Using jwt-express in Forest app template

When upgrading Liana express 6.1 → 6.7.2, a new error prevents the server from starting up.
This error is due to the main app doing this:

app.use(
  jwt({
    secret: process.env.FOREST_AUTH_SECRET,
    credentialsRequired: false,
  })
);

While the usage of the “jwt-express” in version 5 allows this, version 6 forces the usage of an algorithm specification (to handle a security vulnerability). This is the cause of the error.

My questions are:

  • This code appears in the latest lumber templates - but is it required? What for? forest-express uses jwt-express 6 internally already.

  • The template did not have a dependency on jwt-express - assuming the internal dependency from forest-express is enough. Now the template syntax is not compatible with 6. Should we keep this code like this and depend on 5 directly? Or should we remove this code? Upgrade it to be compatible with 6?
    The template now HAS a dependency since this commit:
    https://github.com/ForestAdmin/lumber/commit/ce26d4477023a4da180e4eda437faa11f8b8c772
    But it’s still a 5. So the vulnerability is still there.

Thanks for the guidance!

Hello @Yoad_Snapir,

Thank you for your message.

I think you should be able to safely remove this code. I will notify our team about the issue and we will fix it as soon as possible. Thank you for the investigation.
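
An added example, not part of the thread and not Forest Admin's or the middleware's code: a small HS256 verifier built on Node's `crypto`, showing what a server-side algorithm allow-list (the kind of algorithm specification version 6 asks for) checks before a token is trusted. The function names, the `algorithms` parameter, the HS256 choice and the sample secret are assumptions made for the illustration.

```javascript
const crypto = require('node:crypto');

const b64url = (value) => Buffer.from(value).toString('base64url');
const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();

// Demo helper: builds a token whose header carries whatever `alg` is passed in.
function makeToken(payload, secret, alg = 'HS256') {
  const head = b64url(JSON.stringify({ alg, typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = alg === 'HS256' ? b64url(hmac(`${head}.${body}`, secret)) : '';
  return `${head}.${body}.${sig}`;
}

// The allow-list comes from server configuration, never from the token header.
function verifyToken(token, secret, algorithms) {
  if (!Array.isArray(algorithms) || algorithms.length === 0) {
    // Fail closed at configuration time instead of accepting any algorithm.
    throw new Error('an algorithm allow-list is required');
  }
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [head, body, sig] = parts;
  let header;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (!header || !algorithms.includes(header.alg)) {
    return { ok: false, reason: 'algorithm not allowed' };
  }
  // This example implements HS256 only (assumption: shared-secret tokens).
  if (header.alg !== 'HS256') return { ok: false, reason: 'unsupported algorithm' };
  const expected = hmac(`${head}.${body}`, secret);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  return { ok: true, payload: JSON.parse(Buffer.from(body, 'base64url').toString('utf8')) };
}

// Constructed sample values, not real credentials.
const SECRET = 'example-auth-secret';
const signed = makeToken({ sub: 'user-1' }, SECRET);
const unsigned = makeToken({ sub: 'user-1' }, SECRET, 'none');

console.log(verifyToken(signed, SECRET, ['HS256']));   // accepted
console.log(verifyToken(unsigned, SECRET, ['HS256'])); // rejected before any signature check
```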