Fix breaking dependency issue #38 and bug #74 (Mitigates CVE-2022-25896)

[HNA-JP]

Description

This PR includes 2x single-line fixes for issues #38 and #74.

Fix A resolves or supersedes:

• need to update passport #38 - Dependency issue
• [Snyk] Upgrade passport from 0.1.18 to 0.6.0 #68 - Mitigation for CVE-2022-25896 (CWE-384)

Fix B resolves or supersedes:

• LDAP.js ECONNRESET Errors don't get suppressed correctly #74 - Failure in error check
• it is not e.errno. It must be e.code #65 - PR that didn't use the template

Issue #38

At the present moment, breaking changes in passport v0.5.1 cause Passport-WindowsAuth to fail authentication completely. This appears to be caused by changes in session handling between passport and express-session.
More information on that issue can be found in my comment in issue #38

This PR fixes the issue by bumping passport from ~0.1.15 to ~0.7.0, which is the latest version at the time of writing.

Code changed:

/package.json lines 21-24

@@ -19,7 +19,7 @@
  "author": "Auth0",
  "license": "MIT",
  "dependencies": {
-    "passport": "~0.1.15",
+    "passport": "~0.7.0",
    "ldapjs": "~1.0.0"
  },
  "devDependencies": {

Issue #74

This PR also resolves a bug with an error code check in /lib/LdapLookup.js that causes it to check the wrong object key.
More information on that issue can be found in my comment in issue #74

Code changed:

/lib/LdapLookup.js lines 22-27

@@ -21,7 +21,7 @@ var LdapLookup = module.exports = function(options){

  this._client.on('error', function(e){
    // Suppress logging of ECONNRESET if ldapjs's Client will automatically reconnect.
-    if (e.errno === 'ECONNRESET' && self._client.reconnect) return;
+    if (e.code === 'ECONNRESET' && self._client.reconnect) return;

    console.log('LDAP connection error:', e);
  });

An alternative could have been to change ECONNRESET to the error code shown in the console (-104), however this would have been less clear to anybody unfamiliar with the codebase.

References

• Locally
  • need to update passport #38 - Passport/express-session dependency mismatch
  • LDAP.js ECONNRESET Errors don't get suppressed correctly #74 - LDAP Connection error check failure
  • it is not e.errno. It must be e.code #65 - Stale PR that resolves LDAP.js ECONNRESET Errors don't get suppressed correctly #74
  • [Snyk] Upgrade passport from 0.1.18 to 0.6.0 #68 - Stale PR that mitigates CVE-2022-25896
• Upstream
  • passport.js throws login session error after upgrading from 0.4.1 to 0.6.0 jaredhanson/passport#939 - Upstream issue about serialization and the passport/express-session dependency mismatch

This PR aims to supersede PR #65 as that PR implements the same fix but did not use the PR template.
This PR also aims to supersede PR #68 as that PR has gone unapproved/unresolved

Testing

Testing for these changes should be pretty straightforward

Testing changes for #38

At this point in time, if you try to use the examples shown in readme.md, Passport-WindowsAuth never responds to the client, nor does it print any errors to the console.

If you're able to successfully authenticate after this PR, you'll know it's working as intended.

Testing changes for #74

You'll need to wait for LDAP to receive a connection reset event from the LDAP server. In an Active Directory environment, this should default to 15 minutes or 900 seconds. Once this timeout window occurs, as long as you added options.reconnect in your LDAP client settings, you shouldn't see anything in the console. Prior to this PR, you would have seen an error event logged to the console

Example error you shouldn't see:

(Console output)

LDAP connection error: Error: read ECONNRESET
    at TLSWrap.onStreamRead (node:internal/stream_base_commons:216:20) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

Checklist

• I have added documentation for new/changed functionality in this PR or in auth0.com/docs
• All active GitHub checks for tests, formatting, and security are passing
• The correct base branch is being used, if not the default branch

[HNA-JP]

Force pushed so I could sign commit 71e1aa7 (now 28ade10) per repo requirements