use express() instead of express.Router()

[phonzammi]

By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.

Description

When we want to integrate/use this library with other frameworks (e.g. unjs/h3), we need to create an express app first than we can use this library. In this case we have to install express package too.
For example when using with unjs/h3

import {
  createApp,
  fromNodeMiddleware,
} from "h3";
import express from "express";

const app = createApp();
const expressApp = express();

app.use(fromNodeMiddleware(expressApp.use(auth(config))));

If we use it like this (without an express app) :

app.use(fromNodeMiddleware((auth(config)))

Than it will throws this errors

/home/phonzammi/Documents/vike-dev/practices/auth0/vike-h3-auth0/node_modules/.pnpm/express@4.18.3/node_modules/express/lib/router/layer.js:95
    fn(req, res, next);
    ^
TypeError: req.get is not a function
    at /home/phonzammi/Documents/vike-dev/practices/auth0/vike-h3-auth0/node_modules/.pnpm/express-openid-connect@2.17.1_express@4.18.3/node_modules/express-openid-connect/lib/appSession.js:289:37
    at Layer.handle [as handle_request] (/home/phonzammi/Documents/vike-dev/practices/auth0/vike-h3-auth0/node_modules/.pnpm/express@4.18.3/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/home/phonzammi/Documents/vike-dev/practices/auth0/vike-h3-auth0/node_modules/.pnpm/express@4.18.3/node_modules/express/lib/router/index.js:328:13)
    at /home/phonzammi/Documents/vike-dev/practices/auth0/vike-h3-auth0/node_modules/.pnpm/express@4.18.3/node_modules/express/lib/router/index.js:286:9
    at Function.process_params (/home/phonzammi/Documents/vike-dev/practices/auth0/vike-h3-auth0/node_modules/.pnpm/express@4.18.3/node_modules/express/lib/router/index.js:346:12)
    at next (/home/phonzammi/Documents/vike-dev/practices/auth0/vike-h3-auth0/node_modules/.pnpm/express@4.18.3/node_modules/express/lib/router/index.js:280:10)
    at Function.handle (/home/phonzammi/Documents/vike-dev/practices/auth0/vike-h3-auth0/node_modules/.pnpm/express@4.18.3/node_modules/express/lib/router/index.js:175:3)
    at router (/home/phonzammi/Documents/vike-dev/practices/auth0/vike-h3-auth0/node_modules/.pnpm/express@4.18.3/node_modules/express/lib/router/index.js:47:12)
    at file:///home/phonzammi/Documents/vike-dev/practices/auth0/vike-h3-auth0/node_modules/.pnpm/h3@1.11.1/node_modules/h3/dist/index.mjs:2285:24
    at new Promise (<anonymous>)

With this changes, we can use this library with other frameworks without having to create an express app

Testing

I have successfully tested this changes with fastify and unjs/h3

• This change adds test coverage for new/changed/fixed functionality

Checklist

• I have added documentation for new/changed functionality in this PR or in auth0.com/docs
• All active GitHub checks for tests, formatting, and security are passing
• The correct base branch is being used, if not the default branch

[phonzammi]

Hi @frederikprijck, I'm sorry to tag you.

Would you mind reviewing this PR ?
I'd like to know what do you think of this. is this a "breaking changes"?
Does Auth0 team has any plan to support more node js framework or more server environment?

[Copilot]

Pull Request Overview

This PR changes the authentication middleware from using express.Router() to express() to improve compatibility with other web frameworks like unjs/h3 and Fastify. The change allows the library to be used without requiring users to create a separate Express app instance.

Key changes:

• Replace express.Router() with express() in the auth middleware
• Update test assertions to access routes through ._router.stack instead of .stack

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
middleware/auth.js	Changes router instantiation from express.Router() to express()
test/login.tests.js	Updates test assertions to access router stack through ._router.stack property

[Copilot]

Using express() instead of express.Router() creates a full Express application instance rather than just a router. This is a significant architectural change that may have unintended consequences. An Express app has additional overhead and functionality (like settings, engines, etc.) that may not be needed. Consider if this change could cause conflicts when the returned object is used as middleware in another Express app.

Suggested change

	const router = new express();
	const router = express.Router();

[Copilot]

Accessing the private _router property indicates a potential code smell. This implementation detail of Express may change in future versions, making the code brittle. The need to access _router.stack suggests that using express() instead of express.Router() may not be the optimal solution for the stated goal.

Suggested change

	assert.ok(router._router.stack.some(filterRoute('GET', '/login')));
	assert.ok(router._router.stack.some(filterRoute('GET', '/logout')));
	assert.ok(router._router.stack.some(filterRoute('POST', '/callback')));
	assert.ok(router._router.stack.some(filterRoute('GET', '/callback')));
	const routes = getRoutes(router);
	assert.ok(routes.some((r) => r.path === '/login' && r.methods.get));
	assert.ok(routes.some((r) => r.path === '/logout' && r.methods.get));
	assert.ok(routes.some((r) => r.path === '/callback' && r.methods.post));
	assert.ok(routes.some((r) => r.path === '/callback' && r.methods.get));

[aks96]

Here the chnages doesn't resolve the core issue of express-specific dependencies. express() return the application not the router. This changes the behaviour of sdk. We can improve this by have detection mechanism for framework. But the above solution will breaking change.