fix(security): upgrade express-jwt to v7.7.7

- WORK IN PROGRESS
- BUILD IS BROKEN AT THE MOMENT

Fixes hyperledger-cacti#2231

examples/cactus-example-carbon-accounting-backend/package.json

@@ -75,7 +75,7 @@
   },
   "devDependencies": {
     "@types/express": "4.17.13",
-    "@types/express-jwt": "6.0.2",
+    "@types/express-jwt": "7.4.2",
     "@types/fs-extra": "9.0.12",
     "@types/uuid": "8.3.1",
     "hardhat": "2.6.0",

packages/cactus-cmd-api-server/package.json

@@ -72,7 +72,7 @@
     "cors": "2.8.5",
     "express": "4.17.1",
     "express-http-proxy": "1.6.2",
-    "express-jwt": "6.0.0",
+    "express-jwt": "7.7.7",
     "express-openapi-validator": "4.12.12",
     "express-rate-limit": "6.3.0",
     "fs-extra": "10.0.0",
@@ -97,7 +97,7 @@
     "@types/cors": "2.8.12",
     "@types/express": "4.17.13",
     "@types/express-http-proxy": "1.6.2",
-    "@types/express-jwt": "6.0.2",
+    "@types/express-jwt": "7.4.2",
     "@types/google-protobuf": "3.15.5",
     "@types/jsonwebtoken": "8.5.4",
     "@types/multer": "1.4.7",

packages/cactus-cmd-api-server/src/main/typescript/authzn/authorizer-factory.ts

@@ -1,5 +1,5 @@
 import { RequestHandler } from "express";
-import expressJwt from "express-jwt";
+import { expressjwt } from "express-jwt";
 import { Optional } from "typescript-optional";
 
 import {
@@ -83,7 +83,7 @@ export class AuthorizerFactory {
       throw new Error(`${fnTag}: ${E_BAD_EXPRESS_JWT_OPTIONS}`);
     }
 
-    const options: expressJwt.Options = {
+    const options: unknown = {
       audience: "org.hyperledger.cactus", // default that can be overridden
       ...expressJwtOptions,
     };
@@ -99,7 +99,7 @@ export class AuthorizerFactory {
         "Exempted SocketIO path from express-jwt authorization. Using @thream/socketio-jwt instead)",
       );
     }
-    return expressJwt(options).unless({ path: unprotectedEndpoints });
+    return expressjwt(options).unless({ path: unprotectedEndpoints });
   }
 
   /**

packages/cactus-cmd-api-server/src/main/typescript/authzn/i-authorization-config.ts

@@ -1,8 +1,7 @@
-import type { Options as ExpressJwtOptions } from "express-jwt";
 import type { AuthorizeOptions as SocketIoJwtOptions } from "@thream/socketio-jwt";
 
 export interface IAuthorizationConfig {
-  expressJwtOptions: ExpressJwtOptions;
+  expressJwtOptions: Record<string, unknown>;
   socketIoJwtOptions: SocketIoJwtOptions;
   unprotectedEndpointExemptions: Array<string>;
   socketIoPath?: string;

yarn.lock

@@ -4481,13 +4481,12 @@
   dependencies:
     "@types/express" "*"
 
-"@types/express-jwt@6.0.2":
-  version "6.0.2"
-  resolved "https://registry.yarnpkg.com/@types/express-jwt/-/express-jwt-6.0.2.tgz#15938f9a50945ccab35361227e438f98abdb713f"
-  integrity sha512-WDnO/0jeWyhX253TOIJHZzLE/pmXSucslKeztphjZDxim/wYDaDeDcj6/U9YAHcgFfwBu+I3Obfy+xB6/VaRcA==
+"@types/express-jwt@7.4.2":
+  version "7.4.2"
+  resolved "https://registry.yarnpkg.com/@types/express-jwt/-/express-jwt-7.4.2.tgz#3367f86c856437774a1f3d73acc2597aa0cc9ab9"
+  integrity sha512-wb3wbD/XaWdBu9366M07Ugb3fuIiW7B2oUdnXfvUchI892eLGZ5eQqgfnVw2oNfN0dF9L2Px859DpZKPDtxzlA==
   dependencies:
-    "@types/express" "*"
-    "@types/express-unless" "*"
+    express-jwt "*"
 
 "@types/express-serve-static-core@*", "@types/express-serve-static-core@^4.17.18":
   version "4.17.28"
@@ -4498,13 +4497,6 @@
     "@types/qs" "*"
     "@types/range-parser" "*"
 
-"@types/express-unless@*":
-  version "0.5.3"
-  resolved "https://registry.yarnpkg.com/@types/express-unless/-/express-unless-0.5.3.tgz#271f8603617445568ed0d6efe25a7d2f338544c1"
-  integrity sha512-TyPLQaF6w8UlWdv4gj8i46B+INBVzURBNRahCozCSXfsK2VTlL1wNyTlMKw817VHygBtlcl5jfnPadlydr06Yw==
-  dependencies:
-    "@types/express" "*"
-
 "@types/express@*", "@types/express@4.17.13":
   version "4.17.13"
   resolved "https://registry.yarnpkg.com/@types/express/-/express-4.17.13.tgz#a76e2995728999bab51a33fabce1d705a3709034"
@@ -4655,6 +4647,13 @@
   dependencies:
     "@types/node" "*"
 
+"@types/jsonwebtoken@^8.5.8":
+  version "8.5.9"
+  resolved "https://registry.yarnpkg.com/@types/jsonwebtoken/-/jsonwebtoken-8.5.9.tgz#2c064ecb0b3128d837d2764aa0b117b0ff6e4586"
+  integrity sha512-272FMnFGzAVMGtu9tkr29hRL6bZj4Zs1KZNeHLnKqAvp06tAIcarTMwOh8/8bz4FmKRcMxZhZNeUAQsNLoiPhg==
+  dependencies:
+    "@types/node" "*"
+
 "@types/jsrsasign@8.0.13":
   version "8.0.13"
   resolved "https://registry.yarnpkg.com/@types/jsrsasign/-/jsrsasign-8.0.13.tgz#770c1e429107dfb0cc4f5b78b472584511a55a28"
@@ -6098,7 +6097,7 @@ async-limiter@~1.0.0:
   resolved "https://registry.yarnpkg.com/async-limiter/-/async-limiter-1.0.1.tgz#dd379e94f0db8310b08291f9d64c3209766617fd"
   integrity sha512-csOlWGAcRFJaI6m+F2WKdnMKr4HhdhFVBk0H/QbJFMCr+uO2kwohwXQPxw/9OCxp05r5ghVBFSyioixx3gfkNQ==
 
-async@^1.4.0, async@^1.5.0, async@^1.5.2:
+async@^1.4.0, async@^1.5.2:
   version "1.5.2"
   resolved "https://registry.yarnpkg.com/async/-/async-1.5.2.tgz#ec6a61ae56480c0c3cb241c95618e20892f9672a"
   integrity sha1-7GphrlZIDAw8skHJVhjiCJL5Zyo=
@@ -10715,15 +10714,14 @@ express-jwt-authz@2.4.1:
   resolved "https://registry.yarnpkg.com/express-jwt-authz/-/express-jwt-authz-2.4.1.tgz#405b303b3479ad3e862878ac0c08be191040c8e5"
   integrity sha512-ruH86e2NvWicG9maStztyAyBJV0E8RsInXUm6Kuc/9pDtVJmJw3qigv1MEVs5bH+aksZuxocYZdz+N1V/9F+Dg==
 
-express-jwt@6.0.0:
-  version "6.0.0"
-  resolved "https://registry.yarnpkg.com/express-jwt/-/express-jwt-6.0.0.tgz#20886c730983ffb1c706a4383235df86eff349b8"
-  integrity sha512-C26y9myRjx7CyhZ+BAT3p+gQyRCoDZ7qo8plCvLDaRT6je6ALIAQknT6XLVQGFKwIy/Ux7lvM2MNap5dt0T7gA==
+express-jwt@*, express-jwt@7.7.7:
+  version "7.7.7"
+  resolved "https://registry.yarnpkg.com/express-jwt/-/express-jwt-7.7.7.tgz#b0400a8c759aba0774d84459e1d2eea7e9869d40"
+  integrity sha512-7s04HZ7sAahx7lwKU5AInhVon1kWVitRFxd7cGUKQaLDOQJsAQjB/OEBXaN0GS22RBgX75TjOJXGY7myQmVz5A==
   dependencies:
-    async "^1.5.0"
-    express-unless "^0.3.0"
-    jsonwebtoken "^8.1.0"
-    lodash.set "^4.0.0"
+    "@types/jsonwebtoken" "^8.5.8"
+    express-unless "^2.1.3"
+    jsonwebtoken "^8.5.1"
 
 express-openapi-validator@3.10.0:
   version "3.10.0"
@@ -10767,10 +10765,10 @@ express-rate-limit@6.3.0:
   resolved "https://registry.yarnpkg.com/express-rate-limit/-/express-rate-limit-6.3.0.tgz#253387ce4d36c9c2cc77c7c676068deb36cc0821"
   integrity sha512-932Io1VGKjM3ppi7xW9sb1J5nVkEJSUiOtHw2oE+JyHks1e+AXuOBSXbJKM0mcXwEnW1TibJibQ455Ow1YFjfg==
 
-express-unless@^0.3.0:
-  version "0.3.1"
-  resolved "https://registry.yarnpkg.com/express-unless/-/express-unless-0.3.1.tgz#2557c146e75beb903e2d247f9b5ba01452696e20"
-  integrity sha1-JVfBRudb65A+LSR/m1ugFFJpbiA=
+express-unless@^2.1.3:
+  version "2.1.3"
+  resolved "https://registry.yarnpkg.com/express-unless/-/express-unless-2.1.3.tgz#f951c6cca52a24da3de32d42cfd4db57bc0f9a2e"
+  integrity sha512-wj4tLMyCVYuIIKHGt0FhCtIViBcwzWejX0EjNxveAa6dG+0XBCQhMbx+PnkLkFCxLC69qoFrxds4pIyL88inaQ==
 
 express@4.16.4:
   version "4.16.4"
@@ -14855,7 +14853,7 @@ jsonpath@^1.0.2:
     static-eval "2.0.2"
     underscore "1.12.1"
 
-jsonwebtoken@8.5.1, jsonwebtoken@^8.1.0, jsonwebtoken@^8.5.1:
+jsonwebtoken@8.5.1, jsonwebtoken@^8.5.1:
   version "8.5.1"
   resolved "https://registry.yarnpkg.com/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz#00e71e0b8df54c2121a1f26137df2280673bcc0d"
   integrity sha512-XjwVfRS6jTMsqYs0EsuJ4LGxXV14zQybNd4L2r0UvbVnSF9Af8x7p5MzbJ90Ioz/9TI41/hTCvznF/loiSzn8w==
@@ -15646,11 +15644,6 @@ lodash.once@^4.0.0:
   resolved "https://registry.yarnpkg.com/lodash.once/-/lodash.once-4.1.1.tgz#0dd3971213c7c56df880977d504c88fb471a97ac"
   integrity sha1-DdOXEhPHxW34gJd9UEyI+0cal6w=
 
-lodash.set@^4.0.0:
-  version "4.3.2"
-  resolved "https://registry.yarnpkg.com/lodash.set/-/lodash.set-4.3.2.tgz#d8757b1da807dde24816b0d6a84bea1a76230b23"
-  integrity sha1-2HV7HagH3eJIFrDWqEvqGnYjCyM=
-
 lodash.throttle@^4.1.1:
   version "4.1.1"
   resolved "https://registry.yarnpkg.com/lodash.throttle/-/lodash.throttle-4.1.1.tgz#c23e91b710242ac70c37f1e1cda9274cc39bf2f4"