fix: Security upgrade passport from 0.5.3 to 0.6.0

[Moumouls]

New Pull Request Checklist

• I am not disclosing a vulnerability.
• I am creating this PR in reference to an issue.

Issue Description

Use express session system

Closes: #2759

Approach

Use express session

TODOs before merging

• Add tests
• Add changes to documentation (guides, repository pages, in-code descriptions)

Note

I checked that everything works in locla, login without and with Parse Dashboard users is working, session is correctly set in Cookies with HTTP only

Summary by CodeRabbit

• Bug Fixes

  • Improved logout reliability by ensuring the process completes before redirecting.
  • Stabilized session handling with explicit cookie behavior for consistent user sessions.
  • Ensured flash messages are consistently available during authentication flows.

• Chores

  • Updated authentication-related dependencies.
  • Replaced legacy session middleware with a more robust session implementation.

[parse-github-assistant]

I will reformat the title to use the proper commit message syntax.

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

📝 Walkthrough

Walkthrough

Replaced cookie-session with express-session in Parse-Dashboard/Authentication.js, moved connect-flash initialization after session middleware, made logout asynchronous using req.logout(callback), and updated package.json dependencies (removed cookie-session, added express-session, bumped passport).

Changes

Cohort / File(s)	Change Summary
Authentication & session management Parse-Dashboard/Authentication.js	Switched from cookie-session to express-session (configured name, secret, resave, saveUninitialized, cookie.maxAge, httpOnly, sameSite: 'lax'); initialized connect-flash after session middleware; updated logout to use req.logout(callback) and forward errors via next.
Dependencies package.json	Removed cookie-session@2.1.1; added express-session@1.18.2; updated passport from 0.5.3 to 0.7.0.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant C as Client
  participant E as Express App
  participant S as express-session
  participant F as connect-flash
  participant P as Passport

  rect rgba(200,230,255,0.20)
    note over E,S: New middleware order: session -> flash -> passport
    C->>E: Request (login / protected)
    E->>S: session middleware (attach req.session)
    E->>F: flash middleware (attach req.flash)
    E->>P: Passport authenticate (reads/writes req.session)
    P-->>E: Auth result (user on req)
    E-->>C: Response (Set-Cookie if session created)
  end

  rect rgba(220,255,220,0.20)
    note over C,E: Logout (async)
    C->>E: POST /logout
    E->>P: req.logout(callback)
    alt success
      P-->>E: callback(null)
      E-->>C: 302 Redirect to login
    else error
      P-->>E: callback(error)
      E->>E: next(error)
    end
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.
Title Check	⚠️ Warning	The current title claims a security upgrade of passport from 0.5.3 to 0.6.0, but the PR actually migrates the session middleware to express-session and bumps passport to 0.7.0, so it does not accurately or clearly describe the main change.	Please revise the title to reflect the primary migration to express-session and the correct passport version, for example: “feat: migrate to express-session for authentication and bump passport to 0.7.0.”

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	The PR description adheres to the repository template by including the checklist, a clear issue description with a closing reference, an approach section, and a TODO list indicating that tests are added and documentation updates are pending, so it is mostly complete.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Moumouls]

@mtrezza ready to review, i checked that everything works locally. So we remove the vulnerability warning of parse-dashboard

[uffizzi-cloud]

Uffizzi Ephemeral Environment deployment-65584

⌚ Updated Oct 10, 2025, 15:15 UTC

☁️ https://app.uffizzi.com/github.com/parse-community/parse-dashboard/pull/3000

📄 View Application Logs etc.

What is Uffizzi? Learn more

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

package.json (1)

45-45: Session middleware added — plan for production store and cookie hardening

Good switch. For production, avoid the default MemoryStore; wire a store (Redis/Mongo/etc.) and ensure cookie options (secure/sameSite) are set in the middleware config in Authentication.js. Based on learnings

Parse-Dashboard/Authentication.js (2)

60-68: Optional: allow external session store via options

To avoid MemoryStore in production, accept options.sessionStore and pass it to express-session. Based on learnings

Apply:

-  app.use(require('express-session')({
+  app.use(require('express-session')({
     name: 'parse_dash',
     secret: cookieSessionSecret,
     resave: false,
     saveUninitialized: false,
+    store: options.sessionStore || undefined,
     cookie: {
       maxAge: cookieSessionMaxAge != null ? Number(cookieSessionMaxAge) : undefined,
       httpOnly: true,
       sameSite: 'lax',
       secure: 'auto'
     }
   }));

---

87-92: Logout should also destroy the session and clear cookie

req.logout removes req.user but leaves the session. Destroy it to prevent reuse, then redirect.

Apply:

-  app.get('/logout', function (req, res, next) {
-    req.logout(function (err) {
-      if (err) { return next(err); }
-      res.redirect(`${self.mountPath}login`);
-    });
-  });
+  app.get('/logout', function (req, res, next) {
+    req.logout(function (err) {
+      if (err) { return next(err); }
+      // Destroy session and clear cookie
+      if (req.session) {
+        req.session.destroy(() => {
+          res.clearCookie('parse_dash');
+          res.redirect(`${self.mountPath}login`);
+        });
+      } else {
+        res.clearCookie('parse_dash');
+        res.redirect(`${self.mountPath}login`);
+      }
+    });
+  });

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d3389f8 and aae634d.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (2)

• Parse-Dashboard/Authentication.js (2 hunks)
• package.json (2 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

Parse-Dashboard/Authentication.js (1)

Parse-Dashboard/server.js (2)

• cookieSessionSecret (20-20)
• cookieSessionMaxAge (22-22)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Docker linux/amd64

🔇 Additional comments (2)

Parse-Dashboard/Authentication.js (1)

60-68: Harden session cookie and coerce maxAge

• In Parse-Dashboard/Authentication.js (lines 60–68), wrap cookieSessionMaxAge in Number() if it may be a string and add:

  httpOnly: true,
  sameSite: 'lax',
  secure: 'auto'
  

• Verify app.set('trust proxy', 1) is enabled when running behind a proxy.

package.json (1)

60-60: Passport 0.7.0 upgrade — no legacy API usage found Verified that all req.logout calls use the callback syntax; no remaining req.login/logIn or cookie-session references.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between aae634d and 54439d5.

📒 Files selected for processing (1)

• Parse-Dashboard/Authentication.js (2 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

Parse-Dashboard/Authentication.js (1)

Parse-Dashboard/server.js (3)

• app (160-160)
• cookieSessionSecret (20-20)
• cookieSessionMaxAge (22-22)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Docker linux/amd64

🔇 Additional comments (1)

Parse-Dashboard/Authentication.js (1)

88-93: LGTM! Async logout correctly implemented.

The logout handler correctly migrates to passport 0.7.0's asynchronous API, properly handling errors and redirecting only after successful logout.

[mtrezza]

@Moumouls is this a feature (i.e. any notable change for the dev / usr), or a fix due to the vulnerability?

[mtrezza]

@coderabbitai Suggest a PR title that describes the change in this PR and is according to angular commit convention.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@mtrezza, based on the changes in this PR (migrating from cookie-session to express-session and updating Passport to address a vulnerability), here are my suggestions for PR titles following Angular commit convention:

Primary recommendation:

fix(security): migrate from cookie-session to express-session

Alternative options:

If emphasizing the authentication system change:

fix(auth): migrate to express-session for authentication

If emphasizing the dependency updates:

fix(deps): update passport and migrate to express-session

If this is considered more of a refactoring than a fix:

refactor(auth): migrate from cookie-session to express-session

Reasoning:

• Using fix type because this PR addresses a security vulnerability warning mentioned by @Moumouls
• The security or auth scope clearly indicates the area affected
• The subject describes the main technical change (migration from cookie-session to express-session)
• This is more descriptive than the current "feat: Update passport" which doesn't capture the primary change

Would you like me to adjust any of these suggestions?

[parseplatformorg]

🎉 This change has been released in version 7.6.0-alpha.9

[parseplatformorg]

🎉 This change has been released in version 8.0.0