req.session.regenerate is not a function since upgrade to 0.6.0

Question

req.session.regenerate is not a function since upgrade to 0.6.0

nickyblissAviva opened this issue 2 years ago · 28 comments

We have been using passport for some time within our application and have had no issues but once upgraded from 0.5.2 to 0.6.0 we are suddenly seeing an error when submitting authentication.

C:\stash\NTTSites\sites\fw-standards\node_modules\passport\lib\sessionmanager.js:28
  req.session.regenerate(function(err) {
              ^

TypeError: req.session.regenerate is not a function
    at SessionManager.logIn (C:\stash\NTTSites\sites\fw-standards\node_modules\passport\lib\sessionmanager.js:28:15)
    at IncomingMessage.req.login.req.logIn (C:\stash\NTTSites\sites\fw-standards\node_modules\passport\lib\http\request.js:39:26)
    at Strategy.strategy.success (C:\stash\NTTSites\sites\fw-standards\node_modules\passport\lib\middleware\authenticate.js:256:13)
    at verified (C:\stash\NTTSites\sites\fw-standards\node_modules\passport-local\lib\strategy.js:83:10)
    at Strategy.runAuth [as _verify] (C:\stash\NTTSites\sites\fw-standards\utils\passport-authentication.js:60:10)

Our passport-authentication.js just initialises passport within expressJS and sets some local strategies.

I have rolled back to 0.5.3 and our application works fine again.

Environment

Operating System: Windows 10
Node version: 16.13.2
passport version: 0.6.0

AlvesJorge commented a year ago

+1 Above

Answer 1 · 2022-05-27T14:35:30.000Z

What are you using for session middleware?

Answer 2 · 2022-05-27T14:40:02.000Z

cookie-session 2.0.0

Answer 3 · 2022-05-27T14:54:17.000Z

Thanks for the report. This is a duplicate of #904. I'd recommend pinning to 0.5.x, until I've had a chance to release an update with the new features described on the initial issue.

Answer 4 · 2022-12-15T07:07:40.000Z

Passport 0.5.0 has a significant vulnerability, and when we update to 0.6.0, we see the error "TypeError: req.session.regenerate is not a function." Does that mean that anything relating to the session create issue needs to be manually edited?

Answer 5 · 2023-03-10T03:25:58.000Z

Any update for March 2023? I see that @VottonDev has a fix in their separate repo..

Answer 6 · 2023-03-10T16:32:34.000Z

Any update for March 2023? I see that @VottonDev has a fix in their separate repo..

Yeah, I'm using: https://github.com/joeyguerra/passport#missing-regenerate-on-req temporarily till passport fixes it upstream and that works for me so far when using the cookie-session module.

Answer 7 · 2023-03-10T20:26:14.000Z

@VottonDev, what's the best way to apply the fix in joeyguerra's fork?

Answer 8 · 2023-03-10T20:32:03.000Z

@VottonDev, what's the best way to apply the fix in joeyguerra's fork?

Well I've changed my package.json passport to
"passport": "github:joeyguerra/passport#missing-regenerate-on-req",

The PR for the fix is here, which is how I found it:
#947

Answer 9 · 2023-03-16T15:30:56.000Z

I am getting the below error when I logout from my application. I am using express-session module to manage the sessions. According to the above discussion is there a permanent fix for this or do I need to downgrade from Passport 0.6.0

/node_modules/passport/lib/sessionmanager.js:83
req.session.regenerate(function(err) {
^
TypeError: Cannot read properties of undefined (reading 'regenerate')
at Immediate. (/node_modules/passport/lib/sessionmanager.js:83:17)
at process.processImmediate (node:internal/timers:471:21)

Answer 10 · 2023-03-20T10:52:18.000Z

Hi All,

Can anyone please confirm the status of this issue as this is currently blocking one of our production deployments? Is there a permanent fix for this or do we need to downgrade to 0.5.x version?

Answer 11 · 2023-04-13T09:47:22.000Z

I encountered a similar problem with version 0.6 of Passport. To resolve it, I downgraded to version 0.5.0

Answer 12 · 2023-06-13T05:40:23.000Z

I ended up resolving this issue for our upgrade to passport 0.6.0 by stubbing the regenerate and save methods. I patched the dependency in our repository in the lib/sessionmanager.js file as such:

  options = options || {};

+  this._delegate = options.delegate || {
+        regenerate: function(req, cb) {
+            cb();
+        },
+        save: function(req, cb) {
+            cb();
+        }
+    };

And then propagating those changes to the various calls to save and regenerate in the file.

Answer 13 · 2023-08-26T18:23:16.000Z

@imartinezmorales-loom do we simply have to add these lines or have to change/remove something as well

Answer 14 · 2023-08-29T14:45:57.000Z

@recursiveway - I actually ended up writing a middleware function that I pull into our express server. The middleware function is just a stub similar to the one above:

export const passportMiddleware = (request, response, next) => {
  if (request.session && !request.session.regenerate) {
    request.session.regenerate = cb => {
      cb();
    };
  }

  if (request.session && !request.session.save) {
    request.session.save = cb => {
      cb();
    };
  }

  next();
};

Answer 15 · 2023-11-02T07:30:55.000Z

instead of using cookie-session I've used express-session as a session middleware with the latest passport package and this solves the problem.

Answer 16 · 2023-11-05T12:12:18.000Z

@tonmoydeb404 but they serve different purposes, it's not a solution.

Answer 17 · 2023-11-07T09:18:40.000Z

Can't believe this still isn't fixed?

Answer 18 · 2023-11-28T09:25:11.000Z

instead of using cookie-session I've used express-session as a session middleware with the latest passport package and this solves the problem.

Yes but it should also work with cookie-session, it did until 0.5.0. It's not so easy for everyone to switch the session manager, especially on large projects. Hopefully this gets fixed sometime soon

Answer 19 · 2023-12-02T18:40:44.000Z

So should I change session manager from cookie-session to express-session, or stay on passport 0.5?

Answer 20 · 2023-12-16T17:37:40.000Z

@drebel, it shows me, Error: req#logout requires a callback function

Answer 21 · 2024-04-11T18:18:36.000Z

Any news for this one? I'm getting same error under passport 0.7.0 and cookie-session 2.1.0

Answer 22 · 2024-04-12T09:07:22.000Z

@yevon

Any news for this one? I'm getting same error under passport 0.7.0 and cookie-session 2.1.0

Hey, the cookie-session isn't officialy supported by passport. So I don't think they will ever make support for it. I used to use cookie-session, but I switched to express-session and it works very well. I suggest you to switch too.

Have a nice day,
Daniel Kroufek

Answer 23 · 2024-04-12T09:31:54.000Z

@yevon

Any news for this one? I'm getting same error under passport 0.7.0 and cookie-session 2.1.0

Hey, the cookie-session isn't officialy supported by passport. So I don't think they will ever make support for it. I used to use cookie-session, but I switched to express-session and it works very well. I suggest you to switch too.

Have a nice day, Daniel Kroufek

Thanks for that! I will try to replace it

Answer 24 · 2024-05-02T17:37:46.000Z

@yevon

Any news for this one? I'm getting same error under passport 0.7.0 and cookie-session 2.1.0

Hey, the cookie-session isn't officialy supported by passport. So I don't think they will ever make support for it. I used to use cookie-session, but I switched to express-session and it works very well. I suggest you to switch too.
Have a nice day, Daniel Kroufek

Thanks for that! I will try to replace it

express-session does not store cookies on the client side, the session gets destroyed every time the serve restarts, this is not a solution.

Answer 25 · 2024-05-02T18:28:06.000Z

With express jwt you can store the coockie as http only, I have it working now.

Answer 26 · 2024-05-28T12:58:09.000Z

express-session

Thanks for your suggestion

Answer 27 · 2024-06-01T10:14:56.000Z

@asaxena1415

express-session does not store cookies on the client side, the session gets destroyed every time the serve restarts, this is not a solution.

The solution for this is making a database to save user sessions, for example really simple is SQLite.