Security and integration enhancements, dependency upgrades, bug fixes

Security Enhancements - Added URL validation for redirects through session.returnTo (CWE-601). - Fixed OAuth state parameter generation and handling to address CSRF attack vectors in the OAuth workflow. - Added additional sanitization for user input in database queries using $eq in MongoDB. API and Integration: - Unified formatting for authentication parameters in route definitions and passport.js configuration. - Refactored common code for OAuth 2 token processing in passport strategies to improve maintainability. - Reworked the GitHub and Twitch API integration examples with additional data from the APIs. - Reworked the Twilio API integration example to use Twilio’s sandbox servers and test phone numbers. - Upgraded the Pinterest API example to use v5 calls instead of the broken v1. - Reworked the Tumblr API integration example with additional data from the API. - Added a properly working OAuth 1.0a integration for Tumblr. - Removed sign-in by Snapchat due to increased difficulty for developers and a focus on hackathon participants. - Removed Foursquare OAuth authorization and updated the API demo with new examples. - Renamed Twitter to X (Some of the backend and code still reference Twitter due to upstream dependencies, and the login button is using Twitter colors pending X addition to bootstrap-social). Update/Upgrades: - Dropped support for Nodejs < 22 due to ESM module import issues prior to that version. - Migrated from the unmaintained passport-linkedin-oauth2 to a passport-openidconnect strategy. --- Added support and examples for openid-client. - Migrated from the deprecated paypal-rest-sdk to an example without the SDK, providing OAuth calls depending on the page state. - Migrated from the unmaintained bootstrap-social to a fork that can be easily patched and updated. - Migrated eslint to v9, and its new config format (breaking change). - Migrated Husky to v9, and its new config format (breaking change). Fixed Windows commit issue. - Updated dependencies. - Added temporary patch files for connect-flash and passport-openidconnect based on pending pull requests or issues on GitHub. Other: - Fixed a bug that prevented profile pictures from being displayed. - Added authentication link/unlink options to the user profile page for all OAuth/Identity providers. - Fixed typos, broken links, and minor formatting alignment issues on various pages. - Fixed spelling errors in startup information displayed in the console. - Refactored URL validation in unit tests for Gravatar generation to conform with CodeQL rules. Even though CodeQL does vulnerability checks, this is not a security issue since it is unit tests. - Updated the placeholder main.js to use the current format (not deprecated JS). - Updated the GitHub repo worker/runner configs to use proper permissions - Return exit code 1 if there is a database connection issue at startup. - Added the --trace-deprecation flag to startup to provide better information on runtime deprecation warnings. - .gitignore file to exclude the uploads path. - Updated the copyright year. - Updated documentation.
sahat · Feb 1, 2025 · e42d0f5 · e42d0f5
1 parent ed7f82d
commit e42d0f5
Show file tree

Hide file tree

Showing 44 changed files with 5,812 additions and 3,870 deletions.
diff --git a/.env.example b/.env.example
@@ -25,17 +25,14 @@ NYT_KEY=9548be6f3a64163d23e1539f067fcabd:5:68537648
 LASTFM_KEY=c8c0ea1c4a6b199b3429722512fbd17f
 LASTFM_SECRET=is cb7857b8fba83f819ea46ca13681fe71
 
-SNAPCHAT_ID=181f414f-9581-4498-be9a-a223d024cf10
-SNAPCHAT_SECRET=DyswCZGyuZl5BBEA1yWlcjyAoONB-_qw8WNodhc4hr4
-
 FACEBOOK_ID=754220301289665
 FACEBOOK_SECRET=41860e58c256a3d7ad8267d3c1939a4a
 
 GITHUB_ID=cb448b1d4f0c743a1e36
 GITHUB_SECRET=815aa4606f476444691c5f1c16b9c70da6714dc6
 
-TWITTER_KEY=6NNBDyJ2TavL407A3lWxPFKBI
-TWITTER_SECRET=ZHaYyK3DQCqv49Z9ofsYdqiUgeoICyh6uoBgFfu7OeYC7wTQKa
+X_KEY=6NNBDyJ2TavL407A3lWxPFKBI
+X_SECRET=ZHaYyK3DQCqv49Z9ofsYdqiUgeoICyh6uoBgFfu7OeYC7wTQKa
 
 GOOGLE_ID=828110519058.apps.googleusercontent.com
 GOOGLE_SECRET=JdZsIaWhUFIchmC1a_IZzOHb

diff --git a/.eslintrc b/.eslintrc
diff --git a/.github/workflows/node.js.yml b/.github/workflows/node.js.yml
@@ -1,31 +1,29 @@
-# This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node
-# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-nodejs
-
-name: Node.js CI
+name: Node.js CI with CodeQL
 
 on:
   push:
     branches: [ "master" ]
   pull_request:
     branches: [ "master" ]
 
+permissions:
+  contents: read
+  pull-requests: write
+  security-events: write
+
 jobs:
   build:
-
     runs-on: ubuntu-latest
-
     strategy:
       matrix:
-        node-version: [18.x, 20.x]
-        # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
-
+        node-version: [ 22.x ]
     steps:
-    - uses: actions/checkout@v3
-    - name: Use Node.js ${{ matrix.node-version }}
-      uses: actions/setup-node@v3
-      with:
-        node-version: ${{ matrix.node-version }}
-        cache: 'npm'
-    - run: npm install
-    - run: npm run lint
-    - run: npm run test
+      - uses: actions/checkout@v4
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: 'npm'
+      - run: npm install
+      - run: npm run lint
+      - run: npm run test
diff --git a/.gitignore b/.gitignore
@@ -27,6 +27,9 @@ public/css/main.css
 node_modules
 bower_components
 
+# Uploads
+uploads
+
 # Editors
 .idea
 .vscode

diff --git a/.husky/pre-commit b/.husky/pre-commit
@@ -1 +1,4 @@
-npm run lintStage
+#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+
+npm test
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,49 @@
 # Changelog
 ---------
 
+### 8.1.0 (February 1, 2025)
+Security Enhancements
+- Added URL validation for redirects through session.returnTo (CWE-601).
+- Fixed OAuth state parameter generation and handling to address CSRF attack vectors in the OAuth workflow.
+- Added additional sanitization for user input in database queries using $eq in MongoDB.
+
+API and Integration:
+- Unified formatting for authentication parameters in route definitions and passport.js configuration.
+- Refactored common code for OAuth 2 token processing in passport strategies to improve maintainability.
+- Reworked the GitHub and Twitch API integration examples with additional data from the APIs.
+- Reworked the Twilio API integration example to use Twilio’s sandbox servers and test phone numbers.
+- Upgraded the Pinterest API example to use v5 calls instead of the broken v1.
+- Reworked the Tumblr API integration example with additional data from the API.
+- Added a properly working OAuth 1.0a integration for Tumblr.
+- Removed sign-in by Snapchat due to increased difficulty for developers and a focus on hackathon participants.
+- Removed Foursquare OAuth authorization and updated the API demo with new examples.
+- Renamed Twitter to X (Some of the backend and code still reference Twitter due to upstream dependencies, and the login button is using Twitter colors pending X addition to bootstrap-social).
+
+Update/Upgrades:
+- Dropped support for Nodejs < 22 due to ESM module import issues prior to that version.
+- Migrated from the unmaintained passport-linkedin-oauth2 to a passport-openidconnect strategy.
+--- Added support and examples for openid-client.
+- Migrated from the deprecated paypal-rest-sdk to an example without the SDK, providing OAuth calls depending on the page state.
+- Migrated from the unmaintained bootstrap-social to a fork that can be easily patched and updated.
+- Migrated eslint to v9, and its new config format (breaking change).
+- Migrated Husky to v9, and its new config format (breaking change). Fixed Windows commit issue.
+- Updated dependencies. 
+- Added temporary patch files for connect-flash and passport-openidconnect based on pending pull requests or issues on GitHub.
+
+Other:
+- Fixed a bug that prevented profile pictures from being displayed.
+- Added authentication link/unlink options to the user profile page for all OAuth/Identity providers.
+- Fixed typos, broken links, and minor formatting alignment issues on various pages.
+- Fixed spelling errors in startup information displayed in the console.
+- Refactored URL validation in unit tests for Gravatar generation to conform with CodeQL rules. Even though CodeQL does vulnerability checks, this is not a security issue since it is unit tests.
+- Updated the placeholder main.js to use the current format (not deprecated JS).
+- Updated the GitHub repo worker/runner configs to use proper permissions
+- Return exit code 1 if there is a database connection issue at startup.
+- Added the --trace-deprecation flag to startup to provide better information on runtime deprecation warnings.
+- .gitignore file to exclude the uploads path.
+- Updated the copyright year.
+- Updated documentation.
+
 ### 8.0.0 (July 28, 2023)
 
 - Security: Renamed the cookie and set secure attribute for cookie transmission when https is present
@@ -47,7 +90,6 @@ API example changes:
 - Added missing parameters for the Lob's new API requirements
 - Improved the Last.fm API example as the artist image is no longer vended by last.fm
 
-
 ### 7.0.0 (Mar 26, 2022)
 - Dropped support for Node.js <16
 - Switched to Bootstrap 5

diff --git a/LICENSE b/LICENSE
@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2014-2023 Sahat Yalkabov
+Copyright (c) 2014-2025 Sahat Yalkabov
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal