node-saml / passport-saml

SAML 2.0 authentication with Passport


[BUG] Callback URL switches from https to http

newmanw opened this issue · comments

To Reproduce
When using the path attribute to configure saml, the callback URL generated is http, not https. This seems to be a regression from a previous version.

const passport = require("passport");
const { Strategy: SamlStrategy } = require("passport-saml");

passport.use(
  new SamlStrategy(
    {
      path: "/login/callback", // if req is https, the generated url passed to saml server will be http
      entryPoint:
        "https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php",
      issuer: "passport-saml",
      cert: "fake cert", // cert must be provided
    },
    (profile, done) => done(null, profile) // verify callback
  )
);

Expected behavior
Use same protocol as request

Environment

  • Node.js version: 18+
  • passport-saml version: 4.0.4
  • Express: 4.18.2
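An added example, not part of the issue above and not passport-saml's own code, showing why a `path`-only configuration produces an `http://` AssertionConsumerServiceURL when TLS is terminated in front of Node, and why an absolute `callbackUrl` removes the dependence on the incoming request altogether. `resolveCallbackUrl` and `requestProtocol` are hypothetical stand-ins for the strategy's URL construction and for Express's `req.protocol`; only the option names `path`, `protocol`, `host` and `callbackUrl` mirror passport-saml's documented options. The sample request is constructed.

```javascript
// Mimics Express: req.protocol reflects the socket unless `trust proxy` is
// enabled and the proxy supplied X-Forwarded-Proto. (Hypothetical helper.)
function requestProtocol(req, trustProxy) {
  const forwarded = req.headers["x-forwarded-proto"];
  if (trustProxy && forwarded) {
    return forwarded.split(",")[0].trim();
  }
  return req.socketEncrypted ? "https" : "http";
}

// Hypothetical stand-in for building the SP callback URL that ends up as the
// AssertionConsumerServiceURL in the AuthnRequest.
function resolveCallbackUrl(options, req, { trustProxy = false } = {}) {
  // Preferred: an absolute URL chosen by the operator, independent of how
  // the request happened to reach Node (proxy, plain HTTP, port rewriting).
  if (options.callbackUrl) {
    return new URL(options.callbackUrl).toString();
  }
  if (!options.path) {
    throw new Error("either callbackUrl or path must be configured");
  }
  // Fallback: derive scheme and host from the request, as `path` requires.
  // `protocol` follows passport-saml's convention of including "://".
  const protocol = options.protocol || `${requestProtocol(req, trustProxy)}://`;
  const host = options.host || req.headers.host;
  return `${protocol}${host}${options.path}`;
}

// Constructed sample: the browser spoke HTTPS to a reverse proxy, which
// forwarded plain HTTP to the Node process.
const proxiedRequest = {
  headers: { host: "sp.example.com", "x-forwarded-proto": "https" },
  socketEncrypted: false,
};

// Runs the three configurations side by side and returns the URLs that the
// IdP would be told to post the SAML response to.
function demo() {
  const pathOnly = { path: "/login/callback" };
  const absolute = { callbackUrl: "https://sp.example.com/login/callback" };
  return {
    // 1. path only, proxy not trusted: the reported symptom, an http:// URL
    pathUntrusted: resolveCallbackUrl(pathOnly, proxiedRequest),
    // 2. path only after app.set("trust proxy", true): follows X-Forwarded-Proto
    pathTrusted: resolveCallbackUrl(pathOnly, proxiedRequest, { trustProxy: true }),
    // 3. absolute callbackUrl: correct regardless of request plumbing
    absolute: resolveCallbackUrl(absolute, proxiedRequest),
  };
}

console.log(demo());
```

The check a practitioner wants here is simple: the URL the SP puts in its AuthnRequest must be exactly the ACS URL registered at the IdP, so a scheme flip is not cosmetic. Configuring the absolute `callbackUrl` (option 3) is the robust fix; enabling `trust proxy` (option 2) only helps when the proxy is the sole source of `X-Forwarded-Proto`.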

This is duplicate of:

The issue was addressed in a PR that was released in version 5.0.0 (the link points to a comment that discusses which way it could be fixed):

Also related issue (about path parameter):

Either way, passport-saml (actually node-saml, at the heart of passport-saml) is not in the business of building URLs anymore, as the maintainer of the project states in the comment #909 (comment)

FWIW: If you experienced this issue today, it means that you updated from passport-saml 2.x or earlier to 4.0.4 (because the issue that you reported surfaced in version 3.x).

Be aware that passport-saml versions < 3.2.2 (and certain 4.x versions) had this authentication bypass vulnerability:

which was actually a vulnerability in one of the dependencies: