Using jwt-express in Forest app template

Yoad_Snapir · April 7, 2021, 5:27pm

When upgrading Liana express 6.1 → 6.7.2 a new error prevents the server from starting up.
This error is due to the main app doing this:

app.use(
  jwt({
    secret: process.env.FOREST_AUTH_SECRET,
    credentialsRequired: false,
  })
);

While the usage of the “jwt-express” in version 5 allows this, version 6 forces the usage of an algorithem specification (to handle security vulnerability). This is the cause for the error.

My questions is:

This code appears in the latest lumber templates - but is it required? What for? forest-express uses jwt-express 6 internally already.
The template did not have a dependency on jwt-express - assuming the internal dependency from forest-express is enough. not the template syntax is not compatible with 6. Should we keep this code like this and depend on 5 directly? Or should we remove this code? upgrade it to be compatible with 6?
The template now HAS a dependency since this commit:
https://github.com/ForestAdmin/lumber/commit/ce26d4477023a4da180e4eda437faa11f8b8c772
But it’s still a 5. So the vulnerability is still there.

Thanks for the guidance!

anon90145840 · April 8, 2021, 8:17am

Hello @Yoad_Snapir,

Thank you for your message.

I think you should be able to safely remove this code. I will notify our team about the issue and we will fix it as soon as possible. Thank you for the investigation

Topic		Replies	Views
Upgrade to Liana v6 Help me!	4	469	January 26, 2021
Recurrent error jwt expired Help me!	4	37	October 7, 2024
Express-jwt update causes errors Help me!	1	443	April 5, 2022
Issues going from forest-express-sequelize 3.1 to 6.1 Help me!	5	664	June 10, 2020
Need to address high vulnerability inside lumber-forestadmin npm package Help me!	5	410	November 20, 2020

Using jwt-express in Forest app template

Related topics