Closed MarkSchlesinger closed 3 years ago
+1 for a fix
I've made a pull request with a fix for this issue. Is it possible to get it reviewed (and merged if everything looks okay)?
It's not encouraging that the advisory has been out since May, and no fix has been released for an issue bad enough for NPM to say "don't use this package."
Thanks for putting together that PR, @LJNGDAHL! I'm using your fork for the moment.
NPM Audit failure is still showing up with the latest 0.2.2 version. Does that mean this issue is not fixed by the code merged above?
NPM Audit failure
All versions of passport-cognito are vulnerable to Improper Authorization. The package fails to properly scope the variables containing authorization information, such as access token, refresh token and ID token. This causes a race condition where simultaneous authenticated users may receive authorization tokens for a different user. This would allow a user to take actions on another user's behalf.
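A constructed model of the bug class the advisory describes, added here as an illustration and not passport-cognito's own code (`SharedStateStrategy`, `PerRequestStrategy`, `fakeTokenEndpoint` and `raceCheck` are invented names): a strategy that parks a per-request token on the shared instance beside one that keeps it in a per-call binding, each run with two overlapping logins.

```javascript
// Constructed stand-in for the identity provider's token endpoint: resolves
// after a delay so two logins can overlap (assumption, not a real client).
function fakeTokenEndpoint(username, delayMs) {
  return new Promise((resolve) =>
    setTimeout(() => resolve(`token-for-${username}`), delayMs));
}

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Vulnerable pattern: the token is stored on the shared strategy object, so a
// second login that is still in flight overwrites the first one's value.
class SharedStateStrategy {
  async authenticate(username, delayMs) {
    this.accessToken = await fakeTokenEndpoint(username, delayMs);
    await sleep(60); // later async step (e.g. profile lookup) before the read
    return { user: username, accessToken: this.accessToken };
  }
}

// Hardened pattern: the token lives in a per-call binding, so overlapping
// calls cannot observe each other's values.
class PerRequestStrategy {
  async authenticate(username, delayMs) {
    const accessToken = await fakeTokenEndpoint(username, delayMs);
    await sleep(60);
    return { user: username, accessToken };
  }
}

// Run two users through the strategy concurrently and report whether every
// user got back their own token. Timings are chosen so alice's token arrives
// first, bob's overwrites it, and alice then reads the instance field.
async function raceCheck(strategy) {
  const [alice, bob] = await Promise.all([
    strategy.authenticate('alice', 10),
    strategy.authenticate('bob', 40),
  ]);
  return {
    alice: alice.accessToken,
    bob: bob.accessToken,
    mixedUp: alice.accessToken !== 'token-for-alice' ||
      bob.accessToken !== 'token-for-bob',
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  (async () => {
    console.log('shared state :', await raceCheck(new SharedStateStrategy()));
    console.log('per request  :', await raceCheck(new PerRequestStrategy()));
  })();
}
```

With the shared-state strategy, alice receives `token-for-bob`; with the per-request strategy, both users get their own token.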