fix: #EXUI-2079: Upgrade dependencies with moderate severity vulnerabilities

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hmcts/rpx-xui-node-lib",
-  "version": "2.29.6",
+  "version": "2.29.5-exui-2079-rc13",
   "description": "Common nodejs library components for XUI",
   "main": "dist/index",
   "types": "dist/index.d.ts",
@@ -47,7 +47,7 @@
     "@semantic-release/git": "^10.0.1",
     "@semantic-release/github": "^8.1.0",
     "@types/connect-redis": "^0.0.23",
-    "@types/csurf": "^1.9.36",
+    "@types/csurf": "^1.11.0",
     "@types/debug": "^4.1.5",
     "@types/express": "^4.17.2",
     "@types/express-session": "1.17.10",
@@ -86,22 +86,22 @@
     }
   },
   "dependencies": {
-    "@hapi/joi": "^17.1.1",
+    "@dr.pogodin/csurf": "^1.14.0",
     "axios": "^1.7.7",
     "caller-path": "^3.0.0",
     "connect-redis": "^4.0.4",
-    "csurf": "^1.11.0",
     "debug": "^4.3.7",
     "deepmerge": "^4.2.2",
     "express": "^4.20.0",
     "express-session": "^1.17.0",
     "jest-mock-axios": "^4.7.3",
     "jest-ts-auto-mock": "^2.1.0",
+    "joi": "^17.13.3 ",
     "jwt-decode": "^2.2.0",
-    "openid-client": "^3.10.0",
+    "openid-client": "^5.7.1",
     "otplib": "^12.0.1",
-    "passport": "^0.5.3",
-    "passport-oauth2": "^1.5.0",
+    "passport": "^0.7.0",
+    "passport-oauth2": "^1.8.0",
     "redis": "^3.0.2",
     "session-file-store": "^1.5.0",
     "ts-auto-mock": "^3.5.0",

src/auth/models/strategy.class.ts

@@ -1,14 +1,14 @@
 import * as events from 'events'
 import { NextFunction, Request, RequestHandler, Response, Router } from 'express'
-import passport from 'passport'
+import passport, { LogOutOptions } from 'passport'
 import { AUTH } from '../auth.constants'
 import jwtDecode from 'jwt-decode'
 import { arrayPatternMatch, http, XuiLogger, getLogger } from '../../common'
 import { AuthOptions } from './authOptions.interface'
-import Joi from '@hapi/joi'
+import Joi from 'joi'
 import * as URL from 'url'
 import { generators } from 'openid-client'
-import csrf from 'csurf'
+import csrf from '@dr.pogodin/csurf'
 import { MySessionData } from './sessionData.interface'
 
 export abstract class Strategy extends events.EventEmitter {
@@ -91,7 +91,6 @@ export abstract class Strategy extends events.EventEmitter {
     /* istanbul ignore next */
     public loginHandler = async (req: Request, res: Response, next: NextFunction): Promise<RequestHandler> => {
         this.logger.log('Base loginHandler Hit')
-
         const reqSession = req.session as MySessionData
 
         // we are using oidc generator but it's just a helper, rather than installing another library to provide this
@@ -122,6 +121,7 @@ export abstract class Strategy extends events.EventEmitter {
                 {
                     redirect_uri: reqSession?.callbackURL,
                     state,
+                    keepSessionInfo: true,
                 } as any,
                 (error: any, user: any, info: any) => {
                     /* istanbul ignore next */
@@ -167,7 +167,7 @@ export abstract class Strategy extends events.EventEmitter {
     }
 
     /* istanbul ignore next */
-    public logout = async (req: Request, res: Response): Promise<void> => {
+    public logout = async (req: Request, res: Response, next: NextFunction): Promise<void> => {
         const reqSession = req.session as MySessionData
 
         try {
@@ -188,22 +188,24 @@ export abstract class Strategy extends events.EventEmitter {
             })
 
             //passport provides this method on request object
-            req.logout((err) => {
-                console.error(err)
-            })
-            await this.destroySession(req)
-            /* istanbul ignore next */
-            if (req.query.noredirect) {
-                res.status(200).send({ message: 'You have been logged out!' })
-                return Promise.resolve()
-            }
-
-            const redirect = req.query.redirect ? req.query.redirect : AUTH.ROUTE.LOGIN
-            this.logger.log('redirecting to => ', redirect)
-            // 401 is when no accessToken
-            res.redirect(redirect as string)
+            req.logout({ keepSessionInfo: true }, async (err) => {
+                if (err) {
+                    console.error(err)
+                    return next(err)
+                }
+                await this.destroySession(req)
+                /* istanbul ignore next */
+                if (req.query.noredirect) {
+                    res.status(200).send({ message: 'You have been logged out!' })
+                    return Promise.resolve()
+                }
 
-            /* istanbul ignore next */
+                const redirect = req.query.redirect ? req.query.redirect : AUTH.ROUTE.LOGIN
+                this.logger.log('redirecting to => ', redirect)
+                // 401 is when no accessToken
+                res.redirect(redirect as string)
+                /* istanbul ignore next */
+            })
         } catch (e) {
             this.logger.error('error => ', e)
             res.status(401).redirect(AUTH.ROUTE.DEFAULT_REDIRECT)
@@ -284,6 +286,8 @@ export abstract class Strategy extends events.EventEmitter {
             this.strategyName,
             {
                 redirect_uri: reqSession?.callbackURL,
+                keepSessionInfo: true,
+                failureMessage: true,
             } as any,
             (error: any, user: any, info: any) => {
                 const errorMessages: string[] = []
@@ -410,7 +414,7 @@ export abstract class Strategy extends events.EventEmitter {
                 this.logger.error(
                     `User has no application access, as they do not have a role that matches ${this.options.allowRolesRegex}.`,
                 )
-                return this.logout(req, res)
+                return this.logout(req, res, next)
             }
             if (!this.listenerCount(AUTH.EVENT.AUTHENTICATE_SUCCESS)) {
                 this.logger.log(

src/auth/oidc/models/openid.class.spec.ts

@@ -2,7 +2,7 @@
 
 import { oidc, OpenID } from './openid.class'
 import passport from 'passport'
-import express, { Request, response, Response, Router } from 'express'
+import express, { NextFunction, Request, response, Response, Router } from 'express'
 import { AUTH } from '../../auth.constants'
 import { Client, Issuer, Strategy, TokenSet, UserinfoResponse } from 'openid-client'
 import { createMock } from 'ts-auto-mock'
@@ -466,6 +466,7 @@ xtest('makeAuthorization() Should make an authorisation string', async () => {
 xtest('strategy logout', async () => {
     const session = createMock<MySessionData>()
     const mockRequest = createMock<Request>()
+    const mockNextFunction = createMock<NextFunction>()
     session.passport = {
         user: {
             tokenset: {
@@ -486,7 +487,7 @@ xtest('strategy logout', async () => {
     mockResponse.redirect = jest.fn()
     const spyhttp = jest.spyOn(http, 'delete').mockImplementation(() => Promise.resolve({} as any))
     const spySessionDestroy = jest.spyOn(oidc, 'destroySession').mockImplementation(() => Promise.resolve({} as any))
-    await oidc.logout(mockRequest, mockResponse)
+    await oidc.logout(mockRequest, mockResponse, mockNextFunction)
     expect(spyhttp).toHaveBeenCalled()
     expect(spySessionDestroy).toHaveBeenCalled()
 })

src/auth/oidc/models/openid.class.ts

@@ -130,7 +130,6 @@ export class OpenID extends AuthStrategy {
         const issuer = await this.discoverIssuer()
 
         const metadata = issuer.metadata
-        metadata.issuer = this.options.issuerURL
 
         this.logger.log('discover metadata', metadata)
 
@@ -256,6 +255,8 @@ export class OpenID extends AuthStrategy {
                     redirect_uri: reqsession?.callbackURL,
                     nonce,
                     state,
+                    keepSessionInfo: true,
+                    failureMessage: true,
                 } as any,
                 (error: any, user: any, info: any) => {
                     this.logger.log('passport authenticate')

tsconfig.json

@@ -16,7 +16,8 @@
          "transform": "ts-auto-mock/transformer",
          "cacheBetweenTests": false
      }
-    ]
+    ],
+    "noImplicitAny": false
   },
   "include": ["typings.d.ts", "src"],
   "exclude": ["node_modules", "**/*.spec.ts"]