URGENT ISSUE NPM 0.5.1 BREAKING CHANGE PUBLISHED!??! (Error seen: 'middleware not in use') #877

Closed
jfstephe opened this issue Dec 16, 2021 · 16 comments
Labels
bug Something isn't working

Comments

@jfstephe

Hi,

Maximum strangeness. The latest version on npm is 0.5.1 with breaking changes (e.g. req._passport isn't defined, and therefore we got 'middleware not in use' related errors as-of-today's recent builds).

Can someone take a look at this urgently please, before more people are affected?

Thanks,
John

@jaredhanson
Owner

Can you please provide more details? The error message you are seeing ("middleware not in use") is not present in passport@0.5.1. It is present in prior releases of passport (0.5.0 and earlier). If you are seeing this error, it suggests that perhaps you have removed the initialize() middleware, but are still installing a prior release of passport which required it. Perhaps you have a package-lock.json pinned to an earlier release?

I am unable to reproduce this on my own environment. Any further details or stack traces you could provide would help diagnose the potential issue. Thanks.

@jfstephe
Author

jfstephe commented Dec 16, 2021

Hi @jaredhanson, if you take a look at the 'versions' tab on npm at https://www.npmjs.com/package/passport you will see the following:

0.5.1 was published 16 hours ago. Could this have been published by mistake? I'll look into this a bit more, but the fact that this was published and the GitHub package.json is on v0.5.0 is strange.

@nprail

nprail commented Dec 16, 2021

I'm seeing this issue as well. The issue occurs on passport 0.5.1 but not in 0.5.0. The initialize() middleware has not been removed. It looks like passport-accesstoken, which I have installed, depends on passport 0.1.18.

passport.initialize() middleware not in use

@nprail

nprail commented Dec 16, 2021

I switched from passport-accesstoken to passport-unique-token and that resolves the issue for me.

@jfstephe
Author

Yeah... .... is this possible if an auth provider hasn't upgraded to 0.5.1. They have a version 0.5.0 of (with the 'middleware not in use') msg but 0.5.1 is being used in the app which doesn't set req._passport?

Dunno, clutching at straws....

@jfstephe
Author

Stack trace. Note: passport-azure-ad/node_modules/passport/lib/http/request.js being used.

ERROR: App/20 on 48bf62950546: passport.initialize() middleware not in use
Error: passport.initialize() middleware not in use
at IncomingMessage.req.login.req.logIn (/home/TheApp/node_modules/passport-azure-ad/node_modules/passport/lib/http/request.js:46:34)
at /home/TheApp/api/user/authentication/strategies/licenseKey/LicenseKeyStrategyRoutes.js:88:25
at Strategy.strategy.success (/home/TheApp/node_modules/passport/lib/middleware/authenticate.js:222:18)
at verified (/home/TheApp/node_modules/passport-unique-token/lib/strategy.js:102:10)
at Strategy.verifyUniqueToken [as _verify] (/home/TheApp/api/user/authentication/strategies/licenseKey/LicenseKeyStrategyRoutes.js:27:20)
at Strategy.authenticate (/home/TheApp/node_modules/passport-unique-token/lib/strategy.js:107:12)
at attempt (/home/TheApp/node_modules/passport/lib/middleware/authenticate.js:369:16)
at authenticate (/home/TheApp/node_modules/passport/lib/middleware/authenticate.js:370:7)
at authenticator (/home/TheApp/api/user/authentication/strategies/licenseKey/LicenseKeyStrategyRoutes.js:103:15)
at Layer.handle [as handle_request] (/home/TheApp/node_modules/express/lib/router/layer.js:95:5)

@jaredhanson
Owner

> 0.5.1 was published 16 hours ago. could this have been published by mistake.

I know, I published it :) (and no, it wasn't a mistake...)

I'm confident there are no breaking changes here. @nprail's observation about passport-accesstoken is relevant here. Strategies should not be depending on _passport, since it's a private internal variable. That said, if they do, that will cause breakage. I don't believe that's a backwards compatibility issue with passport itself, but rather an unfortunate implementation detail in the strategy.

If we can pinpoint the strategies that are affected, we can make a plan to resolve.

@jaredhanson
Owner

> Stack trace. Note: passport-azure-ad/node_modules/passport/lib/http/request.js being used.

This is helpful, thanks. What version of passport-azure-ad is this?

@jfstephe
Author

https://github.com/AzureAD/passport-azure-ad - latest 4.3.1

@jaredhanson
Owner

Could you paste the output of npm la | grep "passport" here? It would help to understand if older versions of passport are being pulled in and creating a potential conflict.

@jfstephe
Author

npm la | grep "passport"
├── @types/passport-azure-ad@4.3.1
│ TypeScript definitions for passport-azure-ad
├── @types/passport-local@1.0.33
│ TypeScript definitions for passport-local
├── @types/passport-oauth2@1.4.10
│ TypeScript definitions for passport-oauth2
├── @types/passport-unique-token@1.0.2
│ TypeScript definitions for passport-unique-token
├── @types/passport@1.0.7
├── passport-azure-ad@4.3.0
├── passport-http-bearer@1.0.1
├── passport-local@1.0.0
├── passport-oauth2@1.5.0
├── passport-unique-token@0.1.4
│ Unique Token authentication strategy for Passport - modified from passport-local.
├── passport@0.5.0

@jaredhanson
Owner

Thanks for that info! I've set up a reproduction case, and can confirm that this error occurs when passport-azure-ad is a dependency. I'm working on a fix that restores compatibility.
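
The check the maintainer asks for above (are older copies of passport being pulled in alongside the top-level one?) can also be run against the lockfile. The following is an added example, not part of the original thread or of Passport's code; the function names are hypothetical, the sample lockfile is constructed, and the nested passport version is a placeholder because the thread does not state it.

```javascript
// Constructed sample in npm v7+ lockfile layout ("packages" keyed by install path).
// Package names come from the thread; the nested passport version is a placeholder.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "the-app" },
    "node_modules/passport": { version: "0.5.1" },
    "node_modules/passport-azure-ad": { version: "4.3.0" },
    "node_modules/passport-azure-ad/node_modules/passport": { version: "0.0.0-nested" },
    "node_modules/passport-unique-token": { version: "0.1.4" },
  },
};

// npm v6 lockfiles nest copies under each dependency's own "dependencies" map.
function walkV1(deps, owner, name, out) {
  for (const [dep, meta] of Object.entries(deps || {})) {
    if (dep === name) out.push({ version: meta.version, nestedUnder: owner });
    walkV1(meta.dependencies, dep, name, out);
  }
}

// List every installed copy of `name`; nestedUnder is null for the hoisted top-level copy.
function findCopies(lock, name) {
  const out = [];
  if (!lock.packages) {
    walkV1(lock.dependencies, null, name, out);
    return out;
  }
  const suffix = "node_modules/" + name;
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path !== suffix && !path.endsWith("/" + suffix)) continue;
    const parent = path.slice(0, -suffix.length).replace(/\/$/, "");
    out.push({
      version: meta.version,
      nestedUnder: parent ? parent.split("node_modules/").pop() : null,
    });
  }
  return out;
}

// More than one distinct version means two module instances can handle the same request.
function checkSingleVersion(lock, name) {
  const copies = findCopies(lock, name);
  const versions = [...new Set(copies.map((c) => c.version))].sort();
  return { name, versions, conflict: versions.length > 1, copies };
}

console.log(JSON.stringify(checkSingleVersion(sampleLock, "passport"), null, 2));
```

To use it on a real project, pass the parsed contents of package-lock.json instead of `sampleLock`; a `conflict: true` result for an authentication library is worth failing a CI build on.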

@jfstephe
Author

Awesome! Thanks :-)

@jaredhanson
Owner

I've published passport@0.5.2, which fixes these issues by merging #878. You'll need to continue using passport.initialize() middleware to have compatibility. Please let me know if this fixes the errors you are seeing, so I can close the bug. Thanks for reporting and providing the necessary details to reproduce!

@jfstephe
Author

jfstephe commented Dec 16, 2021

Hi Jared,
Thanks for addressing this. Probably won't get a chance to upgrade for a while now (Jan at the earliest). If you're happy to close I'm happy too (can raise another issue if problems arise in 0.5.2).

We had to go back to 0.5.0 to avoid the issue to get a release out. I just didn't want others to question their sanity like we did this morning :-).

Thanks for reacting so quickly, and not being annoyed when I didn't provide enough information initially :-).

@jaredhanson
Owner

Thanks @jfstephe. I'll go ahead and close because both I and another developer have confirmed that 0.5.2 fixes the issue. Thanks for the report, and sorry about causing your sanity to be questioned :). Enjoy the holiday, and if you run into anything else when upgrading, open another issue.
