chore(deps): upgrade vulnerable dependencies

.eslintrc.json

@@ -2,15 +2,18 @@
   "extends": [
     "eslint:recommended",
     "plugin:promise/recommended",
-    "plugin:jasmine/recommended"
+    "plugin:jasmine/recommended",
+    "plugin:wdio/recommended"
   ],
   "plugins": [
     "promise",
-    "jasmine"
+    "jasmine",
+    "wdio"
   ],
   "env": {
     "browser": false,
-    "commonjs": true
+    "commonjs": true,
+    "node": true
   },
   "parserOptions": {
     "ecmaVersion": 2017

CHANGELOG.md

@@ -1,3 +1,10 @@
+# 5.0.0
+
+### Breaking Changes
+
+- [#]() Requires Node >= 12.19.0. Update production dependencies:
+  - `openid-client@5.1.9` (was 3.12.2)
+
 # 4.6
 
 -[#53](https://github.com/okta/okta-oidc-middleware/pull/53) Fix: prevents open redirects

package.json

@@ -1,7 +1,7 @@
 {
   "private": true,
   "name": "@okta/oidc-middleware",
-  "version": "4.6.0",
+  "version": "5.0.0",
   "description": "OpenId Connect middleware for authorization code flows",
   "repository": "https://github.com/okta/okta-oidc-middleware",
   "homepage": "https://github.com/okta/okta-oidc-middleware#readme",
@@ -24,17 +24,17 @@
     "lint": "eslint .",
     "lint:report": "eslint -f checkstyle -o ./reports/lint/eslint-checkstyle-result.xml .",
     "test": "yarn lint && yarn test:unit && yarn test:e2e && yarn test:integration",
-    "pretest:e2e": "node scripts/update-se-drivers.js && yarn kill:port",
+    "pretest:e2e": "yarn kill:port",
     "posttest:e2e": "yarn kill:port",
-    "test:e2e": "protractor test/e2e/protractor.conf.js",
+    "test:e2e": "wdio run wdio.conf.js",
     "test:integration": "scripts/tck.sh 0.4.0",
     "test:unit": "jest",
     "start": "node test/e2e/harness/start-server.js",
     "start:custom": "node test/e2e/harness/start-custom-login-server.js",
     "kill:port": "kill -s TERM $(lsof -t -i:8080 -sTCP:LISTEN) || true"
   },
   "engines": {
-    "node": "^10.13.0 || >=12.0.0"
+    "node": "^12.19.0 || ^14.15.0 || ^16.13.0"
   },
   "license": "Apache-2.0",
   "dependencies": {
@@ -45,13 +45,18 @@
     "lodash": "^4.17.21",
     "negotiator": "^0.6.1",
     "node-fetch": "^2.6.7",
-    "openid-client": "3.12.2",
-    "passport": "^0.4.1",
+    "openid-client": "^5.1.9",
+    "passport": "^0.6.0",
     "uuid": "^8.3.2"
   },
   "devDependencies": {
     "@babel/eslint-parser": "^7.17.0",
-    "axios": "^0.27.2",
+    "@wdio/cli": "^7.24.0",
+    "@wdio/jasmine-framework": "^7.24.0",
+    "@wdio/junit-reporter": "^7.24.0",
+    "@wdio/local-runner": "^7.24.0",
+    "@wdio/selenium-standalone-service": "^7.24.0",
+    "@wdio/spec-reporter": "^7.24.0",
     "cookie-parser": "^1.4.5",
     "cross-env": "^7.0.0",
     "dotenv": "^8.1.0",
@@ -60,20 +65,17 @@
     "eslint-plugin-jasmine": "^4.1.0",
     "eslint-plugin-jest": "^23.0.3",
     "eslint-plugin-promise": "^4.2.1",
-    "eslint-plugin-protractor": "^2.1.1",
+    "eslint-plugin-wdio": "^7.21.0",
     "express-session": "^1.15.5",
     "globby": "^6.1.0",
-    "jasmine-protractor-browser-log-reporter": "^1.0.0",
-    "jasmine-reporters": "^2.5.0",
-    "jasmine-spec-reporter": "^4.1.0",
     "jest": "^28.1.1",
     "jest-junit": "^13.2.0",
     "nock": "^11.9.1",
-    "protractor": "^7.0.0",
     "read-package-tree": "^5.1.6",
     "server-destroy": "^1.0.1",
     "shelljs": "0.8.5",
-    "supertest": "^6.0.1"
+    "supertest": "^6.0.1",
+    "wdio-wait-for": "^2.2.6"
   },
   "resolutions": {
     "webdriver-manager": "^12.1.4",

scripts/setup.sh

@@ -10,7 +10,7 @@ export PATH="${PATH}:$(yarn global bin)"
 
 # Install required node version
 export NVM_DIR="/root/.nvm"
-setup_service node v12.22.0
+setup_service node v14.17.0
 
 cd ${OKTA_HOME}/${REPO}
 

src/connectUtil.js

@@ -96,7 +96,10 @@ connectUtil.createLoginCallbackHandler = context => {
   if (!customHandler) {
     // Passport successReturnToOrRedirect always try req.session.returnTo first if it's assigned
     // Use successRedirect field if afterCallback url is explicitly set in config
-    const redirectOptions = { failureRedirect: routes.loginCallback.failureRedirect };
+    const redirectOptions = {
+      failureRedirect: routes.loginCallback.failureRedirect,
+      keepSessionInfo: true, // preserve req.session.returnTo during session regeneration
+    };
     if (routes.loginCallback.afterCallback) {
       redirectOptions.successRedirect = routes.loginCallback.afterCallback;
     } else {

src/logout.js

@@ -64,7 +64,7 @@ logout.forceLogoutAndRevoke = context => {
     const revokes = REVOKABLE_TOKENS.map( revokeIfExists );
 
     // clear local session
-    req.logout();
+    req.logout(function () {});
 
     // attempt all revokes
     await Promise.all(revokes); // these capture (emit) all rejections, no wrapping catch needed, no early fail of .all()

src/oidcUtil.js

@@ -35,16 +35,19 @@ function customizeUserAgent(options) {
   const headers = options.headers || {};
   let clientUserAgent = headers['User-Agent'];
   if (typeof clientUserAgent === 'string') {
-    clientUserAgent = ' ' + clientUserAgent.split(' ')[0]
+    clientUserAgent = ' ' + clientUserAgent.split(' (')[0]
   } else {
     clientUserAgent = '';
   }
 
   const userAgent = `${pkg.name}/${pkg.version}${clientUserAgent} node/${process.versions.node} ${os.platform()}/${os.release()}`;
-  headers['User-Agent'] = userAgent;
-
-  options.headers = headers;
-  return options;
+  return {
+    ...options,
+    headers: {
+      ...headers,
+      'User-Agent': userAgent
+    }
+  }
 }
 
 function appendOptionsToQuery(url, options) {
@@ -68,22 +71,23 @@ oidcUtil.createClient = context => {
     timeout
   } = context.options;
 
-  Issuer[custom.http_options] = function(options) {
+  Issuer[custom.http_options] = function(_, options) {
     options = customizeUserAgent(options);
     options.timeout = timeout || 10000;
     return options;
   };
 
   return Issuer.discover(issuer +  '/.well-known/openid-configuration')
-  .then(iss => {
+  .then((iss) => {
     const client = new iss.Client({
       client_id,
       client_secret,
       redirect_uris: [
         redirect_uri
       ]
     });
-    client[custom.http_options] = options => {
+
+    client[custom.http_options] = (options) => {
       options = customizeUserAgent(options);
       options.timeout = timeout || 10000;
       return options;
@@ -100,7 +104,8 @@ oidcUtil.bootstrapPassportStrategy = context => {
       scope: context.options.scope
     },
     sessionKey: context.options.sessionKey,
-    client: context.client
+    client: context.client,
+    usePKCE: false
   }, (tokenSet, callbackArg1, callbackArg2) => {
     let done;
     let userinfo;

test/e2e/.eslintrc.json

@@ -1,11 +1,11 @@
 {
   "extends": [
-    "plugin:protractor/recommended",
-    "plugin:jasmine/recommended"
+    "plugin:jasmine/recommended",
+    "plugin:wdio/recommended"
   ],
   "plugins": [
-    "protractor",
-    "jasmine"
+    "jasmine",
+    "wdio"
   ],
   "env": {
     "jasmine": true,

test/e2e/page-objects/CustomLoginPage.js

@@ -10,31 +10,53 @@
  * See the License for the specific language governing permissions and limitations under the License.
  */
 
-const EC = protractor.ExpectedConditions;
+const EC = require("wdio-wait-for");
 
 module.exports = class OktaSignInPage {
-  /* eslint-disable protractor/no-repetitive-selectors */
-  constructor() {
-    this.username = $('[name=username]');
-    this.password = $('[name=password]');
-    this.submit = $('#okta-signin-submit');
-    this.banner = $('#banner');
-    this.pageTitle = $('[data-se=o-form-head]');
-    this.usernameLabel = $('[data-se=o-form-label] [for=okta-signin-username]');
-    this.passwordLabel = $('[data-se=o-form-label] [for=okta-signin-password]');
+  constructor() {}
+
+  get username() {
+    return $('[name=username]');
+  }
+
+  get password() {
+    return $('[name=password]');
+  }
+
+  get submit() {
+    return $('#okta-signin-submit');
+  }
+
+  get banner() {
+    return $('#banner');
+  }
+
+  get pageTitle() {
+    return $('[data-se=o-form-head]');
+  }
+
+  get usernameLabel() {
+    return $('[data-se=o-form-label] [for=okta-signin-username]');
+  }
+
+  get passwordLabel() {
+    return $('[data-se=o-form-label] [for=okta-signin-password]');
   }
 
   async load() {
-    await browser.get('/login');
+    await browser.url('/login');
   }
 
   async waitUntilVisible() {
-    await browser.wait(EC.presenceOf(this.banner), 50000, 'wait for banner');
+    await browser.waitUntil(EC.presenceOf(await this.banner), {
+      timeout: 50000,
+      timeoutMsg: 'wait for banner'
+    });
   }
 
   async signIn({username, password}) {
-    await this.username.sendKeys(username);
-    await this.password.sendKeys(password);
-    await this.submit.click();
+    await (await this.username).setValue(username);
+    await (await this.password).setValue(password);
+    await (await this.submit).click();
   }
 }

test/e2e/page-objects/HomePage.js

@@ -12,29 +12,37 @@
 
 const constants = require('../util/constants');
 const util = require('../util/util');
-const EC = protractor.ExpectedConditions;
+const EC = require("wdio-wait-for");
 
 module.exports = class HomePage {
-  constructor() {
-    this.body = $('body');
+  constructor() {}
+
+  get body() {
+    return $('body');
   }
 
   async load() {
-    await browser.get(constants.BASE_URI);
+    await browser.url(constants.BASE_URI);
   }
 
   async waitUntilVisible() {
     const url = util.ensureTrailingSlash(constants.BASE_URI);
-    await browser.wait(EC.urlIs(url), 50000, 'wait for base url');
+    await browser.waitUntil(EC.urlIs(url), {
+      timeout: 50000,
+      timeoutMsg: 'wait for base url'
+    });
   }
 
   async performLogout() { 
     const logoutButton = $('#logout');
     await logoutButton.click();
-    await browser.wait(EC.not(EC.presenceOf(logoutButton)), 5000, 'wait for logout button to disappear');
+    await browser.waitUntil(EC.not(EC.presenceOf(logoutButton)), {
+      timeout: 5000,
+      timeoutMsg: 'wait for logout button to disappear'
+    });
   }
 
   async getBodyText() {
-    return this.body.getText();
+    return (await this.body).getText();
   }
 }