DataDog · simon-id · Feb 3, 2025 · Dec 24, 2024 · Dec 24, 2024 · Dec 24, 2024
@@ -42,7 +42,7 @@ refs:
   - &ref_5_27_0 '>=5.27.0 || ^4.51.0'
   - &ref_5_29_0 '>=5.29.0 || ^4.53.0' # express 5 support
   - &ref_5_30_0 '>=5.30.0 || ^4.54.0'
-  - &ref_5_32_0 '>=5.32.0'
+  - &ref_5_32_0 '>=5.32.0'  # keep the anchor as we may backport stuff to v4 later
   - &ref_5_33_0 '>=5.33.0'
 
 tests/:
@@ -530,21 +530,25 @@ tests/:
       Test_V2_Login_Events_RC: irrelevant
       Test_V3_Auto_User_Instrum_Mode_Capability: *ref_5_29_0
       Test_V3_Login_Events:
-          '*': *ref_5_29_0
-          nextjs: missing_feature
+        '*': *ref_5_29_0
+        nextjs: missing_feature
       Test_V3_Login_Events_Anon:
-          '*': *ref_5_29_0
-          nextjs: missing_feature
+        '*': *ref_5_29_0
+        nextjs: missing_feature
       Test_V3_Login_Events_Blocking:
-          '*': *ref_5_29_0
-          nextjs: missing_feature
+        '*': *ref_5_29_0
+        nextjs: missing_feature
       Test_V3_Login_Events_RC:
-          '*': *ref_5_29_0
-          nextjs: missing_feature
+        '*': *ref_5_29_0
+        nextjs: missing_feature
     test_automated_user_and_session_tracking.py:
       Test_Automated_Session_Blocking: missing_feature
-      Test_Automated_User_Blocking: missing_feature
-      Test_Automated_User_Tracking: missing_feature
+      Test_Automated_User_Blocking:
+        '*': *ref_5_33_0
+        nextjs: missing_feature
+      Test_Automated_User_Tracking:
+        '*': *ref_5_33_0
+        nextjs: missing_feature
     test_blocking_addresses.py:
       Test_BlockingGraphqlResolvers:
         '*': *ref_4_22_0
@@ -660,15 +664,15 @@ tests/:
       Test_Debugger_Expression_Language: missing_feature (feature not implented)
     test_debugger_pii.py:
       Test_Debugger_PII_Redaction:
-        "*": irrelevant
+        '*': irrelevant
         express4: v5.32.0
     test_debugger_probe_snapshot.py:
       Test_Debugger_Probe_Snaphots:
-        "*": irrelevant
+        '*': irrelevant
         express4: v5.32.0
     test_debugger_probe_status.py:
       Test_Debugger_Probe_Statuses:
-        "*": irrelevant
+        '*': irrelevant
         express4: v5.32.0
     test_debugger_symdb.py:
       Test_Debugger_SymDb: missing_feature (feature not implented)

@@ -5,11 +5,12 @@ const tracer = require('dd-trace').init({
   flushInterval: 5000
 })
 
+require('./iast/exclusions')
+
 const { promisify } = require('util')
 const app = require('express')()
 const axios = require('axios')
 const fs = require('fs')
-const passport = require('passport')
 const crypto = require('crypto')
 const pino = require('pino')
 
@@ -42,8 +43,16 @@ app.use(require('body-parser').json())
 app.use(require('body-parser').urlencoded({ extended: true }))
 app.use(require('express-xml-bodyparser')())
 app.use(require('cookie-parser')())
+app.use(require('express-session')({
+  secret: 'secret',
+  resave: false,
+  rolling: true,
+  saveUninitialized: true
+}))
 iast.initMiddlewares(app)
 
+require('./auth')(app, tracer)
+
 app.get('/', (req, res) => {
   console.log('Received a request')
   res.send('Hello\n')
@@ -458,8 +467,6 @@ iast.initRoutes(app, tracer)
 
 di.initRoutes(app)
 
-require('./auth')(app, passport, tracer)
-
 // try to flush as much stuff as possible from the library
 app.get('/flush', (req, res) => {
   // doesn't have a callback :(

@@ -1,5 +1,6 @@
 'use strict'
 
+const passport = require('passport')
 const { Strategy: LocalStrategy } = require('passport-local')
 const { BasicStrategy } = require('passport-http')
 
@@ -18,81 +19,110 @@ const users = [
   }
 ]
 
-module.exports = function (app, passport, tracer) {
-  passport.use(new LocalStrategy({ usernameField: 'username', passwordField: 'password' },
-    (username, password, done) => {
-      const user = users.find(user => (user.username === username) && (user.password === password))
-      if (!user) {
-        return done(null, false)
-      } else {
-        return done(null, user)
-      }
-    })
-  )
-
-  passport.use(new BasicStrategy((username, password, done) => {
-    const user = users.find(user => (user.username === username) && (user.password === password))
-    if (!user) {
-      return done(null, false)
-    } else {
-      return done(null, user)
-    }
-  }
-  ))
+function findUser (fields) {
+  return users.find((user) => {
+    return Object.entries(fields).every(([field, value]) => user[field] === value)
+  })
+}
 
-  function handleAuthentication (req, res, next, err, user, info) {
+module.exports = function (app, tracer) {
+  function shouldSdkBlock (req, res) {
     const event = req.query.sdk_event
     const userId = req.query.sdk_user || 'sdk_user'
     const userMail = req.query.sdk_mail || 'system_tests_user@system_tests_user.com'
     const exists = req.query.sdk_user_exists === 'true'
 
-    if (err) {
-      console.error('unexpected login error', err)
-      return next(err)
-    }
-    if (!user) {
-      if (event === 'failure') {
-        tracer.appsec.trackUserLoginFailureEvent(userId, exists, { metadata0: 'value0', metadata1: 'value1' })
-      }
+    res.statusCode = req.user ? 200 : 401
 
-      res.sendStatus(401)
+    if (event === 'failure') {
+      tracer.appsec.trackUserLoginFailureEvent(userId, exists, { metadata0: 'value0', metadata1: 'value1' })
+
+      res.statusCode = 401
     } else if (event === 'success') {
-      tracer.appsec.trackUserLoginSuccessEvent(
-        {
-          id: userId,
-          email: userMail,
-          name: 'system_tests_user'
-        },
-        {
-          metadata0: 'value0',
-          metadata1: 'value1'
-        }
-      )
-
-      res.sendStatus(200)
-    } else {
-      res.sendStatus(200)
+      const sdkUser = {
+        id: userId,
+        email: userMail,
+        name: 'system_tests_user'
+      }
+
+      tracer.appsec.trackUserLoginSuccessEvent(sdkUser, { metadata0: 'value0', metadata1: 'value1' })
+
+      const isUserBlocked = tracer.appsec.isUserBlocked(sdkUser)
+      if (isUserBlocked && tracer.appsec.blockRequest(req, res)) {
+        return true
+      }
+
+      res.statusCode = 200
     }
   }
 
-  function getStrategy (req, res, next) {
-    const auth = req.query && req.query.auth
-    if (auth === 'local') {
-      return passport.authenticate('local', { session: false }, function (err, user, info) {
-        handleAuthentication(req, res, next, err, user, info)
-      })(req, res, next)
+  app.use(passport.initialize())
+  app.use(passport.session())
+
+  passport.serializeUser((user, done) => {
+    done(null, user.id)
+  })
+
+  passport.deserializeUser((id, done) => {
+    const user = findUser({ id })
+
+    done(null, user)
+  })
+
+  passport.use(new LocalStrategy((username, password, done) => {
+    const user = findUser({ username, password })
+
+    done(null, user)
+  }))
+
+  passport.use(new BasicStrategy((username, password, done) => {
+    const user = findUser({ username, password })
+
+    done(null, user)
+  }))
+
+  // rewrite url depending on which strategy to use
+  app.all('/login', (req, res, next) => {
+    if (req.query.sdk_trigger === 'before' && shouldSdkBlock(req, res)) {
+      return
+    }
+
+    let newRoute
+
+    switch (req.query?.auth) {
+      case 'basic':
+        newRoute = '/login/basic'
+        break
+
+      case 'local':
+      default:
+        newRoute = '/login/local'
+    }
+
+    req.url = req.url.replace('/login', newRoute)
+
+    next()
+  })
+
+  app.use('/login/local', passport.authenticate('local', { failWithError: true }), handleError)
+  app.use('/login/basic', passport.authenticate('basic', { failWithError: true }), handleError)
+
+  // only stop if unexpected error
+  function handleError (err, req, res, next) {
+    if (err?.name !== 'AuthenticationError') {
+      console.error('unexpected login error', err)
+      next(err)
     } else {
-      return passport.authenticate('basic', { session: false }, function (err, user, info) {
-        handleAuthentication(req, res, next, err, user, info)
-      })(req, res, next)
+      next()
     }
   }
 
-  app.use(passport.initialize())
-  app.all('/login',
-    getStrategy,
-    (req, res, next) => {
-      res.sendStatus(200)
+  // callback for all strategies to run SDK
+  app.all('/login/*', (req, res) => {
+    if (req.query.sdk_trigger !== 'before' && shouldSdkBlock(req, res)) {
+      return
     }
-  )
+
+    res.sendStatus(res.statusCode || 200)
+  })
 }
diff --git a/utils/build/docker/nodejs/express/iast/exclusions.js b/utils/build/docker/nodejs/express/iast/exclusions.js
@@ -0,0 +1,14 @@
+'use strict'
+
+const semver = require('semver')
+const version = require('dd-trace/package.json').version
+
+if (semver.satisfies(version, '<5.33.0')) {
+  const WeakHashAnalyzer = require('dd-trace/packages/dd-trace/src/appsec/iast/analyzers/weak-hash-analyzer.js')
+  const original = WeakHashAnalyzer._isExcluded
+
+  WeakHashAnalyzer._isExcluded = function wrappedIsExcluded (location) {
+    if (location.path.includes('express-session/index.js')) return true
+    else return original.apply(this, arguments)
+  }
+}