Express-JWT package update issue

Feature(s) impacted

Cannot upgrade to the latest express-jwt package.

Observed behavior

When we update the express-jwt version from 6.1.2 to 8.4.1, we are not able to open a collection in Forest Admin wherever permissionMiddlewareCreator from the Forest-Admin-Sequelize package is used in the collection.

Expected behavior

Existing collections should be readable and other operations should work as expected.

Failure Logs

Once we updated the package to version 8.4.1, we started getting the following error in the browser:

Upon debugging further in the backend, we see the following stack trace for the error:

Caught route error TypeError: Cannot read properties of undefined (reading 'id').
Stack: "TypeError: Cannot read properties of undefined (reading 'id')
    at AuthorizationService._callee$ (~/curator/node_modules/forest-express-sequelize/node_modules/forest-express/dist/services/authorization/authorization.js:33:30)
    at tryCatch (~/curator/node_modules/forest-express-sequelize/node_modules/forest-express/node_modules/@babel/runtime/helpers/regeneratorRuntime.js:86:17)
    at Generator._invoke (~/curator/node_modules/forest-express-sequelize/node_modules/forest-express/node_modules/@babel/runtime/helpers/regeneratorRuntime.js:66:24)
    at Generator.next (~/curator/node_modules/forest-express-sequelize/node_modules/forest-express/node_modules/@babel/runtime/helpers/regeneratorRuntime.js:117:21)
    at asyncGeneratorStep (~/curator/node_modules/forest-express-sequelize/node_modules/forest-express/node_modules/@babel/runtime/helpers/asyncToGenerator.js:3:24)
    at _next (~/curator/node_modules/forest-express-sequelize/node_modules/forest-express/node_modules/@babel/runtime/helpers/asyncToGenerator.js:25:9)
    at ~/curator/node_modules/forest-express-sequelize/node_modules/forest-express/node_modules/@babel/runtime/helpers/asyncToGenerator.js:32:7
    at new Promise (<anonymous>)
    at AuthorizationService.<anonymous> (~/curator/node_modules/forest-express-sequelize/node_modules/forest-express/node_modules/@babel/runtime/helpers/asyncToGenerator.js:21:12)
    at AuthorizationService.assertCanBrowse (~/curator/node_modules/forest-express-sequelize/node_modules/forest-express/dist/services/authorization/authorization.js:67:33)
    at _callee2$ (~/curator/node_modules/forest-express-sequelize/node_modules/forest-express/dist/middlewares/permissions.js:161:52)
    at tryCatch (~/curator/node_modules/forest-express-sequelize/node_modules/forest-express/node_modules/@babel/runtime/helpers/regeneratorRuntime.js:86:17)
    at Generator._invoke (~/curator/node_modules/forest-express-sequelize/node_modules/forest-express/node_modules/@babel/runtime/helpers/regeneratorRuntime.js:66:24)
    at Generator.next (~/curator/node_modules/forest-express-sequelize/node_modules/forest-express/node_modules/@babel/runtime/helpers/regeneratorRuntime.js:117:21)
    at asyncGeneratorStep (~/curator/node_modules/forest-express-sequelize/node_modules/forest-express/node_modules/@babel/runtime/helpers/asyncToGenerator.js:3:24)
    at _next (~/curator/node_modules/forest-express-sequelize/node_modules/forest-express/node_modules/@babel/runtime/helpers/asyncToGenerator.js:25:9)
    at ~/curator/node_modules/forest-express-sequelize/node_modules/forest-express/node_modules/@babel/runtime/helpers/asyncToGenerator.js:32:7
    at new Promise (<anonymous>)
    at ~/curator/node_modules/forest-express-sequelize/node_modules/forest-express/node_modules/@babel/runtime/helpers/asyncToGenerator.js:21:12
    at ~/curator/node_modules/forest-express-sequelize/node_modules/forest-express/dist/middlewares/permissions.js:177:24
    at Layer.handle [as handle_request] (~/curator/node_modules/express/lib/router/layer.js:95:5)
    at next (~/curator/node_modules/express/lib/router/route.js:144:13)

This seems to be the case with collections using permissionMiddlewareCreator from the forest sequelize package. If we remove this middleware from the route, everything seems to work fine.

It seems that for the express-jwt package upgrade the following migration steps need to be performed. I could be wrong, but maybe the forest package is still trying to read user details from the req.user field instead of req.auth, as mentioned in the following list of migration steps. Please check if it can be corrected from your end.

Migration from v6 - Link (express-jwt/README.md at master · auth0/express-jwt · GitHub)

  1. The middleware function is now available as a named import rather than a default one: import { expressjwt } from 'express-jwt'

  2. The decoded JWT payload is now available as req.auth rather than req.user

  3. The secret function had (req, header, payload, cb), now it can return a promise and receives (req, token). token has header and payload.

  4. The isRevoked function had (req, payload, cb), now it can return a promise and receives (req, token). token has header and payload.

Context

  • Project name: Curator
  • Team name: Developer
  • Environment name: ALL (Staging, Development, Production)
  • Agent type & version:
  • Package Version: 9.0.5 (forest-express-sequelize)
  • Express Version: 4.18.2
  • Sequelize Version: 6.3.0
  • Database Dialect: MySql

Hello @Nilesh_Shirsat

Could you please provide some more context as to why you need to upgrade this package to a new major version? forest-express-sequelize was not designed to support it.

A simple workaround that I see for this issue could be to declare a new middleware in your app to handle the mapping of auth → user, just after the jwt middleware. Something like so:

const jwt = require('express-jwt'); // v7+ exposes the middleware as a named export

app.use(jwt.expressjwt({
  secret: xxx,
  credentialsRequired: false,
  algorithms: ['HS256'],
}));

// express-jwt v7+ stores the decoded payload on request.auth, while
// forest-express still reads request.user, so copy it across (auth → user)
// before the Forest routes run.
const mapper = (request, response, next) => {
  request.user = request.auth;
  next();
};

app.use(mapper);

Please let me know if that would work for you :pray:
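A defensive version of that shim, as an added example that is not from this thread or from the Forest Admin code base. The `runChain` driver and the sample request objects are assumptions standing in for Express and express-jwt so the shim can be exercised offline; the one edge case it adds is that with `credentialsRequired: false` anonymous requests arrive with no `req.auth` at all, and an existing `req.user` is left untouched.

```javascript
// express-jwt >= 7 puts the decoded payload on req.auth, while forest-express
// (as the stack trace above shows) still reads req.user.id. This shim copies
// the payload across so the Forest permission middleware keeps working.
function mapAuthToUser(request, response, next) {
  // credentialsRequired: false lets anonymous requests through with no
  // req.auth at all; leave those alone rather than assigning undefined.
  if (request.auth !== undefined && request.user === undefined) {
    request.user = request.auth;
  }
  next();
}

// Tiny synchronous chain runner standing in for Express' router (assumed
// helper, not Express itself). Stops early if a middleware calls next(err).
function runChain(middlewares, request) {
  const response = {};
  let index = 0;
  function next(err) {
    if (err) { request.error = err; return; }
    const mw = middlewares[index++];
    if (mw) mw(request, response, next);
  }
  next();
  return request;
}

// Constructed request objects shaped the way express-jwt v8 leaves them:
// `auth` holds the decoded payload for a valid token and is absent otherwise.
function sampleRequests() {
  return {
    authenticated: { auth: { id: 42, email: 'forest-user@example.com' } },
    anonymous: {},
    alreadyMapped: { auth: { id: 42 }, user: { id: 7 } },
  };
}

// Runs the shim over each sample and reports the user id forest-express
// would read afterwards (null when there is no user on the request).
function demo() {
  const out = {};
  for (const [name, req] of Object.entries(sampleRequests())) {
    const result = runChain([mapAuthToUser], req);
    out[name] = result.user === undefined ? null : result.user.id;
  }
  return out; // { authenticated: 42, anonymous: null, alreadyMapped: 7 }
}
```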

The above middleware change worked, but after a small tweak.
We need to update the package as the older express-jwt package has been found to have some security vulnerabilities.

Sorry for late reply!

Thanks for reporting back @Nilesh_Shirsat,
I'm marking this thread as resolved then!