jsonwebtoken@^8.5.8":
version "8.5.9"
resolved "https://registry.yarnpkg.com/@types/jsonwebtoken/-/jsonwebtoken-8.5.9.tgz#2c064ecb0b3128d837d2764aa0b117b0ff6e4586"
integrity sha512-272FMnFGzAVMGtu9tkr29hRL6bZj4Zs1KZNeHLnKqAvp06tAIcarTMwOh8/8bz4FmKRcMxZhZNeUAQsNLoiPhg==
dependencies:
"@types/node" "*"

"@types/[email protected]":
version "8.0.13"
resolved "https://registry.yarnpkg.com/@types/jsrsasign/-/jsrsasign-8.0.13.tgz#770c1e429107dfb0cc4f5b78b472584511a55a28"
Expand Down Expand Up @@ -6098,7 +6097,7 @@ async-limiter@~1.0.0:
resolved "https://registry.yarnpkg.com/async-limiter/-/async-limiter-1.0.1.tgz#dd379e94f0db8310b08291f9d64c3209766617fd"
integrity sha512-csOlWGAcRFJaI6m+F2WKdnMKr4HhdhFVBk0H/QbJFMCr+uO2kwohwXQPxw/9OCxp05r5ghVBFSyioixx3gfkNQ==

async@^1.4.0, async@^1.5.0, async@^1.5.2:
async@^1.4.0, async@^1.5.2:
version "1.5.2"
resolved "https://registry.yarnpkg.com/async/-/async-1.5.2.tgz#ec6a61ae56480c0c3cb241c95618e20892f9672a"
integrity sha1-7GphrlZIDAw8skHJVhjiCJL5Zyo=
Expand Down Expand Up @@ -10715,15 +10714,14 @@ [email protected]:
resolved "https://registry.yarnpkg.com/express-jwt-authz/-/express-jwt-authz-2.4.1.tgz#405b303b3479ad3e862878ac0c08be191040c8e5"
integrity sha512-ruH86e2NvWicG9maStztyAyBJV0E8RsInXUm6Kuc/9pDtVJmJw3qigv1MEVs5bH+aksZuxocYZdz+N1V/9F+Dg==

express-jwt@6.0.0:
version "6.0.0"
resolved "https://registry.yarnpkg.com/express-jwt/-/express-jwt-6.0.0.tgz#20886c730983ffb1c706a4383235df86eff349b8"
integrity sha512-C26y9myRjx7CyhZ+BAT3p+gQyRCoDZ7qo8plCvLDaRT6je6ALIAQknT6XLVQGFKwIy/Ux7lvM2MNap5dt0T7gA==
express-jwt@*, [email protected]:
version "7.7.7"
resolved "https://registry.yarnpkg.com/express-jwt/-/express-jwt-7.7.7.tgz#b0400a8c759aba0774d84459e1d2eea7e9869d40"
integrity sha512-7s04HZ7sAahx7lwKU5AInhVon1kWVitRFxd7cGUKQaLDOQJsAQjB/OEBXaN0GS22RBgX75TjOJXGY7myQmVz5A==
dependencies:
async "^1.5.0"
express-unless "^0.3.0"
jsonwebtoken "^8.1.0"
lodash.set "^4.0.0"
"@types/jsonwebtoken" "^8.5.8"
express-unless "^2.1.3"
jsonwebtoken "^8.5.1"

[email protected]:
version "3.10.0"
Expand Down Expand Up @@ -10767,10 +10765,10 @@ [email protected]:
resolved "https://registry.yarnpkg.com/express-rate-limit/-/express-rate-limit-6.3.0.tgz#253387ce4d36c9c2cc77c7c676068deb36cc0821"
integrity sha512-932Io1VGKjM3ppi7xW9sb1J5nVkEJSUiOtHw2oE+JyHks1e+AXuOBSXbJKM0mcXwEnW1TibJibQ455Ow1YFjfg==

express-unless@^0.3.0:
version "0.3.1"
resolved "https://registry.yarnpkg.com/express-unless/-/express-unless-0.3.1.tgz#2557c146e75beb903e2d247f9b5ba01452696e20"
integrity sha1-JVfBRudb65A+LSR/m1ugFFJpbiA=
express-unless@^2.1.3:
version "2.1.3"
resolved "https://registry.yarnpkg.com/express-unless/-/express-unless-2.1.3.tgz#f951c6cca52a24da3de32d42cfd4db57bc0f9a2e"
integrity sha512-wj4tLMyCVYuIIKHGt0FhCtIViBcwzWejX0EjNxveAa6dG+0XBCQhMbx+PnkLkFCxLC69qoFrxds4pIyL88inaQ==

[email protected]:
version "4.16.4"
Expand Down Expand Up @@ -14855,7 +14853,7 @@ jsonpath@^1.0.2:
static-eval "2.0.2"
underscore "1.12.1"

[email protected], jsonwebtoken@^8.1.0, jsonwebtoken@^8.5.1:
[email protected], jsonwebtoken@^8.5.1:
version "8.5.1"
resolved "https://registry.yarnpkg.com/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz#00e71e0b8df54c2121a1f26137df2280673bcc0d"
integrity sha512-XjwVfRS6jTMsqYs0EsuJ4LGxXV14zQybNd4L2r0UvbVnSF9Af8x7p5MzbJ90Ioz/9TI41/hTCvznF/loiSzn8w==
Expand Down Expand Up @@ -15646,11 +15644,6 @@ lodash.once@^4.0.0:
resolved "https://registry.yarnpkg.com/lodash.once/-/lodash.once-4.1.1.tgz#0dd3971213c7c56df880977d504c88fb471a97ac"
integrity sha1-DdOXEhPHxW34gJd9UEyI+0cal6w=

lodash.set@^4.0.0:
version "4.3.2"
resolved "https://registry.yarnpkg.com/lodash.set/-/lodash.set-4.3.2.tgz#d8757b1da807dde24816b0d6a84bea1a76230b23"
integrity sha1-2HV7HagH3eJIFrDWqEvqGnYjCyM=

lodash.throttle@^4.1.1:
version "4.1.1"
resolved "https://registry.yarnpkg.com/lodash.throttle/-/lodash.throttle-4.1.1.tgz#c23e91b710242ac70c37f1e1cda9274cc39bf2f4"
Expand Down

0 comments on commit ea2483f

Please sign in to comment.