Migrate off passport-openid

sahat / hackathon-starter

A boilerplate for Node.js web applications

MIT License

34.8k stars 8.16k forks source link

Migrate off passport-openid #1232

Closed YasharF closed 1 year ago

YasharF commented 1 year ago

passport-openid is unmaintained and is using a vulnerable version of request

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
  openid  1.0.0 - 2.0.8
  Depends on vulnerable versions of request
  node_modules/openid
    passport-openid  >=0.4.0
    Depends on vulnerable versions of openid
    node_modules/passport-openid

YasharF commented 1 year ago

Currently used in the Steam example. openid-client is a potential replacement.

YasharF commented 1 year ago

Found out:

openid-client supports OpenID Connect, which is different than OpenID 2.0. OpenID connect is the newer tech and some call OpenID 2.0 obsolete.
https://en.wikipedia.org/wiki/OpenID shows that starting 2013 various companies started to discontinue support for OpenID.
Steam is still using OpenID, but passport-steam-openid seems to be a maintained plugin that only depends on axios and passport (easier to fork and maintain as well).

New plan:

Drop passport-openid
Add passport-steam-openid to handle the Steam usecase.

YasharF commented 1 year ago

Fixed by: https://github.com/sahat/hackathon-starter/commit/638e9813a735e5007dadbcdd54c1fc34d171c962