From 61fd4e585e3dbae7f0e8f2f4d06940df3ebe42c0 Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Tue, 24 Dec 2024 14:24:47 +0100
Subject: [PATCH 01/48] update manifest

---
 manifests/nodejs.yml | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/manifests/nodejs.yml b/manifests/nodejs.yml
index 696c928b4f..8d9bb9f9d8 100644
--- a/manifests/nodejs.yml
+++ b/manifests/nodejs.yml
@@ -41,6 +41,7 @@ refs:
   - &ref_5_26_0 '>=5.26.0 || ^4.50.0'
   - &ref_5_27_0 '>=5.27.0 || ^4.51.0'
   - &ref_5_29_0 '>=5.29.0 || ^4.53.0' # express 5 support
+  - &ref_5_31_0 '>=5.31.0 || ^4.55.0'
 
 tests/:
   apm_tracing_e2e/:
@@ -495,21 +496,21 @@ tests/:
       Test_V2_Login_Events_RC: irrelevant
       Test_V3_Auto_User_Instrum_Mode_Capability: *ref_5_29_0
       Test_V3_Login_Events:
-          '*': *ref_5_29_0
-          nextjs: missing_feature
+        '*': *ref_5_29_0
+        nextjs: missing_feature
       Test_V3_Login_Events_Anon:
-          '*': *ref_5_29_0
-          nextjs: missing_feature
+        '*': *ref_5_29_0
+        nextjs: missing_feature
       Test_V3_Login_Events_Blocking:
-          '*': *ref_5_29_0
-          nextjs: missing_feature
+        '*': *ref_5_29_0
+        nextjs: missing_feature
       Test_V3_Login_Events_RC:
-          '*': *ref_5_29_0
-          nextjs: missing_feature
+        '*': *ref_5_29_0
+        nextjs: missing_feature
     test_automated_user_and_session_tracking.py:
-      Test_Automated_Session_Blocking: missing_feature
-      Test_Automated_User_Blocking: missing_feature
-      Test_Automated_User_Tracking: missing_feature
+      Test_Automated_Session_Blocking: *ref_5_31_0
+      Test_Automated_User_Blocking: *ref_5_31_0
+      Test_Automated_User_Tracking: *ref_5_31_0
     test_blocking_addresses.py:
       Test_BlockingGraphqlResolvers:
         '*': *ref_4_22_0

From f6ee13fef26091ad8622d02f75939534bb3f7def Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Tue, 24 Dec 2024 14:25:09 +0100
Subject: [PATCH 02/48] install express-session

---
 .../docker/nodejs/express/package-lock.json   | 119 ++++++++++++++++++
 .../build/docker/nodejs/express/package.json  |   1 +
 2 files changed, 120 insertions(+)

diff --git a/utils/build/docker/nodejs/express/package-lock.json b/utils/build/docker/nodejs/express/package-lock.json
index 20fdbcf0ba..678d63afe7 100644
--- a/utils/build/docker/nodejs/express/package-lock.json
+++ b/utils/build/docker/nodejs/express/package-lock.json
@@ -14,6 +14,7 @@
         "axios": "1.2.3",
         "body-parser": "^1.19.1",
         "cookie-parser": "^1.4.6",
+        "express-session": "^1.18.1",
         "express-xml-bodyparser": "^0.3.0",
         "glob": "^8.0.3",
         "graphql": "^15.8.0",
@@ -1992,6 +1993,72 @@
         "node": ">=0.8.x"
       }
     },
+    "node_modules/express-session": {
+      "version": "1.18.1",
+      "resolved": "https://registry.npmjs.org/express-session/-/express-session-1.18.1.tgz",
+      "integrity": "sha512-a5mtTqEaZvBCL9A9aqkrtfz+3SMDhOVUnjafjo+s7A9Txkq+SVX2DLvSp1Zrv4uCXa3lMSK3viWnh9Gg07PBUA==",
+      "dependencies": {
+        "cookie": "0.7.2",
+        "cookie-signature": "1.0.7",
+        "debug": "2.6.9",
+        "depd": "~2.0.0",
+        "on-headers": "~1.0.2",
+        "parseurl": "~1.3.3",
+        "safe-buffer": "5.2.1",
+        "uid-safe": "~2.1.5"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/express-session/node_modules/cookie": {
+      "version": "0.7.2",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
+      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/express-session/node_modules/cookie-signature": {
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.7.tgz",
+      "integrity": "sha512-NXdYc3dLr47pBkpUCHtKSwIOQXLVn8dZEuywboCOJY/osA0wFSLlSawr3KN8qXJEyX66FcONTH8EIlVuK0yyFA=="
+    },
+    "node_modules/express-session/node_modules/on-headers": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/on-headers/-/on-headers-1.0.2.tgz",
+      "integrity": "sha512-pZAE+FJLoyITytdqK0U5s+FIpjN0JP3OzFi/u8Rx+EV5/W+JTWGXG8xFzevE7AjBfDqHv/8vL8qQsIhHnqRkrA==",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/express-session/node_modules/parseurl": {
+      "version": "1.3.3",
+      "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz",
+      "integrity": "sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/express-session/node_modules/uid-safe": {
+      "version": "2.1.5",
+      "resolved": "https://registry.npmjs.org/uid-safe/-/uid-safe-2.1.5.tgz",
+      "integrity": "sha512-KPHm4VL5dDXKz01UuEd88Df+KzynaohSL9fBh096KWAxSKZQDI2uBrVqtvRM4rwrIrRRKsdLNML/lnaaVSRioA==",
+      "dependencies": {
+        "random-bytes": "~1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/express-session/node_modules/uid-safe/node_modules/random-bytes": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/random-bytes/-/random-bytes-1.0.0.tgz",
+      "integrity": "sha512-iv7LhNVO047HzYR3InF6pUcUsPQiHTM1Qal51DcGSuZFBil1aBBWG5eHPNek7bvILMaYJ/8RU1e8w1AMdHmLQQ==",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
     "node_modules/express-xml-bodyparser": {
       "version": "0.3.0",
       "resolved": "https://registry.npmjs.org/express-xml-bodyparser/-/express-xml-bodyparser-0.3.0.tgz",
@@ -6749,6 +6816,58 @@
       "resolved": "https://registry.npmjs.org/events/-/events-3.3.0.tgz",
       "integrity": "sha512-mQw+2fkQbALzQ7V0MY0IqdnXNOeTtP4r0lN9z7AAawCXgqea7bDii20AYrIBrFd/Hx0M2Ocz6S111CaFkUcb0Q=="
     },
+    "express-session": {
+      "version": "1.18.1",
+      "resolved": "https://registry.npmjs.org/express-session/-/express-session-1.18.1.tgz",
+      "integrity": "sha512-a5mtTqEaZvBCL9A9aqkrtfz+3SMDhOVUnjafjo+s7A9Txkq+SVX2DLvSp1Zrv4uCXa3lMSK3viWnh9Gg07PBUA==",
+      "requires": {
+        "cookie": "0.7.2",
+        "cookie-signature": "1.0.7",
+        "debug": "2.6.9",
+        "depd": "~2.0.0",
+        "on-headers": "~1.0.2",
+        "parseurl": "~1.3.3",
+        "safe-buffer": "5.2.1",
+        "uid-safe": "~2.1.5"
+      },
+      "dependencies": {
+        "cookie": {
+          "version": "0.7.2",
+          "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
+          "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w=="
+        },
+        "cookie-signature": {
+          "version": "1.0.7",
+          "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.7.tgz",
+          "integrity": "sha512-NXdYc3dLr47pBkpUCHtKSwIOQXLVn8dZEuywboCOJY/osA0wFSLlSawr3KN8qXJEyX66FcONTH8EIlVuK0yyFA=="
+        },
+        "on-headers": {
+          "version": "1.0.2",
+          "resolved": "https://registry.npmjs.org/on-headers/-/on-headers-1.0.2.tgz",
+          "integrity": "sha512-pZAE+FJLoyITytdqK0U5s+FIpjN0JP3OzFi/u8Rx+EV5/W+JTWGXG8xFzevE7AjBfDqHv/8vL8qQsIhHnqRkrA=="
+        },
+        "parseurl": {
+          "version": "1.3.3",
+          "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz",
+          "integrity": "sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ=="
+        },
+        "uid-safe": {
+          "version": "2.1.5",
+          "resolved": "https://registry.npmjs.org/uid-safe/-/uid-safe-2.1.5.tgz",
+          "integrity": "sha512-KPHm4VL5dDXKz01UuEd88Df+KzynaohSL9fBh096KWAxSKZQDI2uBrVqtvRM4rwrIrRRKsdLNML/lnaaVSRioA==",
+          "requires": {
+            "random-bytes": "~1.0.0"
+          },
+          "dependencies": {
+            "random-bytes": {
+              "version": "1.0.0",
+              "resolved": "https://registry.npmjs.org/random-bytes/-/random-bytes-1.0.0.tgz",
+              "integrity": "sha512-iv7LhNVO047HzYR3InF6pUcUsPQiHTM1Qal51DcGSuZFBil1aBBWG5eHPNek7bvILMaYJ/8RU1e8w1AMdHmLQQ=="
+            }
+          }
+        }
+      }
+    },
     "express-xml-bodyparser": {
       "version": "0.3.0",
       "resolved": "https://registry.npmjs.org/express-xml-bodyparser/-/express-xml-bodyparser-0.3.0.tgz",
diff --git a/utils/build/docker/nodejs/express/package.json b/utils/build/docker/nodejs/express/package.json
index 15741334e9..42c77baea6 100644
--- a/utils/build/docker/nodejs/express/package.json
+++ b/utils/build/docker/nodejs/express/package.json
@@ -15,6 +15,7 @@
     "axios": "1.2.3",
     "body-parser": "^1.19.1",
     "cookie-parser": "^1.4.6",
+    "express-session": "^1.18.1",
     "express-xml-bodyparser": "^0.3.0",
     "glob": "^8.0.3",
     "graphql": "^15.8.0",

From 0310f6dbfcfeb80d5ce9fc17ecdf0c364ba356e7 Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Tue, 24 Dec 2024 14:26:06 +0100
Subject: [PATCH 03/48] use express-session

---
 utils/build/docker/nodejs/express/app.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/utils/build/docker/nodejs/express/app.js b/utils/build/docker/nodejs/express/app.js
index 5f765627b7..186a3c5d82 100644
--- a/utils/build/docker/nodejs/express/app.js
+++ b/utils/build/docker/nodejs/express/app.js
@@ -37,6 +37,12 @@ app.use(require('body-parser').json())
 app.use(require('body-parser').urlencoded({ extended: true }))
 app.use(require('express-xml-bodyparser')())
 app.use(require('cookie-parser')())
+app.use(require('express-session')({
+  secret: 'secret',
+  resave: false,
+  rolling: true,
+  saveUninitialized: true
+}))
 iast.initMiddlewares(app)
 
 app.get('/', (req, res) => {

From 06fbb85194af16ef3d270d6848544ff9e888aa81 Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Tue, 24 Dec 2024 15:27:37 +0100
Subject: [PATCH 04/48] rewrite auth.js

---
 utils/build/docker/nodejs/express/auth.js | 110 ++++++++++++----------
 1 file changed, 61 insertions(+), 49 deletions(-)

diff --git a/utils/build/docker/nodejs/express/auth.js b/utils/build/docker/nodejs/express/auth.js
index 0a0374efa7..ec683cf0ad 100644
--- a/utils/build/docker/nodejs/express/auth.js
+++ b/utils/build/docker/nodejs/express/auth.js
@@ -19,43 +19,76 @@ const users = [
 ]
 
 module.exports = function (app, passport, tracer) {
-  passport.use(new LocalStrategy({ usernameField: 'username', passwordField: 'password' },
-    (username, password, done) => {
-      const user = users.find(user => (user.username === username) && (user.password === password))
-      if (!user) {
-        return done(null, false)
-      } else {
-        return done(null, user)
-      }
-    })
-  )
+  app.use(passport.initialize())
+  app.use(passport.session())
+
+  passport.serializeUser((user, done) => {
+    done(null, user.id)
+  })
+
+  passport.deserializeUser((userId, done) => {
+    const user = users.find(user => user.id === userId)
+
+    done(null, user)
+  })
+
+  passport.use(new LocalStrategy((username, password, done) => {
+    const user = users.find(user => user.username === username && user.password === password)
+
+    done(null, user)
+  }))
 
   passport.use(new BasicStrategy((username, password, done) => {
-    const user = users.find(user => (user.username === username) && (user.password === password))
-    if (!user) {
-      return done(null, false)
+    const user = users.find(user => user.username === username && user.password === password)
+
+    done(null, user)
+  }))
+
+  // rewrite url depending on which strategy to use
+  app.all('/login', (req, res, next) => {
+    let newRoute
+
+    switch (req.query?.auth) {
+      case 'basic':
+        newRoute = '/login/basic'
+        break
+
+      case 'local':
+      default:
+        newRoute = '/login/local'
+    }
+
+    req.url = req.url.replace('/login', newRoute)
+
+    next()
+  })
+
+  app.use('/login/local', passport.authenticate('local', { failWithError: true }), handleError)
+  app.use('/login/basic', passport.authenticate('basic', { failWithError: true }), handleError)
+
+  // only stop if unexpected error
+  function handleError (err, req, res, next) {
+    if (err?.name !== 'AuthenticationError') {
+      console.error('unexpected login error', err)
+      next(err)
     } else {
-      return done(null, user)
+      next()
     }
   }
-  ))
 
-  function handleAuthentication (req, res, next, err, user, info) {
+  // callback for all strategies to run SDK
+  app.all('/login/*', (req, res) => {
     const event = req.query.sdk_event
     const userId = req.query.sdk_user || 'sdk_user'
     const userMail = req.query.sdk_mail || 'system_tests_user@system_tests_user.com'
     const exists = req.query.sdk_user_exists === 'true'
 
-    if (err) {
-      console.error('unexpected login error', err)
-      return next(err)
-    }
-    if (!user) {
-      if (event === 'failure') {
-        tracer.appsec.trackUserLoginFailureEvent(userId, exists, { metadata0: 'value0', metadata1: 'value1' })
-      }
+    let statusCode = req.user ? 200 : 401
 
-      res.sendStatus(401)
+    if (event === 'failure') {
+      tracer.appsec.trackUserLoginFailureEvent(userId, exists, { metadata0: 'value0', metadata1: 'value1' })
+
+      statusCode = 401
     } else if (event === 'success') {
       tracer.appsec.trackUserLoginSuccessEvent(
         {
@@ -69,30 +102,9 @@ module.exports = function (app, passport, tracer) {
         }
       )
 
-      res.sendStatus(200)
-    } else {
-      res.sendStatus(200)
+      statusCode = 200
     }
-  }
 
-  function getStrategy (req, res, next) {
-    const auth = req.query && req.query.auth
-    if (auth === 'local') {
-      return passport.authenticate('local', { session: false }, function (err, user, info) {
-        handleAuthentication(req, res, next, err, user, info)
-      })(req, res, next)
-    } else {
-      return passport.authenticate('basic', { session: false }, function (err, user, info) {
-        handleAuthentication(req, res, next, err, user, info)
-      })(req, res, next)
-    }
-  }
-
-  app.use(passport.initialize())
-  app.all('/login',
-    getStrategy,
-    (req, res, next) => {
-      res.sendStatus(200)
-    }
-  )
+    res.sendStatus(statusCode)
+  })
 }

From ec84141e768d2062e45d84b3452dd37c2376c5ee Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Thu, 26 Dec 2024 11:22:39 +0100
Subject: [PATCH 05/48] move auth middleware up

---
 utils/build/docker/nodejs/express/app.js  | 5 ++---
 utils/build/docker/nodejs/express/auth.js | 3 ++-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/utils/build/docker/nodejs/express/app.js b/utils/build/docker/nodejs/express/app.js
index 186a3c5d82..b44f9c9795 100644
--- a/utils/build/docker/nodejs/express/app.js
+++ b/utils/build/docker/nodejs/express/app.js
@@ -9,7 +9,6 @@ const { promisify } = require('util')
 const app = require('express')()
 const axios = require('axios')
 const fs = require('fs')
-const passport = require('passport')
 const crypto = require('crypto')
 
 const iast = require('./iast')
@@ -45,6 +44,8 @@ app.use(require('express-session')({
 }))
 iast.initMiddlewares(app)
 
+require('./auth')(app, tracer)
+
 app.get('/', (req, res) => {
   console.log('Received a request')
   res.send('Hello\n')
@@ -442,8 +443,6 @@ app.get('/createextraservice', (req, res) => {
 
 iast.initRoutes(app, tracer)
 
-require('./auth')(app, passport, tracer)
-
 // try to flush as much stuff as possible from the library
 app.get('/flush', (req, res) => {
   // doesn't have a callback :(
diff --git a/utils/build/docker/nodejs/express/auth.js b/utils/build/docker/nodejs/express/auth.js
index ec683cf0ad..cb512d884b 100644
--- a/utils/build/docker/nodejs/express/auth.js
+++ b/utils/build/docker/nodejs/express/auth.js
@@ -1,5 +1,6 @@
 'use strict'
 
+const passport = require('passport')
 const { Strategy: LocalStrategy } = require('passport-local')
 const { BasicStrategy } = require('passport-http')
 
@@ -18,7 +19,7 @@ const users = [
   }
 ]
 
-module.exports = function (app, passport, tracer) {
+module.exports = function (app, tracer) {
   app.use(passport.initialize())
   app.use(passport.session())
 

From 00f237a29e6be9b15355135538921e145083f4e9 Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Thu, 26 Dec 2024 12:13:52 +0100
Subject: [PATCH 06/48] use feature branch

---
 utils/scripts/load-binary.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/scripts/load-binary.sh b/utils/scripts/load-binary.sh
index 743f23bb54..f427de3313 100755
--- a/utils/scripts/load-binary.sh
+++ b/utils/scripts/load-binary.sh
@@ -215,7 +215,7 @@ elif [ "$TARGET" = "agent" ]; then
 elif [ "$TARGET" = "nodejs" ]; then
     assert_version_is_dev
     # NPM builds the package, so we put a trigger file that tells install script to get package from github#master
-    echo "DataDog/dd-trace-js#master" > nodejs-load-from-npm
+    echo "DataDog/dd-trace-js#automatic_userid_blocking" > nodejs-load-from-npm
 
 elif [ "$TARGET" = "waf_rule_set_v1" ]; then
     exit 1

From d808ea5d9f78445d383a2d6087bea5b23380fc83 Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Fri, 27 Dec 2024 15:45:48 +0100
Subject: [PATCH 07/48] update manifest

---
 manifests/nodejs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/manifests/nodejs.yml b/manifests/nodejs.yml
index 46d3efdad9..0691efc221 100644
--- a/manifests/nodejs.yml
+++ b/manifests/nodejs.yml
@@ -527,7 +527,7 @@ tests/:
         '*': *ref_5_29_0
         nextjs: missing_feature
     test_automated_user_and_session_tracking.py:
-      Test_Automated_Session_Blocking: *ref_5_31_0
+      Test_Automated_Session_Blocking: missing_feature
       Test_Automated_User_Blocking: *ref_5_31_0
       Test_Automated_User_Tracking: *ref_5_31_0
     test_blocking_addresses.py:

From 552262670f7aa2fad43e38f598d572bfbd8ea299 Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Fri, 27 Dec 2024 16:33:21 +0100
Subject: [PATCH 08/48] use ASM_DATA instead of ASM_DD for blacklists

---
 ...est_automated_user_and_session_tracking.py | 20 ++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/tests/appsec/test_automated_user_and_session_tracking.py b/tests/appsec/test_automated_user_and_session_tracking.py
index fe9a27ab3c..e2b5eb4450 100644
--- a/tests/appsec/test_automated_user_and_session_tracking.py
+++ b/tests/appsec/test_automated_user_and_session_tracking.py
@@ -98,6 +98,12 @@ def test_user_tracking_sdk_overwrite(self):
                 "on_match": ["block"],
             }
         ],
+    },
+)
+
+BLOCK_USER_DATA = (
+    "datadog/2/ASM_DATA/blocked_users/config",
+    {
         "rules_data": [
             {
                 "id": "blocked_users",
@@ -120,6 +126,7 @@ def setup_user_blocking_auto(self):
         self.r_login = weblog.post("/login?auth=local", data=login_data(context, USER, PASSWORD))
 
         self.config_state_2 = rc.rc_state.set_config(*BLOCK_USER).apply()
+        self.config_state_3 = rc.rc_state.set_config(*BLOCK_USER_DATA).apply()
         self.r_home_blocked = weblog.get(
             "/",
             cookies=self.r_login.cookies,
@@ -130,6 +137,7 @@ def test_user_blocking_auto(self):
         assert self.r_login.status_code == 200
 
         assert self.config_state_2[rc.RC_STATE] == rc.ApplyState.ACKNOWLEDGED
+        assert self.config_state_3[rc.RC_STATE] == rc.ApplyState.ACKNOWLEDGED
         interfaces.library.assert_waf_attack(self.r_home_blocked, rule="block-users")
         assert self.r_home_blocked.status_code == 403
 
@@ -138,6 +146,7 @@ def setup_user_blocking_sdk(self):
 
         self.config_state_1 = rc.rc_state.set_config(*CONFIG_ENABLED).apply()
         self.config_state_2 = rc.rc_state.set_config(*BLOCK_USER).apply()
+        self.config_state_3 = rc.rc_state.set_config(*BLOCK_USER_DATA).apply()
         self.r_login = weblog.post("/login?auth=local", data=login_data(context, UUID_USER, PASSWORD))
         self.r_login_blocked = weblog.post(
             "/login?auth=local&sdk_event=success&sdk_user=sdkUser", data=login_data(context, UUID_USER, PASSWORD)
@@ -146,6 +155,7 @@ def setup_user_blocking_sdk(self):
     def test_user_blocking_sdk(self):
         assert self.config_state_1[rc.RC_STATE] == rc.ApplyState.ACKNOWLEDGED
         assert self.config_state_2[rc.RC_STATE] == rc.ApplyState.ACKNOWLEDGED
+        assert self.config_state_3[rc.RC_STATE] == rc.ApplyState.ACKNOWLEDGED
 
         assert self.r_login.status_code == 200
 
@@ -173,6 +183,12 @@ def test_user_blocking_sdk(self):
                 "on_match": ["block"],
             }
         ],
+    },
+)
+
+BLOCK_SESSION_DATA = (
+    "datadog/2/ASM_DATA/blocked_sessions/config",
+    {
         "rules_data": [
             {"id": "blocked_sessions", "type": "data_with_expiration", "data": []},
         ],
@@ -191,8 +207,9 @@ def setup_session_blocking(self):
         self.r_create_session = weblog.get("/session/new")
         self.session_id = self.r_create_session.text
 
-        BLOCK_SESSION[1]["rules_data"][0]["data"].append({"value": self.session_id, "expiration": 0})
+        BLOCK_SESSION_DATA[1]["rules_data"][0]["data"].append({"value": self.session_id, "expiration": 0})
         self.config_state_2 = rc.rc_state.set_config(*BLOCK_SESSION).apply()
+        self.config_state_3 = rc.rc_state.set_config(*BLOCK_SESSION_DATA).apply()
         self.r_home_blocked = weblog.get(
             "/",
             cookies=self.r_create_session.cookies,
@@ -203,5 +220,6 @@ def test_session_blocking(self):
         assert self.r_create_session.status_code == 200
 
         assert self.config_state_2[rc.RC_STATE] == rc.ApplyState.ACKNOWLEDGED
+        assert self.config_state_3[rc.RC_STATE] == rc.ApplyState.ACKNOWLEDGED
         interfaces.library.assert_waf_attack(self.r_home_blocked, pattern=self.session_id, rule="block-sessions")
         assert self.r_home_blocked.status_code == 403

From 64ec6ac5fd48fa70bbd88a5010ed6ec9cf443f2b Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Fri, 27 Dec 2024 16:44:33 +0100
Subject: [PATCH 09/48] add missing_feature

---
 tests/appsec/test_automated_user_and_session_tracking.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tests/appsec/test_automated_user_and_session_tracking.py b/tests/appsec/test_automated_user_and_session_tracking.py
index fe9a27ab3c..4eb73ad39a 100644
--- a/tests/appsec/test_automated_user_and_session_tracking.py
+++ b/tests/appsec/test_automated_user_and_session_tracking.py
@@ -9,6 +9,7 @@
 from utils import rfc
 from utils import scenarios
 from utils import weblog
+from utils import missing_feature
 
 # User entries in the internal DB:
 # users = [
@@ -143,6 +144,7 @@ def setup_user_blocking_sdk(self):
             "/login?auth=local&sdk_event=success&sdk_user=sdkUser", data=login_data(context, UUID_USER, PASSWORD)
         )
 
+    @missing_feature(context.library == "nodejs", reason="Blocking through the SDK is not supported")
     def test_user_blocking_sdk(self):
         assert self.config_state_1[rc.RC_STATE] == rc.ApplyState.ACKNOWLEDGED
         assert self.config_state_2[rc.RC_STATE] == rc.ApplyState.ACKNOWLEDGED

From 7a2cfbae9fc8f45e6cd6b0ba6e71e7d4d756d0a9 Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Wed, 15 Jan 2025 16:09:09 +0100
Subject: [PATCH 10/48] add temp note

---
 docs/weblog/README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/weblog/README.md b/docs/weblog/README.md
index ffe38e60e5..b1c56ff685 100644
--- a/docs/weblog/README.md
+++ b/docs/weblog/README.md
@@ -611,6 +611,8 @@ Body fields accepted in POST method:
 - `username`: the login name for the user.
 - `password`: password for the user.
 
+SDK NEEDS TO BE CALLED AFTER AUTOMATION
+
 It also supports HTTP authentication by using GET method and the authorization header.
 Additionally, both methods support the following query parameters to use the sdk functions along with the authentication framework:
 - `sdk_event`: login event type: `success` or `failure`.

From a474386f88ae30f014a4c732189b32a8106202ac Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Fri, 17 Jan 2025 17:08:35 +0100
Subject: [PATCH 11/48] add sdk blocking to weblog

---
 ...est_automated_user_and_session_tracking.py |  1 -
 utils/build/docker/nodejs/express/auth.js     | 23 ++++++++++---------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/tests/appsec/test_automated_user_and_session_tracking.py b/tests/appsec/test_automated_user_and_session_tracking.py
index 4c5d9678ea..cba54c2cd3 100644
--- a/tests/appsec/test_automated_user_and_session_tracking.py
+++ b/tests/appsec/test_automated_user_and_session_tracking.py
@@ -153,7 +153,6 @@ def setup_user_blocking_sdk(self):
             "/login?auth=local&sdk_event=success&sdk_user=sdkUser", data=login_data(context, UUID_USER, PASSWORD)
         )
 
-    @missing_feature(context.library == "nodejs", reason="Blocking through the SDK is not supported")
     def test_user_blocking_sdk(self):
         assert self.config_state_1[rc.RC_STATE] == rc.ApplyState.ACKNOWLEDGED
         assert self.config_state_2[rc.RC_STATE] == rc.ApplyState.ACKNOWLEDGED
diff --git a/utils/build/docker/nodejs/express/auth.js b/utils/build/docker/nodejs/express/auth.js
index cb512d884b..c6565832e9 100644
--- a/utils/build/docker/nodejs/express/auth.js
+++ b/utils/build/docker/nodejs/express/auth.js
@@ -91,17 +91,18 @@ module.exports = function (app, tracer) {
 
       statusCode = 401
     } else if (event === 'success') {
-      tracer.appsec.trackUserLoginSuccessEvent(
-        {
-          id: userId,
-          email: userMail,
-          name: 'system_tests_user'
-        },
-        {
-          metadata0: 'value0',
-          metadata1: 'value1'
-        }
-      )
+      const sdkUser = {
+        id: userId,
+        email: userMail,
+        name: 'system_tests_user'
+      }
+
+      tracer.appsec.trackUserLoginSuccessEvent(sdkUser, { metadata0: 'value0', metadata1: 'value1' })
+
+      const isUserBlocked = tracer.appsec.isUserBlocked(sdkUser)
+      if (isUserBlocked && tracer.appsec.blockRequest(req, res)) {
+        return
+      }
 
       statusCode = 200
     }

From 14c176fa447628a5f290392a3a755f0dd032e9a1 Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Sat, 18 Jan 2025 18:41:36 +0100
Subject: [PATCH 12/48] cleanup

---
 tests/appsec/test_automated_user_and_session_tracking.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tests/appsec/test_automated_user_and_session_tracking.py b/tests/appsec/test_automated_user_and_session_tracking.py
index 186fdce184..1f0de5d2fc 100644
--- a/tests/appsec/test_automated_user_and_session_tracking.py
+++ b/tests/appsec/test_automated_user_and_session_tracking.py
@@ -9,7 +9,6 @@
 from utils import rfc
 from utils import scenarios
 from utils import weblog
-from utils import missing_feature
 
 # User entries in the internal DB:
 # users = [

From 7de4a0bd4e5709cd34cee28d8f637e9dab82e69b Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Sat, 18 Jan 2025 18:44:12 +0100
Subject: [PATCH 13/48] session endpoints

---
 utils/build/docker/nodejs/express/app.js | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/utils/build/docker/nodejs/express/app.js b/utils/build/docker/nodejs/express/app.js
index c189b0dd69..b3ce94e6a0 100644
--- a/utils/build/docker/nodejs/express/app.js
+++ b/utils/build/docker/nodejs/express/app.js
@@ -115,6 +115,16 @@ app.get('/identify', (req, res) => {
   res.send('OK')
 })
 
+app.get('/session/new', (req, res) => {
+  res.send(req.sessionID)
+})
+
+app.get('/session/user', (req, res) => {
+  const userId = req.query.sdk_user || 'sdk_user'
+  tracer.appsec.trackUserLoginSuccessEvent({ id: userId })
+  res.send('OK')
+})
+
 app.get('/status', (req, res) => {
   res.status(parseInt(req.query.code)).send('OK')
 })

From f805ac04ddb68c823c400252eb51c2776ecf4641 Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Sat, 18 Jan 2025 18:45:02 +0100
Subject: [PATCH 14/48] enable fingerptint tests

---
 manifests/nodejs.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/manifests/nodejs.yml b/manifests/nodejs.yml
index 40d188c0c0..86deb28f9a 100644
--- a/manifests/nodejs.yml
+++ b/manifests/nodejs.yml
@@ -572,8 +572,8 @@ tests/:
       Test_Fingerprinting_Header_And_Network: *ref_5_24_0
       Test_Fingerprinting_Header_Capability: *ref_5_24_0
       Test_Fingerprinting_Network_Capability: *ref_5_24_0
-      Test_Fingerprinting_Session: missing_feature
-      Test_Fingerprinting_Session_Capability: missing_feature
+      Test_Fingerprinting_Session: *ref_5_31_0
+      Test_Fingerprinting_Session_Capability: *ref_5_31_0
     test_identify.py:
       Test_Basic: v2.4.0
     test_ip_blocking_full_denylist.py:

From 373c08f38080d5cc78a9adf7c710a34302068e95 Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Sat, 18 Jan 2025 18:53:50 +0100
Subject: [PATCH 15/48] wrong PR

---
 manifests/nodejs.yml                     |  8 ++++----
 utils/build/docker/nodejs/express/app.js | 10 ----------
 2 files changed, 4 insertions(+), 14 deletions(-)

diff --git a/manifests/nodejs.yml b/manifests/nodejs.yml
index 86deb28f9a..3ead9a8c91 100644
--- a/manifests/nodejs.yml
+++ b/manifests/nodejs.yml
@@ -572,8 +572,8 @@ tests/:
       Test_Fingerprinting_Header_And_Network: *ref_5_24_0
       Test_Fingerprinting_Header_Capability: *ref_5_24_0
       Test_Fingerprinting_Network_Capability: *ref_5_24_0
-      Test_Fingerprinting_Session: *ref_5_31_0
-      Test_Fingerprinting_Session_Capability: *ref_5_31_0
+      Test_Fingerprinting_Session: missing_feature
+      Test_Fingerprinting_Session_Capability: missing_feature
     test_identify.py:
       Test_Basic: v2.4.0
     test_ip_blocking_full_denylist.py:
@@ -628,14 +628,14 @@ tests/:
       Test_Debugger_Expression_Language: missing_feature (feature not implented)
     test_debugger_pii.py:
       Test_Debugger_PII_Redaction:
-        "*": irrelevant
+        '*': irrelevant
         express4: v5.31.0
         express4-typescript: v5.31.0
     test_debugger_probe_snapshot.py:
       Test_Debugger_Probe_Snaphots: missing_feature (feature not implented)
     test_debugger_probe_status.py:
       Test_Debugger_Probe_Statuses:
-        "*": irrelevant
+        '*': irrelevant
         express4: v5.32.0
         express4-typescript: v5.32.0
   integrations/:
diff --git a/utils/build/docker/nodejs/express/app.js b/utils/build/docker/nodejs/express/app.js
index b3ce94e6a0..c189b0dd69 100644
--- a/utils/build/docker/nodejs/express/app.js
+++ b/utils/build/docker/nodejs/express/app.js
@@ -115,16 +115,6 @@ app.get('/identify', (req, res) => {
   res.send('OK')
 })
 
-app.get('/session/new', (req, res) => {
-  res.send(req.sessionID)
-})
-
-app.get('/session/user', (req, res) => {
-  const userId = req.query.sdk_user || 'sdk_user'
-  tracer.appsec.trackUserLoginSuccessEvent({ id: userId })
-  res.send('OK')
-})
-
 app.get('/status', (req, res) => {
   res.status(parseInt(req.query.code)).send('OK')
 })

From 2b9616cfdeb8b925bdc82cdff8626214bbcc0382 Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Mon, 20 Jan 2025 15:54:36 +0100
Subject: [PATCH 16/48] cleanup

---
 docs/weblog/README.md | 2 --
 manifests/nodejs.yml  | 5 ++---
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/docs/weblog/README.md b/docs/weblog/README.md
index 9e9584cdc5..9b81faab33 100644
--- a/docs/weblog/README.md
+++ b/docs/weblog/README.md
@@ -663,8 +663,6 @@ Body fields accepted in POST method:
 - `username`: the login name for the user.
 - `password`: password for the user.
 
-SDK NEEDS TO BE CALLED AFTER AUTOMATION
-
 It also supports HTTP authentication by using GET method and the authorization header.
 Additionally, both methods support the following query parameters to use the sdk functions along with the authentication framework:
 - `sdk_event`: login event type: `success` or `failure`.
diff --git a/manifests/nodejs.yml b/manifests/nodejs.yml
index 3ead9a8c91..c4d641df75 100644
--- a/manifests/nodejs.yml
+++ b/manifests/nodejs.yml
@@ -42,7 +42,6 @@ refs:
   - &ref_5_27_0 '>=5.27.0 || ^4.51.0'
   - &ref_5_29_0 '>=5.29.0 || ^4.53.0' # express 5 support
   - &ref_5_30_0 '>=5.30.0 || ^4.54.0'
-  - &ref_5_31_0 '>=5.31.0 || ^4.55.0'
   - &ref_5_32_0 '>=5.32.0 || ^4.56.0'
 
 tests/:
@@ -511,8 +510,8 @@ tests/:
         nextjs: missing_feature
     test_automated_user_and_session_tracking.py:
       Test_Automated_Session_Blocking: missing_feature
-      Test_Automated_User_Blocking: *ref_5_31_0
-      Test_Automated_User_Tracking: *ref_5_31_0
+      Test_Automated_User_Blocking: *ref_5_32_0
+      Test_Automated_User_Tracking: *ref_5_32_0
     test_blocking_addresses.py:
       Test_BlockingGraphqlResolvers:
         '*': *ref_4_22_0

From 841e41d101b5ead1f5161996ca2db1408ca9a552 Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Mon, 20 Jan 2025 16:23:44 +0100
Subject: [PATCH 17/48] cleanup

---
 utils/build/docker/nodejs/express/auth.js | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/utils/build/docker/nodejs/express/auth.js b/utils/build/docker/nodejs/express/auth.js
index c6565832e9..401e92f702 100644
--- a/utils/build/docker/nodejs/express/auth.js
+++ b/utils/build/docker/nodejs/express/auth.js
@@ -19,6 +19,12 @@ const users = [
   }
 ]
 
+function findUser (fields) {
+  return users.find((user) => {
+    return Object.entries(fields).every(([field, value]) => user[field] === value)
+  })
+}
+
 module.exports = function (app, tracer) {
   app.use(passport.initialize())
   app.use(passport.session())
@@ -27,20 +33,20 @@ module.exports = function (app, tracer) {
     done(null, user.id)
   })
 
-  passport.deserializeUser((userId, done) => {
-    const user = users.find(user => user.id === userId)
+  passport.deserializeUser((id, done) => {
+    const user = findUser({ id })
 
     done(null, user)
   })
 
   passport.use(new LocalStrategy((username, password, done) => {
-    const user = users.find(user => user.username === username && user.password === password)
+    const user = findUser({ username, password })
 
     done(null, user)
   }))
 
   passport.use(new BasicStrategy((username, password, done) => {
-    const user = users.find(user => user.username === username && user.password === password)
+    const user = findUser({ username, password })
 
     done(null, user)
   }))

From 7348164691119f6556ed78e931c62b105092a527 Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Thu, 23 Jan 2025 02:10:56 +0100
Subject: [PATCH 18/48] Update utils/scripts/load-binary.sh

---
 utils/scripts/load-binary.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/scripts/load-binary.sh b/utils/scripts/load-binary.sh
index 6fe85da688..e9acd68826 100755
--- a/utils/scripts/load-binary.sh
+++ b/utils/scripts/load-binary.sh
@@ -215,7 +215,7 @@ elif [ "$TARGET" = "agent" ]; then
 elif [ "$TARGET" = "nodejs" ]; then
     assert_version_is_dev
     # NPM builds the package, so we put a trigger file that tells install script to get package from github#master
-    echo "DataDog/dd-trace-js#automatic_userid_blocking" > nodejs-load-from-npm
+    echo "DataDog/dd-trace-js#master" > nodejs-load-from-npm
 
 elif [ "$TARGET" = "waf_rule_set_v1" ]; then
     exit 1

From 39c9734737de51769b705e9b7d6d8fb52543b6cb Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Thu, 23 Jan 2025 02:12:29 +0100
Subject: [PATCH 19/48] add before/after sdk call param

---
 utils/build/docker/nodejs/express/auth.js | 64 +++++++++++++----------
 1 file changed, 37 insertions(+), 27 deletions(-)

diff --git a/utils/build/docker/nodejs/express/auth.js b/utils/build/docker/nodejs/express/auth.js
index 401e92f702..1c6c6f15ee 100644
--- a/utils/build/docker/nodejs/express/auth.js
+++ b/utils/build/docker/nodejs/express/auth.js
@@ -26,6 +26,36 @@ function findUser (fields) {
 }
 
 module.exports = function (app, tracer) {
+  function shouldSdkBlock (req, res) {
+    const event = req.query.sdk_event
+    const userId = req.query.sdk_user || 'sdk_user'
+    const userMail = req.query.sdk_mail || 'system_tests_user@system_tests_user.com'
+    const exists = req.query.sdk_user_exists === 'true'
+
+    res.statusCode = req.user ? 200 : 401
+
+    if (event === 'failure') {
+      tracer.appsec.trackUserLoginFailureEvent(userId, exists, { metadata0: 'value0', metadata1: 'value1' })
+
+      res.statusCode = 401
+    } else if (event === 'success') {
+      const sdkUser = {
+        id: userId,
+        email: userMail,
+        name: 'system_tests_user'
+      }
+
+      tracer.appsec.trackUserLoginSuccessEvent(sdkUser, { metadata0: 'value0', metadata1: 'value1' })
+
+      const isUserBlocked = tracer.appsec.isUserBlocked(sdkUser)
+      if (isUserBlocked && tracer.appsec.blockRequest(req, res)) {
+        return true
+      }
+
+      res.statusCode = 200
+    }
+  }
+
   app.use(passport.initialize())
   app.use(passport.session())
 
@@ -53,6 +83,10 @@ module.exports = function (app, tracer) {
 
   // rewrite url depending on which strategy to use
   app.all('/login', (req, res, next) => {
+    if (req.query.sdk_trigger === 'before' && shouldSdkBlock(req, res)) {
+      return
+    }
+
     let newRoute
 
     switch (req.query?.auth) {
@@ -85,34 +119,10 @@ module.exports = function (app, tracer) {
 
   // callback for all strategies to run SDK
   app.all('/login/*', (req, res) => {
-    const event = req.query.sdk_event
-    const userId = req.query.sdk_user || 'sdk_user'
-    const userMail = req.query.sdk_mail || 'system_tests_user@system_tests_user.com'
-    const exists = req.query.sdk_user_exists === 'true'
-
-    let statusCode = req.user ? 200 : 401
-
-    if (event === 'failure') {
-      tracer.appsec.trackUserLoginFailureEvent(userId, exists, { metadata0: 'value0', metadata1: 'value1' })
-
-      statusCode = 401
-    } else if (event === 'success') {
-      const sdkUser = {
-        id: userId,
-        email: userMail,
-        name: 'system_tests_user'
-      }
-
-      tracer.appsec.trackUserLoginSuccessEvent(sdkUser, { metadata0: 'value0', metadata1: 'value1' })
-
-      const isUserBlocked = tracer.appsec.isUserBlocked(sdkUser)
-      if (isUserBlocked && tracer.appsec.blockRequest(req, res)) {
-        return
-      }
-
-      statusCode = 200
+    if (req.query.sdk_trigger !== 'before' && shouldSdkBlock(req, res)) {
+      return
     }
 
-    res.sendStatus(statusCode)
+    res.sendStatus(res.statusCode || 200)
   })
 }

From adaae795f95eeabadf431ee027c2f82560cd5684 Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Fri, 24 Jan 2025 10:00:26 +0100
Subject: [PATCH 20/48] add IAST retroactive exclusion for express-session weak
 hash vuln

---
 utils/build/docker/nodejs/express/app.js           |  2 ++
 .../build/docker/nodejs/express/iast/exclusions.js | 14 ++++++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 utils/build/docker/nodejs/express/iast/exclusions.js

diff --git a/utils/build/docker/nodejs/express/app.js b/utils/build/docker/nodejs/express/app.js
index c7263695e3..3b0ed309c4 100644
--- a/utils/build/docker/nodejs/express/app.js
+++ b/utils/build/docker/nodejs/express/app.js
@@ -5,6 +5,8 @@ const tracer = require('dd-trace').init({
   flushInterval: 5000
 })
 
+require('./iast/exclusions')
+
 const { promisify } = require('util')
 const app = require('express')()
 const axios = require('axios')
diff --git a/utils/build/docker/nodejs/express/iast/exclusions.js b/utils/build/docker/nodejs/express/iast/exclusions.js
new file mode 100644
index 0000000000..f3e0bf3f44
--- /dev/null
+++ b/utils/build/docker/nodejs/express/iast/exclusions.js
@@ -0,0 +1,14 @@
+'use strict'
+
+const semver = require('semver')
+const version = require('dd-trace/package.json').version
+
+if (semver.match(version, '<5.33.0')) {
+  const WeakHashAnalyzer = require('dd-trace/packages/dd-trace/src/appsec/iast/analyzers/weak-hash-analyzer.js')
+  const original = WeakHashAnalyzer._isExcluded
+
+  WeakHashAnalyzer._isExcluded = function wrappedIsExcluded (location) {
+    if (location.path.includes('express-session/index.js')) return true
+    else return original.apply(this, arguments)
+  }
+}

From 302e2cc80f75e4d7e4a9ebcb9dcafee45a1c1f04 Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Fri, 24 Jan 2025 10:04:25 +0100
Subject: [PATCH 21/48] update manifest

---
 manifests/nodejs.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/manifests/nodejs.yml b/manifests/nodejs.yml
index 07e7770725..a4b6466636 100644
--- a/manifests/nodejs.yml
+++ b/manifests/nodejs.yml
@@ -43,6 +43,7 @@ refs:
   - &ref_5_29_0 '>=5.29.0 || ^4.53.0' # express 5 support
   - &ref_5_30_0 '>=5.30.0 || ^4.54.0'
   - &ref_5_32_0 '>=5.32.0 || ^4.56.0'
+  - &ref_5_33_0 '>=5.33.0' # keep the anchor as we may backport stuff to v4 later
 
 tests/:
   apm_tracing_e2e/:
@@ -510,8 +511,8 @@ tests/:
         nextjs: missing_feature
     test_automated_user_and_session_tracking.py:
       Test_Automated_Session_Blocking: missing_feature
-      Test_Automated_User_Blocking: *ref_5_32_0
-      Test_Automated_User_Tracking: *ref_5_32_0
+      Test_Automated_User_Blocking: *ref_5_33_0
+      Test_Automated_User_Tracking: *ref_5_33_0
     test_blocking_addresses.py:
       Test_BlockingGraphqlResolvers:
         '*': *ref_4_22_0
@@ -631,7 +632,7 @@ tests/:
         express4: v5.32.0
     test_debugger_probe_snapshot.py:
       Test_Debugger_Probe_Snaphots:
-        "*": irrelevant
+        '*': irrelevant
         express4: v5.32.0
     test_debugger_probe_status.py:
       Test_Debugger_Probe_Statuses:

From 20b20500e89eacfb43650ac26ff1b6b7fb2ce9e9 Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Fri, 24 Jan 2025 14:37:49 +0100
Subject: [PATCH 22/48] fix semver method

---
 utils/build/docker/nodejs/express/iast/exclusions.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/build/docker/nodejs/express/iast/exclusions.js b/utils/build/docker/nodejs/express/iast/exclusions.js
index f3e0bf3f44..4c29d5145c 100644
--- a/utils/build/docker/nodejs/express/iast/exclusions.js
+++ b/utils/build/docker/nodejs/express/iast/exclusions.js
@@ -3,7 +3,7 @@
 const semver = require('semver')
 const version = require('dd-trace/package.json').version
 
-if (semver.match(version, '<5.33.0')) {
+if (semver.satisfies(version, '<5.33.0')) {
   const WeakHashAnalyzer = require('dd-trace/packages/dd-trace/src/appsec/iast/analyzers/weak-hash-analyzer.js')
   const original = WeakHashAnalyzer._isExcluded
 

From a7429d62797c1b64758bbbef337d855c987aca8b Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Sun, 26 Jan 2025 18:26:56 +0100
Subject: [PATCH 23/48] put back feature branch

---
 utils/scripts/load-binary.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/scripts/load-binary.sh b/utils/scripts/load-binary.sh
index e9acd68826..6fe85da688 100755
--- a/utils/scripts/load-binary.sh
+++ b/utils/scripts/load-binary.sh
@@ -215,7 +215,7 @@ elif [ "$TARGET" = "agent" ]; then
 elif [ "$TARGET" = "nodejs" ]; then
     assert_version_is_dev
     # NPM builds the package, so we put a trigger file that tells install script to get package from github#master
-    echo "DataDog/dd-trace-js#master" > nodejs-load-from-npm
+    echo "DataDog/dd-trace-js#automatic_userid_blocking" > nodejs-load-from-npm
 
 elif [ "$TARGET" = "waf_rule_set_v1" ]; then
     exit 1

From 8bba8a74490910356ab63e16fa9500300b750537 Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Sun, 26 Jan 2025 18:33:12 +0100
Subject: [PATCH 24/48] add express-session dep to typescript weblog

---
 .../express4-typescript/package-lock.json     | 59 +++++++++++++++++++
 .../nodejs/express4-typescript/package.json   |  1 +
 2 files changed, 60 insertions(+)

diff --git a/utils/build/docker/nodejs/express4-typescript/package-lock.json b/utils/build/docker/nodejs/express4-typescript/package-lock.json
index e9bac58235..3dd5b0ba74 100644
--- a/utils/build/docker/nodejs/express4-typescript/package-lock.json
+++ b/utils/build/docker/nodejs/express4-typescript/package-lock.json
@@ -17,6 +17,7 @@
         "express": "^4.18.2",
         "express-graphql": "^0.12.0",
         "express-mongo-sanitize": "^2.2.0",
+        "express-session": "^1.18.1",
         "express-xml-bodyparser": "^0.3.0",
         "glob": "^8.0.3",
         "graphql": "^15.8.0",
@@ -1044,6 +1045,64 @@
         "node": ">=10"
       }
     },
+    "node_modules/express-session": {
+      "version": "1.18.1",
+      "resolved": "https://registry.npmjs.org/express-session/-/express-session-1.18.1.tgz",
+      "integrity": "sha512-a5mtTqEaZvBCL9A9aqkrtfz+3SMDhOVUnjafjo+s7A9Txkq+SVX2DLvSp1Zrv4uCXa3lMSK3viWnh9Gg07PBUA==",
+      "dependencies": {
+        "cookie": "0.7.2",
+        "cookie-signature": "1.0.7",
+        "debug": "2.6.9",
+        "depd": "~2.0.0",
+        "on-headers": "~1.0.2",
+        "parseurl": "~1.3.3",
+        "safe-buffer": "5.2.1",
+        "uid-safe": "~2.1.5"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/express-session/node_modules/cookie": {
+      "version": "0.7.2",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
+      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/express-session/node_modules/cookie-signature": {
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.7.tgz",
+      "integrity": "sha512-NXdYc3dLr47pBkpUCHtKSwIOQXLVn8dZEuywboCOJY/osA0wFSLlSawr3KN8qXJEyX66FcONTH8EIlVuK0yyFA=="
+    },
+    "node_modules/express-session/node_modules/on-headers": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/on-headers/-/on-headers-1.0.2.tgz",
+      "integrity": "sha512-pZAE+FJLoyITytdqK0U5s+FIpjN0JP3OzFi/u8Rx+EV5/W+JTWGXG8xFzevE7AjBfDqHv/8vL8qQsIhHnqRkrA==",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/express-session/node_modules/uid-safe": {
+      "version": "2.1.5",
+      "resolved": "https://registry.npmjs.org/uid-safe/-/uid-safe-2.1.5.tgz",
+      "integrity": "sha512-KPHm4VL5dDXKz01UuEd88Df+KzynaohSL9fBh096KWAxSKZQDI2uBrVqtvRM4rwrIrRRKsdLNML/lnaaVSRioA==",
+      "dependencies": {
+        "random-bytes": "~1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/express-session/node_modules/uid-safe/node_modules/random-bytes": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/random-bytes/-/random-bytes-1.0.0.tgz",
+      "integrity": "sha512-iv7LhNVO047HzYR3InF6pUcUsPQiHTM1Qal51DcGSuZFBil1aBBWG5eHPNek7bvILMaYJ/8RU1e8w1AMdHmLQQ==",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
     "node_modules/express-xml-bodyparser": {
       "version": "0.3.0",
       "resolved": "https://registry.npmjs.org/express-xml-bodyparser/-/express-xml-bodyparser-0.3.0.tgz",
diff --git a/utils/build/docker/nodejs/express4-typescript/package.json b/utils/build/docker/nodejs/express4-typescript/package.json
index eddd5bf12b..bd4cea5948 100644
--- a/utils/build/docker/nodejs/express4-typescript/package.json
+++ b/utils/build/docker/nodejs/express4-typescript/package.json
@@ -19,6 +19,7 @@
     "express": "^4.18.2",
     "express-graphql": "^0.12.0",
     "express-mongo-sanitize": "^2.2.0",
+    "express-session": "^1.18.1",
     "express-xml-bodyparser": "^0.3.0",
     "glob": "^8.0.3",
     "graphql": "^15.8.0",

From d6f7a3be83514217c1cbdd4b164d4536db5a50c1 Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Sun, 26 Jan 2025 18:35:42 +0100
Subject: [PATCH 25/48] Update manifests/nodejs.yml

---
 manifests/nodejs.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/manifests/nodejs.yml b/manifests/nodejs.yml
index 34a0851495..9653b5da02 100644
--- a/manifests/nodejs.yml
+++ b/manifests/nodejs.yml
@@ -543,8 +543,12 @@ tests/:
         nextjs: missing_feature
     test_automated_user_and_session_tracking.py:
       Test_Automated_Session_Blocking: missing_feature
-      Test_Automated_User_Blocking: *ref_5_33_0
-      Test_Automated_User_Tracking: *ref_5_33_0
+      Test_Automated_User_Blocking:
+        '*': *ref_5_33_0
+        nextjs: missing_feature
+      Test_Automated_User_Tracking:
+        '*': *ref_5_33_0
+        nextjs: missing_feature
     test_blocking_addresses.py:
       Test_BlockingGraphqlResolvers:
         '*': *ref_4_22_0

From 27c7d0ad00000e6ccd3303ced49c75f593abdb02 Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Sun, 26 Jan 2025 19:03:27 +0100
Subject: [PATCH 26/48] mirror changes in typescript weblog

---
 .../docker/nodejs/express4-typescript/app.ts  |  10 +-
 .../docker/nodejs/express4-typescript/auth.ts | 158 +++++++++++-------
 .../express4-typescript/iast/exclusions.js    |  16 ++
 3 files changed, 119 insertions(+), 65 deletions(-)
 create mode 100644 utils/build/docker/nodejs/express4-typescript/iast/exclusions.js

diff --git a/utils/build/docker/nodejs/express4-typescript/app.ts b/utils/build/docker/nodejs/express4-typescript/app.ts
index 9dc6356aaa..9b3b3295a6 100644
--- a/utils/build/docker/nodejs/express4-typescript/app.ts
+++ b/utils/build/docker/nodejs/express4-typescript/app.ts
@@ -4,10 +4,11 @@ import { Request, Response } from "express";
 
 const tracer = require('dd-trace').init({ debug: true, flushInterval: 5000 });
 
+require('./iast/exclusions.js')
+
 const { promisify } = require('util')
 const app = require('express')()
 const axios = require('axios')
-const passport = require('passport')
 const { Kafka } = require("kafkajs")
 const { spawnSync } = require('child_process')
 const crypto = require('crypto')
@@ -23,10 +24,17 @@ app.use(require('body-parser').json());
 app.use(require('body-parser').urlencoded({ extended: true }));
 app.use(require('express-xml-bodyparser')());
 app.use(require('cookie-parser')());
+app.use(require('express-session')({
+  secret: 'secret',
+  resave: false,
+  rolling: true,
+  saveUninitialized: true
+}))
 
 iast.initMiddlewares(app)
 
 require('./auth')(app, passport, tracer)
+
 iast.initRoutes(app)
 
 app.get('/', (req: Request, res: Response) => {
diff --git a/utils/build/docker/nodejs/express4-typescript/auth.ts b/utils/build/docker/nodejs/express4-typescript/auth.ts
index c6a9b9ff98..e04a743b8b 100644
--- a/utils/build/docker/nodejs/express4-typescript/auth.ts
+++ b/utils/build/docker/nodejs/express4-typescript/auth.ts
@@ -3,6 +3,8 @@
 import type { Express, Request, Response, NextFunction } from "express";
  // @ts-ignore
 import type { Tracer } from "dd-trace";
+
+const passport = require('passport')
 const { Strategy: LocalStrategy } = require('passport-local')
 const { BasicStrategy } = require('passport-http')
 
@@ -21,82 +23,110 @@ const users = [
   }
 ]
 
-module.exports = function (app: Express, passport: any, tracer: Tracer) {
-  passport.use(new LocalStrategy({ usernameField: 'username', passwordField: 'password' },
-    (username: string, password: string, done: any) => {
-      const user = users.find(user => (user.username === username) && (user.password === password))
-      if (!user) {
-        return done(null, false)
-      } else {
-        return done(null, user)
+function findUser (fields: {[key: string]: string}) : any {
+  return users.find((user) => {
+    return Object.entries(fields).every(([field, value]) => user[field] === value)
+  })
+}
+
+module.exports = function (app: Express, tracer: Tracer) {
+  function shouldSdkBlock (req: Request, res: Response) : boolean {
+      const event = req.query.sdk_event
+      const userId: string = req.query.sdk_user as string || 'sdk_user'
+      const userMail = req.query.sdk_mail as  string || 'system_tests_user@system_tests_user.com'
+      const exists = req.query.sdk_user_exists === 'true'
+
+    res.statusCode = req.user ? 200 : 401
+  
+    if (event === 'failure') {
+      tracer.appsec.trackUserLoginFailureEvent(userId, exists, { metadata0: "value0", metadata1: "value1" });
+
+      res.statusCode = 401
+    } else if (event === 'success') {
+      const sdkUser = {
+        id: userId,
+        email: userMail,
+        name: "system_tests_user"
       }
-    })
-  )
 
-  passport.use(new BasicStrategy((username: string, password: string, done: any) => {
-    const user = users.find(user => (user.username === username) && (user.password === password))
-    if (!user) {
-      return done(null, false)
-    } else {
-      return done(null, user)
+      tracer.appsec.trackUserLoginSuccessEvent(sdkUser, { metadata0: "value0", metadata1: "value1" })
+
+      const isUserBlocked: boolean = tracer.appsec.isUserBlocked(sdkUser)
+      if (isUserBlocked && tracer.appsec.blockRequest(req, res)) {
+        return true
+      }
+
+      res.statusCode = 200
     }
   }
-  ))
 
-  function handleAuthentication (req: Request, res: Response, next: NextFunction, err: any, user: any, info: any) {
-    const event = req.query.sdk_event
-    const userId: string = req.query.sdk_user as string || 'sdk_user'
-    const userMail = req.query.sdk_mail as  string || 'system_tests_user@system_tests_user.com'
-    const exists = req.query.sdk_user_exists === 'true'
+  app.use(passport.initialize())
+  app.use(passport.session())
+
+  passport.serializeUser((user: object, done: Function) => {
+    done(null, user.id)
+  })
 
-    if (err) {
-      console.error('unexpected login error', err)
-      return next(err)
+  passport.deserializeUser((id: string, done: Function) => {
+    const user: any = findUser({ id })
+
+    done(null, user)
+  })
+
+  passport.use(new LocalStrategy((username: string, password: string, done: Function) => {
+    const user: any = findUser({ username, password })
+
+    done(null, user)
+  }))
+
+  passport.use(new BasicStrategy((username: string, password: string, done: Function) => {
+    const user = findUser({ username, password })
+
+    done(null, user)
+  }))
+
+  // rewrite url depending on which strategy to use
+  app.all('/login', (req: Request, res: Response, next: NextFunction) => {
+    if (req.query.sdk_trigger === 'before' && shouldSdkBlock(req, res)) {
+      return
     }
-    if (!user) {
-      if (event === 'failure') {
-        tracer.appsec.trackUserLoginFailureEvent(userId, exists, { metadata0: "value0", metadata1: "value1" });
-      }
 
-      res.sendStatus(401)
-    } else if (event === 'success') {
-        tracer.appsec.trackUserLoginSuccessEvent(
-          {
-            id: userId,
-            email: userMail,
-            name: "system_tests_user"
-          },
-          {
-            metadata0: "value0",
-            metadata1: "value1"
-          }
-        )
-
-        res.sendStatus(200)
-      } else {
-        res.sendStatus(200)
-      }
-  }
+    let newRoute: string = ''
+
+    switch (req.query?.auth) {
+      case 'basic':
+        newRoute = '/login/basic'
+        break
+
+      case 'local':
+      default:
+        newRoute = '/login/local'
+    }
+
+    req.url = req.url.replace('/login', newRoute)
+
+    next()
+  })
+
+  app.use('/login/local', passport.authenticate('local', { failWithError: true }), handleError)
+  app.use('/login/basic', passport.authenticate('basic', { failWithError: true }), handleError)
 
-  function getStrategy (req: Request, res: Response, next: NextFunction) {
-    const auth = req.query && req.query.auth
-    if (auth === 'local') {
-      return passport.authenticate('local', { session: false }, function (err: any, user: any, info: any) {
-        handleAuthentication(req, res, next, err, user, info)
-      })(req, res, next)
+  // only stop if unexpected error
+  function handleError (err: any, req: Request, res: Response, next: NextFunction) : void {
+    if (err?.name !== 'AuthenticationError') {
+      console.error('unexpected login error', err)
+      next(err)
     } else {
-      return passport.authenticate('basic', { session: false }, function (err: any, user: any, info: any) {
-        handleAuthentication(req, res, next, err, user, info)
-      })(req, res, next)
+      next()
     }
   }
 
-
-  app.use(passport.initialize())
-  app.all('/login',
-    getStrategy,
-    (req: Request, res: Response, next: NextFunction) => {
-      res.sendStatus(200)
+  // callback for all strategies to run SDK
+  app.all('/login/*', (req: Request, res: Response) => {
+    if (req.query.sdk_trigger !== 'before' && shouldSdkBlock(req, res)) {
+      return
     }
-  )
+
+    res.sendStatus(res.statusCode || 200)
+  })
 }
diff --git a/utils/build/docker/nodejs/express4-typescript/iast/exclusions.js b/utils/build/docker/nodejs/express4-typescript/iast/exclusions.js
new file mode 100644
index 0000000000..b59020398c
--- /dev/null
+++ b/utils/build/docker/nodejs/express4-typescript/iast/exclusions.js
@@ -0,0 +1,16 @@
+'use strict'
+
+// this file is in javascript as it's not part of the weblog app, it's a backport of a fix
+
+const semver = require('semver')
+const version = require('dd-trace/package.json').version
+
+if (semver.satisfies(version, '<5.33.0')) {
+  const WeakHashAnalyzer = require('dd-trace/packages/dd-trace/src/appsec/iast/analyzers/weak-hash-analyzer.js')
+  const original = WeakHashAnalyzer._isExcluded
+
+  WeakHashAnalyzer._isExcluded = function wrappedIsExcluded (location) {
+    if (location.path.includes('express-session/index.js')) return true
+    else return original.apply(this, arguments)
+  }
+}

From 6943a8a3b5e79fc7c99a1e88979d4d0ef28df02d Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Sun, 26 Jan 2025 19:21:46 +0100
Subject: [PATCH 27/48] lint

---
 utils/build/docker/nodejs/express4-typescript/auth.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/build/docker/nodejs/express4-typescript/auth.ts b/utils/build/docker/nodejs/express4-typescript/auth.ts
index e04a743b8b..fb92b6786d 100644
--- a/utils/build/docker/nodejs/express4-typescript/auth.ts
+++ b/utils/build/docker/nodejs/express4-typescript/auth.ts
@@ -37,7 +37,7 @@ module.exports = function (app: Express, tracer: Tracer) {
       const exists = req.query.sdk_user_exists === 'true'
 
     res.statusCode = req.user ? 200 : 401
-  
+
     if (event === 'failure') {
       tracer.appsec.trackUserLoginFailureEvent(userId, exists, { metadata0: "value0", metadata1: "value1" });
 

From 51fd22b763bce27daf4f3f2548bb1a829338131b Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Sun, 26 Jan 2025 19:37:58 +0100
Subject: [PATCH 28/48] add passportjs types

---
 .../docker/nodejs/express4-typescript/package-lock.json  | 9 +++++++++
 .../build/docker/nodejs/express4-typescript/package.json | 1 +
 2 files changed, 10 insertions(+)

diff --git a/utils/build/docker/nodejs/express4-typescript/package-lock.json b/utils/build/docker/nodejs/express4-typescript/package-lock.json
index 3dd5b0ba74..d1beee85a5 100644
--- a/utils/build/docker/nodejs/express4-typescript/package-lock.json
+++ b/utils/build/docker/nodejs/express4-typescript/package-lock.json
@@ -10,6 +10,7 @@
       "license": "ISC",
       "dependencies": {
         "@types/ldapjs": "^3.0.6",
+        "@types/passport": "^1.0.17",
         "apollo-server-express": "^3.13.0",
         "axios": "1.2.3",
         "body-parser": "^1.20.1",
@@ -452,6 +453,14 @@
       "resolved": "https://registry.npmjs.org/@types/node/-/node-17.0.19.tgz",
       "integrity": "sha512-PfeQhvcMR4cPFVuYfBN4ifG7p9c+Dlh3yUZR6k+5yQK7wX3gDgVxBly4/WkBRs9x4dmcy1TVl08SY67wwtEvmA=="
     },
+    "node_modules/@types/passport": {
+      "version": "1.0.17",
+      "resolved": "https://registry.npmjs.org/@types/passport/-/passport-1.0.17.tgz",
+      "integrity": "sha512-aciLyx+wDwT2t2/kJGJR2AEeBz0nJU4WuRX04Wu9Dqc5lSUtwu0WERPHYsLhF9PtseiAMPBGNUOtFjxZ56prsg==",
+      "dependencies": {
+        "@types/express": "*"
+      }
+    },
     "node_modules/@types/qs": {
       "version": "6.9.7",
       "resolved": "https://registry.npmjs.org/@types/qs/-/qs-6.9.7.tgz",
diff --git a/utils/build/docker/nodejs/express4-typescript/package.json b/utils/build/docker/nodejs/express4-typescript/package.json
index bd4cea5948..e7158622ad 100644
--- a/utils/build/docker/nodejs/express4-typescript/package.json
+++ b/utils/build/docker/nodejs/express4-typescript/package.json
@@ -12,6 +12,7 @@
   "license": "ISC",
   "dependencies": {
     "@types/ldapjs": "^3.0.6",
+    "@types/passport": "^1.0.17",
     "apollo-server-express": "^3.13.0",
     "axios": "1.2.3",
     "body-parser": "^1.20.1",

From d4a59066cd0ba31be94b82b567b8e302a6f19567 Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Sun, 26 Jan 2025 19:38:32 +0100
Subject: [PATCH 29/48] fix

---
 utils/build/docker/nodejs/express4-typescript/app.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/build/docker/nodejs/express4-typescript/app.ts b/utils/build/docker/nodejs/express4-typescript/app.ts
index 9b3b3295a6..476d542caa 100644
--- a/utils/build/docker/nodejs/express4-typescript/app.ts
+++ b/utils/build/docker/nodejs/express4-typescript/app.ts
@@ -33,7 +33,7 @@ app.use(require('express-session')({
 
 iast.initMiddlewares(app)
 
-require('./auth')(app, passport, tracer)
+require('./auth')(app, tracer)
 
 iast.initRoutes(app)
 

From 1635dfafda79dad3abfe8235d9a888cffa67749d Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Sun, 26 Jan 2025 19:39:04 +0100
Subject: [PATCH 30/48] fix types

---
 .../docker/nodejs/express4-typescript/auth.ts  | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/utils/build/docker/nodejs/express4-typescript/auth.ts b/utils/build/docker/nodejs/express4-typescript/auth.ts
index fb92b6786d..361ecf6649 100644
--- a/utils/build/docker/nodejs/express4-typescript/auth.ts
+++ b/utils/build/docker/nodejs/express4-typescript/auth.ts
@@ -23,18 +23,18 @@ const users = [
   }
 ]
 
-function findUser (fields: {[key: string]: string}) : any {
-  return users.find((user) => {
-    return Object.entries(fields).every(([field, value]) => user[field] === value)
+function findUser (fields: any) : any {
+  return users.find((user: any) => {
+    return Object.entries(fields).every(([field: string, value: any]) => user[field] === value)
   })
 }
 
 module.exports = function (app: Express, tracer: Tracer) {
   function shouldSdkBlock (req: Request, res: Response) : boolean {
-      const event = req.query.sdk_event
-      const userId: string = req.query.sdk_user as string || 'sdk_user'
-      const userMail = req.query.sdk_mail as  string || 'system_tests_user@system_tests_user.com'
-      const exists = req.query.sdk_user_exists === 'true'
+    const event = req.query.sdk_event
+    const userId: string = req.query.sdk_user as string || 'sdk_user'
+    const userMail = req.query.sdk_mail as  string || 'system_tests_user@system_tests_user.com'
+    const exists = req.query.sdk_user_exists === 'true'
 
     res.statusCode = req.user ? 200 : 401
 
@@ -58,12 +58,14 @@ module.exports = function (app: Express, tracer: Tracer) {
 
       res.statusCode = 200
     }
+
+    return false
   }
 
   app.use(passport.initialize())
   app.use(passport.session())
 
-  passport.serializeUser((user: object, done: Function) => {
+  passport.serializeUser((user: any, done: Function) => {
     done(null, user.id)
   })
 

From 6e92bed197b66ce76ba12c66575a9ee8371c2e6e Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Sun, 26 Jan 2025 20:10:20 +0100
Subject: [PATCH 31/48] fix

---
 utils/build/docker/nodejs/express4-typescript/auth.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/build/docker/nodejs/express4-typescript/auth.ts b/utils/build/docker/nodejs/express4-typescript/auth.ts
index 361ecf6649..23b268e958 100644
--- a/utils/build/docker/nodejs/express4-typescript/auth.ts
+++ b/utils/build/docker/nodejs/express4-typescript/auth.ts
@@ -25,7 +25,7 @@ const users = [
 
 function findUser (fields: any) : any {
   return users.find((user: any) => {
-    return Object.entries(fields).every(([field: string, value: any]) => user[field] === value)
+    return Object.entries(fields).every(([field, value]) => user[field] === value)
   })
 }
 

From d3b4991a87f147ff50b45995097352f99c3917ce Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Sun, 26 Jan 2025 23:02:41 +0100
Subject: [PATCH 32/48] fix for express5

---
 utils/build/docker/nodejs/express/auth.js            |  3 ++-
 .../build/docker/nodejs/express4-typescript/auth.ts  | 12 ++++++------
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/utils/build/docker/nodejs/express/auth.js b/utils/build/docker/nodejs/express/auth.js
index 1c6c6f15ee..ca205752d7 100644
--- a/utils/build/docker/nodejs/express/auth.js
+++ b/utils/build/docker/nodejs/express/auth.js
@@ -118,7 +118,8 @@ module.exports = function (app, tracer) {
   }
 
   // callback for all strategies to run SDK
-  app.all('/login/*', (req, res) => {
+  // regex is required to be compatible with both express v4 and v5
+  app.all(/^\/login\/.*$/i, (req, res) => {
     if (req.query.sdk_trigger !== 'before' && shouldSdkBlock(req, res)) {
       return
     }
diff --git a/utils/build/docker/nodejs/express4-typescript/auth.ts b/utils/build/docker/nodejs/express4-typescript/auth.ts
index 23b268e958..bb1a90370a 100644
--- a/utils/build/docker/nodejs/express4-typescript/auth.ts
+++ b/utils/build/docker/nodejs/express4-typescript/auth.ts
@@ -1,7 +1,7 @@
 'use strict'
 
 import type { Express, Request, Response, NextFunction } from "express";
- // @ts-ignore
+// @ts-ignore
 import type { Tracer } from "dd-trace";
 
 const passport = require('passport')
@@ -23,17 +23,17 @@ const users = [
   }
 ]
 
-function findUser (fields: any) : any {
+function findUser (fields: any): any {
   return users.find((user: any) => {
     return Object.entries(fields).every(([field, value]) => user[field] === value)
   })
 }
 
 module.exports = function (app: Express, tracer: Tracer) {
-  function shouldSdkBlock (req: Request, res: Response) : boolean {
+  function shouldSdkBlock (req: Request, res: Response): boolean {
     const event = req.query.sdk_event
     const userId: string = req.query.sdk_user as string || 'sdk_user'
-    const userMail = req.query.sdk_mail as  string || 'system_tests_user@system_tests_user.com'
+    const userMail = req.query.sdk_mail as string || 'system_tests_user@system_tests_user.com'
     const exists = req.query.sdk_user_exists === 'true'
 
     res.statusCode = req.user ? 200 : 401
@@ -114,7 +114,7 @@ module.exports = function (app: Express, tracer: Tracer) {
   app.use('/login/basic', passport.authenticate('basic', { failWithError: true }), handleError)
 
   // only stop if unexpected error
-  function handleError (err: any, req: Request, res: Response, next: NextFunction) : void {
+  function handleError (err: any, req: Request, res: Response, next: NextFunction): void {
     if (err?.name !== 'AuthenticationError') {
       console.error('unexpected login error', err)
       next(err)
@@ -124,7 +124,7 @@ module.exports = function (app: Express, tracer: Tracer) {
   }
 
   // callback for all strategies to run SDK
-  app.all('/login/*', (req: Request, res: Response) => {
+  app.all(/^\/login\/.*$/i, (req: Request, res: Response) => {
     if (req.query.sdk_trigger !== 'before' && shouldSdkBlock(req, res)) {
       return
     }

From 7bb8044b587b32318d67910444e7caa32e53f07e Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Sun, 26 Jan 2025 23:12:39 +0100
Subject: [PATCH 33/48] ts fix

---
 utils/build/docker/nodejs/express4-typescript/app.ts          | 4 ++--
 .../express4-typescript/iast/{exclusions.js => exclusions.ts} | 0
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename utils/build/docker/nodejs/express4-typescript/iast/{exclusions.js => exclusions.ts} (100%)

diff --git a/utils/build/docker/nodejs/express4-typescript/app.ts b/utils/build/docker/nodejs/express4-typescript/app.ts
index 476d542caa..0754552ccb 100644
--- a/utils/build/docker/nodejs/express4-typescript/app.ts
+++ b/utils/build/docker/nodejs/express4-typescript/app.ts
@@ -4,7 +4,7 @@ import { Request, Response } from "express";
 
 const tracer = require('dd-trace').init({ debug: true, flushInterval: 5000 });
 
-require('./iast/exclusions.js')
+require('./iast/exclusions')
 
 const { promisify } = require('util')
 const app = require('express')()
@@ -332,7 +332,7 @@ require('./rasp')(app)
 
 require('./graphql')(app).then(() => {
   app.listen(7777, '0.0.0.0', () => {
-    tracer.trace('init.service', () => { })
+    tracer.trace('init.service', () => {})
     console.log('listening')
   })
 })
diff --git a/utils/build/docker/nodejs/express4-typescript/iast/exclusions.js b/utils/build/docker/nodejs/express4-typescript/iast/exclusions.ts
similarity index 100%
rename from utils/build/docker/nodejs/express4-typescript/iast/exclusions.js
rename to utils/build/docker/nodejs/express4-typescript/iast/exclusions.ts

From a5d7baa9b1ed3cac7085a45cf2e9d0b0f4bb417f Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Sun, 26 Jan 2025 23:38:13 +0100
Subject: [PATCH 34/48] another typescript fix

---
 .../docker/nodejs/express4-typescript/iast/exclusions.ts      | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/utils/build/docker/nodejs/express4-typescript/iast/exclusions.ts b/utils/build/docker/nodejs/express4-typescript/iast/exclusions.ts
index b59020398c..5e3d421f3b 100644
--- a/utils/build/docker/nodejs/express4-typescript/iast/exclusions.ts
+++ b/utils/build/docker/nodejs/express4-typescript/iast/exclusions.ts
@@ -1,7 +1,5 @@
 'use strict'
 
-// this file is in javascript as it's not part of the weblog app, it's a backport of a fix
-
 const semver = require('semver')
 const version = require('dd-trace/package.json').version
 
@@ -9,7 +7,7 @@ if (semver.satisfies(version, '<5.33.0')) {
   const WeakHashAnalyzer = require('dd-trace/packages/dd-trace/src/appsec/iast/analyzers/weak-hash-analyzer.js')
   const original = WeakHashAnalyzer._isExcluded
 
-  WeakHashAnalyzer._isExcluded = function wrappedIsExcluded (location) {
+  WeakHashAnalyzer._isExcluded = function wrappedIsExcluded (location: any) {
     if (location.path.includes('express-session/index.js')) return true
     else return original.apply(this, arguments)
   }

From dcb74f79a285dced489d96271a45e31b398f3df4 Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Sun, 26 Jan 2025 23:57:57 +0100
Subject: [PATCH 35/48] add semver dep to typescript weblog

---
 .../nodejs/express4-typescript/package-lock.json   | 14 +++++++++++++-
 .../docker/nodejs/express4-typescript/package.json |  3 ++-
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/utils/build/docker/nodejs/express4-typescript/package-lock.json b/utils/build/docker/nodejs/express4-typescript/package-lock.json
index d1beee85a5..269218fa4e 100644
--- a/utils/build/docker/nodejs/express4-typescript/package-lock.json
+++ b/utils/build/docker/nodejs/express4-typescript/package-lock.json
@@ -31,7 +31,8 @@
         "passport-http": "^0.3.0",
         "passport-local": "^1.0.0",
         "pg": "^8.8.0",
-        "pug": "^3.0.3"
+        "pug": "^3.0.3",
+        "semver": "^7.6.3"
       },
       "devDependencies": {
         "@tsconfig/node16": "^1.0.4",
@@ -2613,6 +2614,17 @@
       "resolved": "https://registry.npmjs.org/sax/-/sax-1.2.4.tgz",
       "integrity": "sha512-NqVDv9TpANUjFm0N8uM5GxL36UgKi9/atZw+x7YFnQ8ckwFGKrl4xX4yWtrey3UJm5nP1kUbnYgLopqWNSRhWw=="
     },
+    "node_modules/semver": {
+      "version": "7.6.3",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.6.3.tgz",
+      "integrity": "sha512-oVekP1cKtI+CTDvHWYFUcMtsK/00wmAEfyqKfNdARm8u1wNVhSgaX7A8d4UuIlUI5e84iEwOhs7ZPYRmzU9U6A==",
+      "bin": {
+        "semver": "bin/semver.js"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
     "node_modules/send": {
       "version": "0.18.0",
       "resolved": "https://registry.npmjs.org/send/-/send-0.18.0.tgz",
diff --git a/utils/build/docker/nodejs/express4-typescript/package.json b/utils/build/docker/nodejs/express4-typescript/package.json
index e7158622ad..80607506bc 100644
--- a/utils/build/docker/nodejs/express4-typescript/package.json
+++ b/utils/build/docker/nodejs/express4-typescript/package.json
@@ -33,7 +33,8 @@
     "passport-http": "^0.3.0",
     "passport-local": "^1.0.0",
     "pg": "^8.8.0",
-    "pug": "^3.0.3"
+    "pug": "^3.0.3",
+    "semver": "^7.6.3"
   },
   "devDependencies": {
     "@tsconfig/node16": "^1.0.4",

From 1b2f5eba5756c513dfb4602da18fe183f56521cd Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Wed, 29 Jan 2025 11:27:38 +0100
Subject: [PATCH 36/48] fix for misdesigned test

---
 utils/build/docker/nodejs/express/auth.js | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/utils/build/docker/nodejs/express/auth.js b/utils/build/docker/nodejs/express/auth.js
index ca205752d7..a117256371 100644
--- a/utils/build/docker/nodejs/express/auth.js
+++ b/utils/build/docker/nodejs/express/auth.js
@@ -47,6 +47,9 @@ module.exports = function (app, tracer) {
 
       tracer.appsec.trackUserLoginSuccessEvent(sdkUser, { metadata0: 'value0', metadata1: 'value1' })
 
+      // temporary workaround to pass the test, i'll modify the test later
+      tracer.setUser(sdkUser)
+
       const isUserBlocked = tracer.appsec.isUserBlocked(sdkUser)
       if (isUserBlocked && tracer.appsec.blockRequest(req, res)) {
         return true

From 202d85302c99d1d0413914ffa890b175ad45e18f Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Thu, 30 Jan 2025 10:08:00 +0100
Subject: [PATCH 37/48] Update
 utils/build/docker/nodejs/express4-typescript/iast/exclusions.ts

---
 .../build/docker/nodejs/express4-typescript/iast/exclusions.ts  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/build/docker/nodejs/express4-typescript/iast/exclusions.ts b/utils/build/docker/nodejs/express4-typescript/iast/exclusions.ts
index 5e3d421f3b..5815747a4b 100644
--- a/utils/build/docker/nodejs/express4-typescript/iast/exclusions.ts
+++ b/utils/build/docker/nodejs/express4-typescript/iast/exclusions.ts
@@ -3,7 +3,7 @@
 const semver = require('semver')
 const version = require('dd-trace/package.json').version
 
-if (semver.satisfies(version, '<5.33.0')) {
+if (semver.satisfies(version, '<5.34.0')) {
   const WeakHashAnalyzer = require('dd-trace/packages/dd-trace/src/appsec/iast/analyzers/weak-hash-analyzer.js')
   const original = WeakHashAnalyzer._isExcluded
 

From 08904d0ea92e00d3e29405d964d421bd0c1b328a Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Thu, 30 Jan 2025 10:08:30 +0100
Subject: [PATCH 38/48] Update manifests/nodejs.yml

---
 manifests/nodejs.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/manifests/nodejs.yml b/manifests/nodejs.yml
index 3034401aa8..5378675c3a 100644
--- a/manifests/nodejs.yml
+++ b/manifests/nodejs.yml
@@ -551,10 +551,10 @@ tests/:
     test_automated_user_and_session_tracking.py:
       Test_Automated_Session_Blocking: missing_feature
       Test_Automated_User_Blocking:
-        '*': *ref_5_33_0
+        '*': *ref_5_34_0
         nextjs: missing_feature
       Test_Automated_User_Tracking:
-        '*': *ref_5_33_0
+        '*': *ref_5_34_0
         nextjs: missing_feature
     test_blocking_addresses.py:
       Test_BlockingGraphqlResolvers:

From 92891410a5b0e20b89faf2664374404be0c448e4 Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Thu, 30 Jan 2025 10:08:45 +0100
Subject: [PATCH 39/48] Update
 utils/build/docker/nodejs/express/iast/exclusions.js

---
 utils/build/docker/nodejs/express/iast/exclusions.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/build/docker/nodejs/express/iast/exclusions.js b/utils/build/docker/nodejs/express/iast/exclusions.js
index 4c29d5145c..fa36ec57fe 100644
--- a/utils/build/docker/nodejs/express/iast/exclusions.js
+++ b/utils/build/docker/nodejs/express/iast/exclusions.js
@@ -3,7 +3,7 @@
 const semver = require('semver')
 const version = require('dd-trace/package.json').version
 
-if (semver.satisfies(version, '<5.33.0')) {
+if (semver.satisfies(version, '<5.34.0')) {
   const WeakHashAnalyzer = require('dd-trace/packages/dd-trace/src/appsec/iast/analyzers/weak-hash-analyzer.js')
   const original = WeakHashAnalyzer._isExcluded
 

From 44c376003fb54b4a375402c1df34c050d213318e Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Fri, 31 Jan 2025 11:15:35 +0100
Subject: [PATCH 40/48] increase DD_IAST_MAX_CONTEXT_OPERATIONS for all node
 weblogs

---
 utils/build/docker/nodejs/express4-typescript.Dockerfile | 2 ++
 utils/build/docker/nodejs/express4.Dockerfile            | 2 ++
 utils/build/docker/nodejs/express5.Dockerfile            | 2 ++
 utils/build/docker/nodejs/uds-express4.Dockerfile        | 2 ++
 4 files changed, 8 insertions(+)

diff --git a/utils/build/docker/nodejs/express4-typescript.Dockerfile b/utils/build/docker/nodejs/express4-typescript.Dockerfile
index 2658f3607e..35fcaad795 100644
--- a/utils/build/docker/nodejs/express4-typescript.Dockerfile
+++ b/utils/build/docker/nodejs/express4-typescript.Dockerfile
@@ -22,6 +22,8 @@ ENV PGPORT=5433
 
 ENV DD_DATA_STREAMS_ENABLED=true
 
+ENV DD_IAST_MAX_CONTEXT_OPERATIONS=5
+
 # docker startup
 COPY utils/build/docker/nodejs/app.sh app.sh
 RUN printf 'node dist/app.js' >> app.sh
diff --git a/utils/build/docker/nodejs/express4.Dockerfile b/utils/build/docker/nodejs/express4.Dockerfile
index c3be9cf563..054ea65176 100644
--- a/utils/build/docker/nodejs/express4.Dockerfile
+++ b/utils/build/docker/nodejs/express4.Dockerfile
@@ -26,6 +26,8 @@ ENV PGPORT=5433
 
 ENV DD_DATA_STREAMS_ENABLED=true
 
+ENV DD_IAST_MAX_CONTEXT_OPERATIONS=5
+
 # docker startup
 COPY utils/build/docker/nodejs/app.sh app.sh
 RUN chmod +x app.sh
diff --git a/utils/build/docker/nodejs/express5.Dockerfile b/utils/build/docker/nodejs/express5.Dockerfile
index c270082c1e..11dedbf9e9 100644
--- a/utils/build/docker/nodejs/express5.Dockerfile
+++ b/utils/build/docker/nodejs/express5.Dockerfile
@@ -26,6 +26,8 @@ ENV PGPORT=5433
 
 ENV DD_DATA_STREAMS_ENABLED=true
 
+ENV DD_IAST_MAX_CONTEXT_OPERATIONS=5
+
 # docker startup
 COPY utils/build/docker/nodejs/app.sh app.sh
 RUN chmod +x app.sh
diff --git a/utils/build/docker/nodejs/uds-express4.Dockerfile b/utils/build/docker/nodejs/uds-express4.Dockerfile
index 5a041a7922..96f7a989eb 100644
--- a/utils/build/docker/nodejs/uds-express4.Dockerfile
+++ b/utils/build/docker/nodejs/uds-express4.Dockerfile
@@ -29,6 +29,8 @@ ENV UDS_WEBLOG=1
 
 ENV DD_DATA_STREAMS_ENABLED=true
 
+ENV DD_IAST_MAX_CONTEXT_OPERATIONS=5
+
 # docker startup
 COPY utils/build/docker/nodejs/app.sh app.sh
 RUN printf 'node app.js' >> app.sh

From e23fcf4225742c89b8c4aea87104b472479d3307 Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Fri, 31 Jan 2025 16:23:17 +0100
Subject: [PATCH 41/48] test saveUninitialized: false

---
 utils/build/docker/nodejs/express/app.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/build/docker/nodejs/express/app.js b/utils/build/docker/nodejs/express/app.js
index 09e34e467f..aa8a90d9e4 100644
--- a/utils/build/docker/nodejs/express/app.js
+++ b/utils/build/docker/nodejs/express/app.js
@@ -48,7 +48,7 @@ app.use(require('express-session')({
   secret: 'secret',
   resave: false,
   rolling: true,
-  saveUninitialized: true
+  saveUninitialized: false
 }))
 iast.initMiddlewares(app)
 

From ae7e0b7592effa8a900d5b317c4f97d8af79a18c Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Fri, 31 Jan 2025 17:22:39 +0100
Subject: [PATCH 42/48] mirror fix in ts weblog

---
 utils/build/docker/nodejs/express4-typescript/app.ts  | 2 +-
 utils/build/docker/nodejs/express4-typescript/auth.ts | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/utils/build/docker/nodejs/express4-typescript/app.ts b/utils/build/docker/nodejs/express4-typescript/app.ts
index 0754552ccb..94f695198f 100644
--- a/utils/build/docker/nodejs/express4-typescript/app.ts
+++ b/utils/build/docker/nodejs/express4-typescript/app.ts
@@ -28,7 +28,7 @@ app.use(require('express-session')({
   secret: 'secret',
   resave: false,
   rolling: true,
-  saveUninitialized: true
+  saveUninitialized: false
 }))
 
 iast.initMiddlewares(app)
diff --git a/utils/build/docker/nodejs/express4-typescript/auth.ts b/utils/build/docker/nodejs/express4-typescript/auth.ts
index bb1a90370a..ca897a8eb4 100644
--- a/utils/build/docker/nodejs/express4-typescript/auth.ts
+++ b/utils/build/docker/nodejs/express4-typescript/auth.ts
@@ -51,6 +51,9 @@ module.exports = function (app: Express, tracer: Tracer) {
 
       tracer.appsec.trackUserLoginSuccessEvent(sdkUser, { metadata0: "value0", metadata1: "value1" })
 
+      // temporary workaround to pass the test, i'll modify the test later
+      tracer.setUser(sdkUser)
+
       const isUserBlocked: boolean = tracer.appsec.isUserBlocked(sdkUser)
       if (isUserBlocked && tracer.appsec.blockRequest(req, res)) {
         return true

From d88616d6658ccb109467478564a7c204380cfc4a Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Fri, 31 Jan 2025 17:38:07 +0100
Subject: [PATCH 43/48] push all the fixes

---
 utils/build/docker/nodejs/express/app.js           |  8 --------
 utils/build/docker/nodejs/express/auth.js          | 14 +++++++++++++-
 .../build/docker/nodejs/express/iast/exclusions.js | 14 --------------
 .../build/docker/nodejs/express4-typescript/app.ts |  9 ---------
 .../docker/nodejs/express4-typescript/auth.ts      | 14 +++++++++++++-
 .../nodejs/express4-typescript/iast/exclusions.ts  | 14 --------------
 6 files changed, 26 insertions(+), 47 deletions(-)
 delete mode 100644 utils/build/docker/nodejs/express/iast/exclusions.js
 delete mode 100644 utils/build/docker/nodejs/express4-typescript/iast/exclusions.ts

diff --git a/utils/build/docker/nodejs/express/app.js b/utils/build/docker/nodejs/express/app.js
index aa8a90d9e4..440bff4fee 100644
--- a/utils/build/docker/nodejs/express/app.js
+++ b/utils/build/docker/nodejs/express/app.js
@@ -5,8 +5,6 @@ const tracer = require('dd-trace').init({
   flushInterval: 5000
 })
 
-require('./iast/exclusions')
-
 const { promisify } = require('util')
 const app = require('express')()
 const axios = require('axios')
@@ -44,12 +42,6 @@ app.use(require('body-parser').json())
 app.use(require('body-parser').urlencoded({ extended: true }))
 app.use(require('express-xml-bodyparser')())
 app.use(require('cookie-parser')())
-app.use(require('express-session')({
-  secret: 'secret',
-  resave: false,
-  rolling: true,
-  saveUninitialized: false
-}))
 iast.initMiddlewares(app)
 
 require('./auth')(app, tracer)
diff --git a/utils/build/docker/nodejs/express/auth.js b/utils/build/docker/nodejs/express/auth.js
index a117256371..61165ef2bb 100644
--- a/utils/build/docker/nodejs/express/auth.js
+++ b/utils/build/docker/nodejs/express/auth.js
@@ -1,5 +1,7 @@
 'use strict'
 
+const semver = require('semver')
+const libraryVersion = require('dd-trace/package.json').version
 const passport = require('passport')
 const { Strategy: LocalStrategy } = require('passport-local')
 const { BasicStrategy } = require('passport-http')
@@ -60,7 +62,17 @@ module.exports = function (app, tracer) {
   }
 
   app.use(passport.initialize())
-  app.use(passport.session())
+
+  if (semver.satisfies(libraryVersion, '>=5.34.0', { includePrerelease: true })) {
+    app.use(require('express-session')({
+      secret: 'secret',
+      resave: false,
+      rolling: true,
+      saveUninitialized: false
+    }))
+
+    app.use(passport.session())
+  }
 
   passport.serializeUser((user, done) => {
     done(null, user.id)
diff --git a/utils/build/docker/nodejs/express/iast/exclusions.js b/utils/build/docker/nodejs/express/iast/exclusions.js
deleted file mode 100644
index fa36ec57fe..0000000000
--- a/utils/build/docker/nodejs/express/iast/exclusions.js
+++ /dev/null
@@ -1,14 +0,0 @@
-'use strict'
-
-const semver = require('semver')
-const version = require('dd-trace/package.json').version
-
-if (semver.satisfies(version, '<5.34.0')) {
-  const WeakHashAnalyzer = require('dd-trace/packages/dd-trace/src/appsec/iast/analyzers/weak-hash-analyzer.js')
-  const original = WeakHashAnalyzer._isExcluded
-
-  WeakHashAnalyzer._isExcluded = function wrappedIsExcluded (location) {
-    if (location.path.includes('express-session/index.js')) return true
-    else return original.apply(this, arguments)
-  }
-}
diff --git a/utils/build/docker/nodejs/express4-typescript/app.ts b/utils/build/docker/nodejs/express4-typescript/app.ts
index 94f695198f..6eddc9a02b 100644
--- a/utils/build/docker/nodejs/express4-typescript/app.ts
+++ b/utils/build/docker/nodejs/express4-typescript/app.ts
@@ -4,8 +4,6 @@ import { Request, Response } from "express";
 
 const tracer = require('dd-trace').init({ debug: true, flushInterval: 5000 });
 
-require('./iast/exclusions')
-
 const { promisify } = require('util')
 const app = require('express')()
 const axios = require('axios')
@@ -24,17 +22,10 @@ app.use(require('body-parser').json());
 app.use(require('body-parser').urlencoded({ extended: true }));
 app.use(require('express-xml-bodyparser')());
 app.use(require('cookie-parser')());
-app.use(require('express-session')({
-  secret: 'secret',
-  resave: false,
-  rolling: true,
-  saveUninitialized: false
-}))
 
 iast.initMiddlewares(app)
 
 require('./auth')(app, tracer)
-
 iast.initRoutes(app)
 
 app.get('/', (req: Request, res: Response) => {
diff --git a/utils/build/docker/nodejs/express4-typescript/auth.ts b/utils/build/docker/nodejs/express4-typescript/auth.ts
index ca897a8eb4..c00de08303 100644
--- a/utils/build/docker/nodejs/express4-typescript/auth.ts
+++ b/utils/build/docker/nodejs/express4-typescript/auth.ts
@@ -4,6 +4,8 @@ import type { Express, Request, Response, NextFunction } from "express";
 // @ts-ignore
 import type { Tracer } from "dd-trace";
 
+const semver = require('semver')
+const libraryVersion = require('dd-trace/package.json').version
 const passport = require('passport')
 const { Strategy: LocalStrategy } = require('passport-local')
 const { BasicStrategy } = require('passport-http')
@@ -66,7 +68,17 @@ module.exports = function (app: Express, tracer: Tracer) {
   }
 
   app.use(passport.initialize())
-  app.use(passport.session())
+
+  if (semver.satisfies(libraryVersion, '>=5.34.0', { includePrerelease: true })) {
+    app.use(require('express-session')({
+      secret: 'secret',
+      resave: false,
+      rolling: true,
+      saveUninitialized: false
+    }))
+
+    app.use(passport.session())
+  }
 
   passport.serializeUser((user: any, done: Function) => {
     done(null, user.id)
diff --git a/utils/build/docker/nodejs/express4-typescript/iast/exclusions.ts b/utils/build/docker/nodejs/express4-typescript/iast/exclusions.ts
deleted file mode 100644
index 5815747a4b..0000000000
--- a/utils/build/docker/nodejs/express4-typescript/iast/exclusions.ts
+++ /dev/null
@@ -1,14 +0,0 @@
-'use strict'
-
-const semver = require('semver')
-const version = require('dd-trace/package.json').version
-
-if (semver.satisfies(version, '<5.34.0')) {
-  const WeakHashAnalyzer = require('dd-trace/packages/dd-trace/src/appsec/iast/analyzers/weak-hash-analyzer.js')
-  const original = WeakHashAnalyzer._isExcluded
-
-  WeakHashAnalyzer._isExcluded = function wrappedIsExcluded (location: any) {
-    if (location.path.includes('express-session/index.js')) return true
-    else return original.apply(this, arguments)
-  }
-}

From f50c0fa4174e9cdbbc65c920645cacb0f81e51ec Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Fri, 31 Jan 2025 17:40:30 +0100
Subject: [PATCH 44/48] remove unecessary fixes

---
 utils/build/docker/nodejs/express4-typescript.Dockerfile | 2 --
 utils/build/docker/nodejs/express4.Dockerfile            | 2 --
 utils/build/docker/nodejs/express5.Dockerfile            | 2 --
 utils/build/docker/nodejs/uds-express4.Dockerfile        | 2 --
 4 files changed, 8 deletions(-)

diff --git a/utils/build/docker/nodejs/express4-typescript.Dockerfile b/utils/build/docker/nodejs/express4-typescript.Dockerfile
index 35fcaad795..2658f3607e 100644
--- a/utils/build/docker/nodejs/express4-typescript.Dockerfile
+++ b/utils/build/docker/nodejs/express4-typescript.Dockerfile
@@ -22,8 +22,6 @@ ENV PGPORT=5433
 
 ENV DD_DATA_STREAMS_ENABLED=true
 
-ENV DD_IAST_MAX_CONTEXT_OPERATIONS=5
-
 # docker startup
 COPY utils/build/docker/nodejs/app.sh app.sh
 RUN printf 'node dist/app.js' >> app.sh
diff --git a/utils/build/docker/nodejs/express4.Dockerfile b/utils/build/docker/nodejs/express4.Dockerfile
index 054ea65176..c3be9cf563 100644
--- a/utils/build/docker/nodejs/express4.Dockerfile
+++ b/utils/build/docker/nodejs/express4.Dockerfile
@@ -26,8 +26,6 @@ ENV PGPORT=5433
 
 ENV DD_DATA_STREAMS_ENABLED=true
 
-ENV DD_IAST_MAX_CONTEXT_OPERATIONS=5
-
 # docker startup
 COPY utils/build/docker/nodejs/app.sh app.sh
 RUN chmod +x app.sh
diff --git a/utils/build/docker/nodejs/express5.Dockerfile b/utils/build/docker/nodejs/express5.Dockerfile
index 11dedbf9e9..c270082c1e 100644
--- a/utils/build/docker/nodejs/express5.Dockerfile
+++ b/utils/build/docker/nodejs/express5.Dockerfile
@@ -26,8 +26,6 @@ ENV PGPORT=5433
 
 ENV DD_DATA_STREAMS_ENABLED=true
 
-ENV DD_IAST_MAX_CONTEXT_OPERATIONS=5
-
 # docker startup
 COPY utils/build/docker/nodejs/app.sh app.sh
 RUN chmod +x app.sh
diff --git a/utils/build/docker/nodejs/uds-express4.Dockerfile b/utils/build/docker/nodejs/uds-express4.Dockerfile
index 96f7a989eb..5a041a7922 100644
--- a/utils/build/docker/nodejs/uds-express4.Dockerfile
+++ b/utils/build/docker/nodejs/uds-express4.Dockerfile
@@ -29,8 +29,6 @@ ENV UDS_WEBLOG=1
 
 ENV DD_DATA_STREAMS_ENABLED=true
 
-ENV DD_IAST_MAX_CONTEXT_OPERATIONS=5
-
 # docker startup
 COPY utils/build/docker/nodejs/app.sh app.sh
 RUN printf 'node app.js' >> app.sh

From 9a7fcf586acc5ffc7001983f475080bab26980c2 Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Fri, 31 Jan 2025 18:07:25 +0100
Subject: [PATCH 45/48] turns out we actually need it

---
 utils/build/docker/nodejs/express4-typescript.Dockerfile | 2 ++
 utils/build/docker/nodejs/express4.Dockerfile            | 2 ++
 utils/build/docker/nodejs/express5.Dockerfile            | 2 ++
 utils/build/docker/nodejs/uds-express4.Dockerfile        | 2 ++
 4 files changed, 8 insertions(+)

diff --git a/utils/build/docker/nodejs/express4-typescript.Dockerfile b/utils/build/docker/nodejs/express4-typescript.Dockerfile
index 2658f3607e..35fcaad795 100644
--- a/utils/build/docker/nodejs/express4-typescript.Dockerfile
+++ b/utils/build/docker/nodejs/express4-typescript.Dockerfile
@@ -22,6 +22,8 @@ ENV PGPORT=5433
 
 ENV DD_DATA_STREAMS_ENABLED=true
 
+ENV DD_IAST_MAX_CONTEXT_OPERATIONS=5
+
 # docker startup
 COPY utils/build/docker/nodejs/app.sh app.sh
 RUN printf 'node dist/app.js' >> app.sh
diff --git a/utils/build/docker/nodejs/express4.Dockerfile b/utils/build/docker/nodejs/express4.Dockerfile
index c3be9cf563..054ea65176 100644
--- a/utils/build/docker/nodejs/express4.Dockerfile
+++ b/utils/build/docker/nodejs/express4.Dockerfile
@@ -26,6 +26,8 @@ ENV PGPORT=5433
 
 ENV DD_DATA_STREAMS_ENABLED=true
 
+ENV DD_IAST_MAX_CONTEXT_OPERATIONS=5
+
 # docker startup
 COPY utils/build/docker/nodejs/app.sh app.sh
 RUN chmod +x app.sh
diff --git a/utils/build/docker/nodejs/express5.Dockerfile b/utils/build/docker/nodejs/express5.Dockerfile
index c270082c1e..11dedbf9e9 100644
--- a/utils/build/docker/nodejs/express5.Dockerfile
+++ b/utils/build/docker/nodejs/express5.Dockerfile
@@ -26,6 +26,8 @@ ENV PGPORT=5433
 
 ENV DD_DATA_STREAMS_ENABLED=true
 
+ENV DD_IAST_MAX_CONTEXT_OPERATIONS=5
+
 # docker startup
 COPY utils/build/docker/nodejs/app.sh app.sh
 RUN chmod +x app.sh
diff --git a/utils/build/docker/nodejs/uds-express4.Dockerfile b/utils/build/docker/nodejs/uds-express4.Dockerfile
index 5a041a7922..96f7a989eb 100644
--- a/utils/build/docker/nodejs/uds-express4.Dockerfile
+++ b/utils/build/docker/nodejs/uds-express4.Dockerfile
@@ -29,6 +29,8 @@ ENV UDS_WEBLOG=1
 
 ENV DD_DATA_STREAMS_ENABLED=true
 
+ENV DD_IAST_MAX_CONTEXT_OPERATIONS=5
+
 # docker startup
 COPY utils/build/docker/nodejs/app.sh app.sh
 RUN printf 'node app.js' >> app.sh

From 2303435d06598bb430cbe6f3e621ac6750181909 Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Fri, 31 Jan 2025 23:22:03 +0100
Subject: [PATCH 46/48] one last fix

---
 manifests/nodejs.yml                              |  7 ++++---
 utils/build/docker/nodejs/express/auth.js         | 15 ++++++++++++---
 .../docker/nodejs/express4-typescript/auth.ts     | 15 ++++++++++++---
 3 files changed, 28 insertions(+), 9 deletions(-)

diff --git a/manifests/nodejs.yml b/manifests/nodejs.yml
index cc1f040aa8..81df5f0f8a 100644
--- a/manifests/nodejs.yml
+++ b/manifests/nodejs.yml
@@ -42,9 +42,10 @@ refs:
   - &ref_5_27_0 '>=5.27.0 || ^4.51.0'
   - &ref_5_29_0 '>=5.29.0 || ^4.53.0' # express 5 support
   - &ref_5_30_0 '>=5.30.0 || ^4.54.0'
-  - &ref_5_32_0 '>=5.32.0'  # keep the anchor as we may backport stuff to v4 later
+  - &ref_5_32_0 '>=5.32.0' # keep the anchor as we may backport stuff to v4 later
   - &ref_5_33_0 '>=5.33.0'
   - &ref_5_34_0 '>=5.34.0'
+  - &ref_5_35_0 '>=5.35.0'
 
 tests/:
   apm_tracing_e2e/:
@@ -551,10 +552,10 @@ tests/:
     test_automated_user_and_session_tracking.py:
       Test_Automated_Session_Blocking: missing_feature
       Test_Automated_User_Blocking:
-        '*': *ref_5_34_0
+        '*': *ref_5_35_0
         nextjs: missing_feature
       Test_Automated_User_Tracking:
-        '*': *ref_5_34_0
+        '*': *ref_5_35_0
         nextjs: missing_feature
     test_blocking_addresses.py:
       Test_BlockingGraphqlResolvers:
diff --git a/utils/build/docker/nodejs/express/auth.js b/utils/build/docker/nodejs/express/auth.js
index 61165ef2bb..5a87b346ef 100644
--- a/utils/build/docker/nodejs/express/auth.js
+++ b/utils/build/docker/nodejs/express/auth.js
@@ -2,6 +2,9 @@
 
 const semver = require('semver')
 const libraryVersion = require('dd-trace/package.json').version
+
+const shouldUseSession = semver.satisfies(libraryVersion, '>=5.35.0', { includePrerelease: true })
+
 const passport = require('passport')
 const { Strategy: LocalStrategy } = require('passport-local')
 const { BasicStrategy } = require('passport-http')
@@ -63,7 +66,7 @@ module.exports = function (app, tracer) {
 
   app.use(passport.initialize())
 
-  if (semver.satisfies(libraryVersion, '>=5.34.0', { includePrerelease: true })) {
+  if (shouldUseSession) {
     app.use(require('express-session')({
       secret: 'secret',
       resave: false,
@@ -119,8 +122,14 @@ module.exports = function (app, tracer) {
     next()
   })
 
-  app.use('/login/local', passport.authenticate('local', { failWithError: true }), handleError)
-  app.use('/login/basic', passport.authenticate('basic', { failWithError: true }), handleError)
+  app.use('/login/local', passport.authenticate('local', {
+    session: shouldUseSession,
+    failWithError: true
+  }), handleError)
+  app.use('/login/basic', passport.authenticate('basic', {
+    session: shouldUseSession,
+    failWithError: true
+  }), handleError)
 
   // only stop if unexpected error
   function handleError (err, req, res, next) {
diff --git a/utils/build/docker/nodejs/express4-typescript/auth.ts b/utils/build/docker/nodejs/express4-typescript/auth.ts
index c00de08303..f515b64de8 100644
--- a/utils/build/docker/nodejs/express4-typescript/auth.ts
+++ b/utils/build/docker/nodejs/express4-typescript/auth.ts
@@ -6,6 +6,9 @@ import type { Tracer } from "dd-trace";
 
 const semver = require('semver')
 const libraryVersion = require('dd-trace/package.json').version
+
+const shouldUseSession = semver.satisfies(libraryVersion, '>=5.35.0', { includePrerelease: true })
+
 const passport = require('passport')
 const { Strategy: LocalStrategy } = require('passport-local')
 const { BasicStrategy } = require('passport-http')
@@ -69,7 +72,7 @@ module.exports = function (app: Express, tracer: Tracer) {
 
   app.use(passport.initialize())
 
-  if (semver.satisfies(libraryVersion, '>=5.34.0', { includePrerelease: true })) {
+  if (shouldUseSession) {
     app.use(require('express-session')({
       secret: 'secret',
       resave: false,
@@ -125,8 +128,14 @@ module.exports = function (app: Express, tracer: Tracer) {
     next()
   })
 
-  app.use('/login/local', passport.authenticate('local', { failWithError: true }), handleError)
-  app.use('/login/basic', passport.authenticate('basic', { failWithError: true }), handleError)
+  app.use('/login/local', passport.authenticate('local', {
+    session: shouldUseSession,
+    failWithError: true
+  }), handleError)
+  app.use('/login/basic', passport.authenticate('basic', {
+    session: shouldUseSession,
+    failWithError: true
+  }), handleError)
 
   // only stop if unexpected error
   function handleError (err: any, req: Request, res: Response, next: NextFunction): void {

From a5b6271f6ab9356b339e35f8242ebc83ac5548a6 Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Mon, 3 Feb 2025 09:44:22 +0100
Subject: [PATCH 47/48] trigger CI


From 04c4cacb7d1c01850ad60b70083232ad3eff4323 Mon Sep 17 00:00:00 2001
From: simon-id <simon.id@datadoghq.com>
Date: Mon, 3 Feb 2025 09:47:39 +0100
Subject: [PATCH 48/48] trigger CI