updated to express-jwt 6.0.0 to fix security vulnerability

cornflourblue · cornflourblue · commit 2956fd386ec9 · 2020-07-01T20:06:10.000+10:00
diff --git a/_middleware/authorize.js b/_middleware/authorize.js
@@ -1,4 +1,4 @@
-const expressJwt = require('express-jwt');
+const jwt = require('express-jwt');
 const { secret } = require('config.json');
 const db = require('_helpers/db');
 
@@ -13,7 +13,7 @@ function authorize(roles = []) {
 
     return [
         // authenticate JWT token and attach user to request object (req.user)
-        expressJwt({ secret }),
+        jwt({ secret, algorithms: ['HS256'] }),
 
         // authorize based on user role
         async (req, res, next) => {
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -18,7 +18,7 @@
         "cookie-parser": "^1.4.5",
         "cors": "^2.8.5",
         "express": "^4.17.1",
-        "express-jwt": "^5.3.3",
+        "express-jwt": "^6.0.0",
         "jsonwebtoken": "^8.5.1",
         "mongodb": "^3.5.7",
         "mongoose": "^5.9.11",
