| @@ -0,0 +1,190 @@ | |||
| # V3 Migration Guide | |||
Just a thought.
Since the consumer-facing API has no breaking changes, do we need to mention that and its usage examples here in detail?
IMO, if a consumer comes to read the migration guide, they have to go through a lot of detail to be assured that there are no breaking changes.
Would it not suffice to just mention the breaking changes and what consumers are required to follow?
@aks96 What do you think!
Here we are making sure the user understands what changes have been done; regarding breaking changes, the user just has to update the Node, openid-client and jose versions.
| // Build a Request object for openid-client v6 | ||
| const protocol = req.protocol; | ||
| const host = req.get('host'); // Use req.get('host') to include port |
This will not work in any deployment behind a TLS-terminating reverse proxy. It'll give back the internal hostname and port, which have no relation to the URL the browser is hitting. This URL is used by openid-client to populate the redirect_uri access token request parameter, thus causing a mismatch.
Using the req getters is necessary to account for the Express application's trust proxy settings; see https://expressjs.com/en/guide/behind-proxies.html
Unfortunately there's a bug in express@4 where `req.host` is an alias for `req.hostname` and thus does not contain the port. In express@5, `req.host` works as expected.
To work around this, use the following (taken from https://github.com/panva/openid-client/blob/b77d87c1e2f5fef6fab501de615fb83a74a0251f/src/passport.ts#L211C1-L232):
```ts
import express from 'express';

// Resolve the host the browser used, honouring the app's `trust proxy`
// function: X-Forwarded-Host is only used when the immediate peer is
// trusted, and only the first hop of a comma-separated chain is kept.
function host(req: express.Request): string | undefined {
  try {
    const trust = req.app.get('trust proxy fn')
    let val = req.get('x-forwarded-host')
    if (!val || !trust(req.socket.remoteAddress, 0)) {
      val = req.get('host')
    } else if (val.indexOf(',') !== -1) {
      val = val.substring(0, val.indexOf(',')).trimRight()
    }
    return val || undefined
  } catch {
    // Not an Express request (no req.app): fall back to req.host
    return req.host
  }
}
```
| // Build a Request object for openid-client v6 | ||
| const protocol = req.protocol; | ||
| const host = req.get('host'); // Use req.get('host') to include port | ||
| const currentUrl = new URL(`${protocol}://${host}${req.originalUrl}`); |
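Review bot: at `const currentUrl = new URL(...)` there is no guard for `host` being undefined. `req.get('host')` returns undefined when a request carries no Host header, and the template string then yields `http://undefined/...`, which `new URL()` accepts as a URL with the literal hostname "undefined" instead of failing. Add an explicit check before building the URL, e.g. `if (!host) throw new Error('missing Host header');`, so a malformed request fails fast rather than producing a bogus redirect_uri.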
To account for mounted app scenarios:
| const currentUrl = new URL(`${protocol}://${host}${req.originalUrl}`); | |
| const currentUrl = new URL(`${protocol}://${host}${req.originalUrl ?? req.url}`); |
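The two threads above (trust-proxy-aware host resolution, and `req.originalUrl ?? req.url` for mounted apps) exercised end to end, as an added example that is not part of the PR, the migration guide or openid-client. The request objects are constructed mocks that expose only the parts of the Express request API the helper touches (`req.get`, `req.app.get('trust proxy fn')`, `req.socket.remoteAddress`, `req.protocol`, `req.originalUrl`, `req.url`, `req.host`); the `makeReq` factory, the trust functions, the hostnames, ports and paths are all assumptions made for the demonstration, and the mock's emulation of `req.protocol` (X-Forwarded-Proto honoured only from a trusted peer) is likewise an assumption about Express's behaviour.

```javascript
// Added example, not code from the PR or from openid-client. The requests
// below are constructed mocks exposing only the Express surface the helper
// uses: req.get, req.app.get('trust proxy fn'), req.socket.remoteAddress,
// req.protocol, req.originalUrl, req.url and req.host.

// Resolve the host the browser used. Same approach as the helper quoted in the
// thread: honour X-Forwarded-Host only when the immediate peer is trusted by
// the app's `trust proxy` function, and keep only the first hop of a chain.
function host(req) {
  try {
    const trust = req.app.get('trust proxy fn');
    let val = req.get('x-forwarded-host');
    if (!val || !trust(req.socket.remoteAddress, 0)) {
      val = req.get('host');
    } else if (val.indexOf(',') !== -1) {
      val = val.substring(0, val.indexOf(',')).trimEnd();
    }
    return val || undefined;
  } catch {
    // Not an Express request (no req.app): fall back to whatever req.host holds.
    return req.host;
  }
}

// Build the URL openid-client should see. `req.originalUrl ?? req.url` keeps
// the mount path of a sub-application, where req.url has it stripped off.
// Fail early instead of letting `new URL()` accept a literal "undefined" host.
function currentUrl(req) {
  const h = host(req);
  if (!h) throw new Error('cannot determine request host');
  return new URL(`${req.protocol}://${h}${req.originalUrl ?? req.url}`);
}

// Constructed mock of an Express request. `trustProxy` has Express's
// (address, index) => boolean shape; `protocol` emulates req.protocol, which
// honours X-Forwarded-Proto only from a trusted peer (assumption for the demo).
function makeReq({ headers, remoteAddress, trustProxy, originalUrl, url, secure = false }) {
  const lower = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const get = (name) => lower[name.toLowerCase()];
  const forwardedProto = get('x-forwarded-proto');
  const protocol = trustProxy(remoteAddress, 0) && forwardedProto
    ? forwardedProto.split(',')[0].trim() : (secure ? 'https' : 'http');
  return {
    get,
    app: { get: (key) => (key === 'trust proxy fn' ? trustProxy : undefined) },
    socket: { remoteAddress },
    protocol,
    originalUrl,
    url,
    host: get('host'),
  };
}

const trustLoopback = (addr) => addr === '127.0.0.1' || addr === '::1';
const trustNone = () => false;
// Constructed scenario from the thread: the app listens on 10.0.0.5:3000 behind
// a TLS-terminating proxy on localhost, mounted at /auth, and the browser asked
// for https://app.example.com/auth/cb?code=abc.
const proxied = {
  headers: {
    Host: '10.0.0.5:3000',
    'X-Forwarded-Host': 'app.example.com',
    'X-Forwarded-Proto': 'https',
  },
  remoteAddress: '127.0.0.1',
  originalUrl: '/auth/cb?code=abc',
  url: '/cb?code=abc',
};

function withTrustProxy() {
  return currentUrl(makeReq({ ...proxied, trustProxy: trustLoopback })).href;
}
function withoutTrustProxy() {
  // trust proxy off: the internal host and scheme end up in redirect_uri.
  return currentUrl(makeReq({ ...proxied, trustProxy: trustNone })).href;
}
function withForwardedChain() {
  const headers = { ...proxied.headers, 'X-Forwarded-Host': 'app.example.com, edge.internal' };
  return currentUrl(makeReq({ ...proxied, headers, trustProxy: trustLoopback })).href;
}
function originalUrlFallback() {
  // No originalUrl on the request: the `??` falls back to req.url.
  return currentUrl(makeReq({ ...proxied, trustProxy: trustLoopback, originalUrl: undefined })).href;
}
function bareRequest() {
  // No req.app at all: host() takes the catch branch and uses req.host.
  const req = {
    get: (name) => ({ host: 'localhost:8080' })[name.toLowerCase()],
    socket: { remoteAddress: '127.0.0.1' },
    protocol: 'http',
    url: '/cb',
    host: 'localhost:8080',
  };
  return currentUrl(req).href;
}

console.log(withTrustProxy());    // https://app.example.com/auth/cb?code=abc
console.log(withoutTrustProxy()); // http://10.0.0.5:3000/auth/cb?code=abc
```

The second case is the mismatch described in the thread: with `trust proxy` unset, the URL handed to openid-client carries the internal host, port and plain `http` scheme, so the redirect_uri it sends in the token request will not equal the one registered with the provider.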
Description
This PR upgrades the core dependencies openid-client (v4.9.1 → v6.1.3) and jose (v2.0.7 → v6.1.3) to their latest major versions, bringing improved security, performance, and standards compliance.
All Tests Passing: 266/266 tests (100%) - 256 unit tests + 10 end-to-end tests
Zero Breaking Changes to public API
Node.js 20+ Required
Testing
Tested all the examples from the example folder.