Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(security): upgrade express-jwt to v8.4.1 #2231

Closed
petermetz opened this issue Dec 8, 2022 · 1 comment · Fixed by #2346
Closed

fix(security): upgrade express-jwt to v8.4.1 #2231

petermetz opened this issue Dec 8, 2022 · 1 comment · Fixed by #2346
Assignees
Labels
bug Something isn't working dependencies Pull requests that update a dependency file good-first-issue Good for newcomers good-first-issue-400-expert Hacktoberfest Hacktoberfest participants are welcome to take a stab at issues marked with this label. P1 Priority 1: Highest Security Related to existing or potential security vulnerabilities

Comments

@petermetz
Copy link
Contributor

petermetz commented Dec 8, 2022

Description

Depends on auth0/express-jwt#308

The upgrade is needed due to cascading dependencies of which the root is vulnerabilities in other dependencies of other packages.
More info: #2228

@petermetz petermetz added bug Something isn't working good-first-issue Good for newcomers dependencies Pull requests that update a dependency file Security Related to existing or potential security vulnerabilities Hacktoberfest Hacktoberfest participants are welcome to take a stab at issues marked with this label. good-first-issue-400-expert P1 Priority 1: Highest labels Dec 8, 2022
@petermetz petermetz self-assigned this Dec 8, 2022
petermetz added a commit to petermetz/cacti that referenced this issue Dec 9, 2022
- WORK IN PROGRESS
- BUILD IS BROKEN AT THE MOMENT

Fixes hyperledger-cacti#2231
@petermetz petermetz changed the title fix(security): upgrade express-jwt to v7.7.7 fix(security): upgrade express-jwt to v8.4.1 Mar 24, 2023
@github-actions
Copy link

This PR/issue depends on:

petermetz added a commit to petermetz/cacti that referenced this issue Mar 25, 2023
Fixes/changes that needed to be done in order to make the upgrade work:
1. The HTTP verbs for exempted endpoints are now specified both as
lowercase and uppercase meaning that if a specific endpoint is configured
to be exempt from JWT authorization then it's method will be specified
twice, once as 'POST' and once as 'post' because the underlying library
(which is called express-unless) does not have the ability to handle
verbs in a case insensitive way.

2. In the registerWebServiceEndpoint function, the configuration of the
express-jwt-authz library had to be changed because the scope enforcement
was broken due to express-jwt changing the default request property
where it places the decoded JWT payload from `"user"` to `"auth"` and
this made it incompatible by default with the behavior of express-jwt-authz
Luckily there is a parameter to set the request property name and that is
now being specified explicitly as `"auth"` so that they are playing nice
with each other once again and the authorization's scope based access
control works just fine.

Fixes hyperledger-cacti#2231

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit to petermetz/cacti that referenced this issue Apr 4, 2023
Fixes/changes that needed to be done in order to make the upgrade work:
1. The HTTP verbs for exempted endpoints are now specified both as
lowercase and uppercase meaning that if a specific endpoint is configured
to be exempt from JWT authorization then it's method will be specified
twice, once as 'POST' and once as 'post' because the underlying library
(which is called express-unless) does not have the ability to handle
verbs in a case insensitive way.

2. In the registerWebServiceEndpoint function, the configuration of the
express-jwt-authz library had to be changed because the scope enforcement
was broken due to express-jwt changing the default request property
where it places the decoded JWT payload from `"user"` to `"auth"` and
this made it incompatible by default with the behavior of express-jwt-authz
Luckily there is a parameter to set the request property name and that is
now being specified explicitly as `"auth"` so that they are playing nice
with each other once again and the authorization's scope based access
control works just fine.

Fixes hyperledger-cacti#2231

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working dependencies Pull requests that update a dependency file good-first-issue Good for newcomers good-first-issue-400-expert Hacktoberfest Hacktoberfest participants are welcome to take a stab at issues marked with this label. P1 Priority 1: Highest Security Related to existing or potential security vulnerabilities
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant