ytgov / vue-template

A template for Vue.js-based web apps for internal services.
Apache License 2.0

Replace passport-openidconnect with something better #3

Open leeomara opened 3 years ago

leeomara commented 3 years ago

passport-openidconnect, at version 0.0.2, hasn't been updated in years and is responsible (I think) for some of the security alerts identified by Dependabot (https://github.com/ytgov/vue-template/network/alerts).

One option is openid-client, a certified OpenID Connect client for Relying Parties that supports passport.

leeomara commented 2 years ago

Max has done work implementing a new library. See 2d23236.

ryanjagar commented 2 years ago

I've replaced passport-openidconnect with express-openid-connect and cleaned out all the package files for /api. As expected, removing the old library cleaned up a lot of the more egregious security errors.

Todo:

leeomara commented 2 years ago

This work appears to have been done mostly in 480273, 65b15d5.

In the future, I think it would be preferable if this work was done in a branch and a pull request was created to track this work.