Revert "PP-14951 upgrade passport with express-sessions"

package.json

@@ -43,7 +43,6 @@
     "deep-diff": "1.0.2",
     "dotenv": "16.0.3",
     "express": "^5.2.1",
-    "express-session": "^1.19.0",
     "fast-csv": "^4.3.6",
     "google-libphonenumber": "~3.2.21",
     "govuk-frontend": "^5.10.2",
@@ -57,8 +56,8 @@
     "morgan": "^1.10.1",
     "multer": "2.1.1",
     "nunjucks": "3.2.4",
-    "passport": "~0.7.0",
-    "passport-github2": "^0.1.12",
+    "passport": "~0.5.3",
+    "passport-github": "1.1.0",
     "qs": "6.15.0",
     "rfc822-validate": "^1.0.0",
     "sass": "^1.62.1",
@@ -81,7 +80,7 @@
     "@types/morgan": "^1.9.2",
     "@types/multer": "^1.4.5",
     "@types/node": "20.5.9",
-    "@types/passport": "^1.0.17",
+    "@types/passport": "1.0.6",
     "@types/qs": "6.9.6",
     "@types/stripe": "6.25.8",
     "chai": "^4.3.4",

src/lib/auth.ts

@@ -36,10 +36,8 @@ export function unauthorised(req: Request, res: Response) {
   res.status(403).send('User does not have permissions to access the resource')
 }
 
-export function revokeSession(req: Request, res: Response, next: NextFunction) {
+export function revokeSession(req: Request, res: Response) {
   logger.info(`Revoking session for user ${req.user && req.user.username}`)
-    req.logout((err?: unknown) => {
-        if (err) return next(err);
-        res.redirect('/');
-    });
+  req.logout()
+  res.redirect('/') 
 }

src/lib/auth/github/strategy.js

@@ -1,5 +1,5 @@
 // github OAuth strategy
-const { Strategy } = require('passport-github2')
+const { Strategy } = require('passport-github')
 const config = require('../../../config')
 const logger = require('../../logger')
 

src/tests/session.spec.js

@@ -9,7 +9,7 @@ describe('session cookies', () => {
       .get('/healthcheck')
       .expect(200)
       .end((err, res) => {
-        expect(res.headers['set-cookie'][0]).to.contain('Expires=')
+        expect(res.headers['set-cookie'][0]).to.contain('expires=')
         expect(res.headers['set-cookie'][0]).to.not.contain('Invalid Date')
         done()
       })

src/web/server.js

@@ -4,7 +4,7 @@ const express = require('express')
 const metrics = require('@govuk-pay/pay-js-metrics')
 const helmet = require('helmet')
 const flash = require('connect-flash')
-const sessions = require('express-session')
+const sessions = require('client-sessions')
 const nunjucks = require('nunjucks')
 const csurf = require('csurf')
 const Sentry = require('@sentry/node')
@@ -36,9 +36,9 @@ const {
 
 const app = express()
 
-const serverBehindProxy = server.HTTP_PROXY
-
 function configureSecureHeaders(instance) {
+  const serverBehindProxy = server.HTTP_PROXY
+
   // only set certain proxy configured headers if not behind a proxy, the proxy
   // will be responsible for setting these headers
   const helmetOptions = serverBehindProxy ? {
@@ -88,22 +88,17 @@ function configureServingPublicStaticFiles(instance) {
 }
 
 function configureClientSessions(instance) {
+  const serverBehindProxy = server.HTTP_PROXY
   const thirtyMinutesInMillis = 30 * 60 * 1000
   instance.use(sessions({
-    name: 'session',
+    cookieName: 'session',
     secret: server.COOKIE_SESSION_ENCRYPTION_SECRET,
-    resave: false,
-    rolling: true,
-    saveUninitialized: false,
+    duration: server.SESSION_COOKIE_DURATION_IN_MILLIS || thirtyMinutesInMillis,
+    activeDuration: 5 * 60 * 1000,
     cookie: {
-      maxAge: server.SESSION_COOKIE_DURATION_IN_MILLIS || thirtyMinutesInMillis,
-      secure: serverBehindProxy,
-      httpOnly: true,
+      secureProxy: serverBehindProxy
     }
   }))
-  if (serverBehindProxy) {
-    instance.set('trust proxy', 1)
-  }
 }
 
 function configureAuth(instance) {