@carisls/sso-standard 1.1.5 → 1.2.0

package/.gitlab-ci.yml

@@ -3,9 +3,12 @@ stages:
 
 publish:
   stage: publish
-  image: node:22-alpine
-  before_script: 
-    - echo -e "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> .npmrc
+  image: node:24-alpine
+  id_tokens:
+    NPM_ID_TOKEN:
+      aud: "npm:registry.npmjs.org"
+    SIGSTORE_ID_TOKEN:
+      aud: sigstore
   script:
     - npm i
     - npm run build --if-present

package/README.md

@@ -0,0 +1,351 @@
+# @carisls/sso-standard
+
+A middleware implementing standard OIDC/OAuth2 authorization code flow SSO for Express.js applications. This package provides a complete, ready-to-use authentication solution with automatic token management, session handling, and user mapping.
+
+## Features
+
+- 🔐 Complete OIDC/OAuth2 authorization code flow implementation
+- 🍪 Automatic cookie-based session management with encryption
+- 🔄 Automatic token refresh handling
+- 👤 User token mapping and request injection
+- 🛡️ Built-in authorization middleware
+- 🌐 Multi-provider support (Keycloak, Okta, and other OIDC providers)
+- 🔑 JWKS-based public key validation with caching
+- 📦 Supports both ESM and CommonJS
+- 🎯 Customizable endpoints and paths
+- 🔒 Secure cookie handling with encryption
+
+## Installation
+
+```bash
+npm install @carisls/sso-standard
+```
+
+## Quick Start
+
+### ESM (ECMAScript Modules)
+
+```javascript
+import express from 'express';
+import { router } from '@carisls/sso-standard';
+
+const app = express();
+
+app.use(router({
+  clientId: 'your-client-id',
+  clientSecret: 'your-client-secret',
+  // Simple format: comma-separated string
+  providers: 'https://auth.example.com',
+  // Or array format: providers: [{ ssoUrl: 'https://auth.example.com' }],
+  encPassword: 'your-encryption-password'
+}));
+
+app.listen(3000);
+```
+
+### CommonJS
+
+```javascript
+const express = require('express');
+const { router } = require('@carisls/sso-standard');
+
+const app = express();
+
+app.use(router({
+  clientId: 'your-client-id',
+  clientSecret: 'your-client-secret',
+  // Simple format: comma-separated string
+  providers: 'https://auth.example.com',
+  // Or array format: providers: [{ ssoUrl: 'https://auth.example.com' }],
+  encPassword: 'your-encryption-password'
+}));
+
+app.listen(3000);
+```
+
+## API Reference
+
+### `router(options)`
+
+Creates and configures an Express router with complete SSO authentication flow.
+
+**Parameters:**
+
+- `options` (Object): Configuration object with the following properties:
+  - `clientId` (string, **required**): SSO Client ID registered with your identity provider
+  - `clientSecret` (string, **required**): SSO Client Secret
+  - `providers` (string | Array<Object>, **required**): Provider configuration(s). Can be:
+    - A comma-separated string of provider URLs (e.g., `'https://auth1.example.com,https://auth2.example.com'`)
+    - An array of provider configuration objects:
+      - `ssoUrl` (string): Base URL for the provider (usually equal to `iss`). Used to discover OpenID Connect configuration
+      - `iss` (string, optional): Issuer identifier. If not provided, defaults to `ssoUrl`
+      - `publicKey` (string, optional): Static public key in PEM format (if not using JWKS)
+  - `encPassword` (string, **required**): Password used for encrypting cookies
+  - `encPasswordSalt` (string, optional): Salt for password derivation (default: `'C5mp4Hl$X9wby#s5'`)
+  - `encIterationCount` (number, optional): Iteration count for key derivation (default: `123123`)
+  - `publicKeyCache` (number, optional): Public key caching expiration in seconds (default: `300`)
+  - `expOffset` (number, optional): Force renewal of tokens earlier (in seconds) to handle clock skew issues (default: `0`)
+  - `groups` (boolean, optional): Request groups scope from the provider (default: `true`)
+  - `userMapper` (function, optional): Custom function to map tokens to user object. Signature: `(token, idToken) => userObject`
+  - `paths` (Object, optional): Customize default endpoint paths
+    - `login` (string, default: `'/login'`): Login initiation endpoint
+    - `sso` (string, default: `'/sso'`): SSO callback endpoint
+    - `afterLogin` (string, default: `'/'`): Redirect after successful login
+    - `logout` (string, default: `'/logout'`): Logout initiation endpoint
+    - `afterLogout` (string, default: `'/'`): Redirect after successful logout
+
+**Returns:** Express Router instance with the following endpoints configured:
+- `GET /login` (or custom path): Initiates SSO login flow
+- `GET /sso` (or custom path): Handles SSO callback and token exchange
+- `GET /logout` (or custom path): Initiates logout flow
+- Automatic token refresh middleware
+- User injection middleware (adds `req.user` to authenticated requests)
+
+**Example:**
+
+```javascript
+import express from 'express';
+import { router } from '@carisls/sso-standard';
+
+const app = express();
+
+app.use(router({
+  clientId: 'my-app-client',
+  clientSecret: 'my-secret-key',
+  // Simple format: comma-separated string
+  providers: 'https://auth.example.com',
+  // Or detailed format: array of objects
+  // providers: [
+  //   {
+  //     ssoUrl: 'https://auth.example.com',
+  //     // iss defaults to ssoUrl if not provided
+  //   }
+  // ],
+  encPassword: 'my-encryption-password-123',
+  publicKeyCache: 600,
+  expOffset: 60,
+  groups: true,
+  paths: {
+    login: '/auth/login',
+    sso: '/auth/callback',
+    afterLogin: '/dashboard',
+    logout: '/auth/logout',
+    afterLogout: '/'
+  },
+  userMapper: (token, idToken) => {
+    return {
+      id: token.sub,
+      email: token.email,
+      name: token.name,
+      roles: token.roles || []
+    };
+  }
+}));
+
+// Protected route - user is automatically available via req.user
+app.get('/dashboard', (req, res) => {
+  res.json({
+    message: 'Welcome!',
+    user: req.user
+  });
+});
+
+app.listen(3000);
+```
+
+### `authorize(role, exceptions, redirectToLogin)`
+
+Express.js middleware for authorization filtering based on user roles. This middleware works in conjunction with the router to provide role-based access control.
+
+**Parameters:**
+
+- `role` (string | string[] | undefined, optional): Role(s) to filter by. If `undefined`, only checks for authenticated user.
+- `exceptions` (string[] | undefined, optional): Array of URL paths to skip authorization checks.
+- `redirectToLogin` (boolean, default: `false`): If `true`, redirects to login page instead of returning 401.
+
+**Returns:** Express middleware function `(req, res, next) => void`
+
+**Example:**
+
+```javascript
+import express from 'express';
+import { router, authorize } from '@carisls/sso-standard';
+
+const app = express();
+
+// Setup SSO router
+app.use(router({
+  clientId: 'my-client-id',
+  clientSecret: 'my-secret',
+  // Simple format: comma-separated string
+  providers: 'https://auth.example.com',
+  // Or array format: providers: [{ ssoUrl: 'https://auth.example.com' }],
+  encPassword: 'encryption-password'
+}));
+
+// Require any authenticated user
+app.use(authorize());
+
+// Require specific role
+app.get('/admin', authorize('admin'), (req, res) => {
+  res.json({ message: 'Admin access granted', user: req.user });
+});
+
+// Require one of multiple roles
+app.get('/dashboard', authorize(['admin', 'user']), (req, res) => {
+  res.json({ message: 'Dashboard access', user: req.user });
+});
+
+// With exceptions and redirect
+app.use(authorize('user', ['/public', '/health'], true));
+
+app.listen(3000);
+```
+
+## Complete Example
+
+```javascript
+import express from 'express';
+import { router, authorize } from '@carisls/sso-standard';
+
+const app = express();
+
+// Configure SSO middleware
+app.use(router({
+  clientId: process.env.SSO_CLIENT_ID,
+  clientSecret: process.env.SSO_CLIENT_SECRET,
+  // Simple format: comma-separated string (iss defaults to ssoUrl)
+  providers: process.env.SSO_URL,
+  // Or array format with custom iss:
+  // providers: [
+  //   {
+  //     ssoUrl: process.env.SSO_URL,
+  //     iss: process.env.SSO_ISSUER // optional, defaults to ssoUrl
+  //   }
+  // ],
+  encPassword: process.env.ENCRYPTION_PASSWORD,
+  publicKeyCache: 600,
+  paths: {
+    login: '/login',
+    sso: '/sso',
+    afterLogin: '/dashboard',
+    logout: '/logout',
+    afterLogout: '/'
+  }
+}));
+
+// Public routes
+app.get('/', (req, res) => {
+  res.send('Welcome! <a href="/login">Login</a>');
+});
+
+// Protected routes - require authentication
+app.get('/dashboard', authorize(), (req, res) => {
+  res.json({
+    message: 'Dashboard',
+    user: req.user
+  });
+});
+
+// Admin routes - require admin role
+app.get('/admin', authorize('admin'), (req, res) => {
+  res.json({
+    message: 'Admin panel',
+    user: req.user
+  });
+});
+
+// API routes with role-based access
+app.get('/api/users', authorize(['admin', 'user-manager']), (req, res) => {
+  res.json({ users: [] });
+});
+
+app.listen(3000, () => {
+  console.log('Server running on http://localhost:3000');
+});
+```
+
+## How It Works
+
+1. **Login Flow**: When a user visits `/login`, they are redirected to the identity provider's authorization endpoint with the appropriate OAuth2 parameters.
+
+2. **Callback Handling**: After authentication, the provider redirects back to `/sso` with an authorization code. The middleware exchanges this code for access, refresh, and ID tokens.
+
+3. **Token Storage**: Tokens are encrypted and stored in HTTP-only cookies:
+   - `x-session`: Encrypted access token
+   - `x-session-sso`: Encrypted refresh token
+   - `x-session-id`: Encrypted ID token (used for logout)
+
+4. **User Injection**: On each request, the middleware decrypts tokens, validates them, and injects a `req.user` object containing user information.
+
+5. **Token Refresh**: The middleware automatically refreshes access tokens when they expire using the stored refresh token.
+
+6. **Logout**: Visiting `/logout` clears all cookies and redirects to the identity provider's logout endpoint.
+
+## Supported Providers
+
+This package works with any OIDC-compliant identity provider, including:
+
+- **Keycloak**
+- **Okta**
+- **Auth0**
+- **Azure AD**
+- **Google Identity Platform**
+- Any other OIDC/OAuth2 provider
+
+## User Object Structure
+
+By default, the `req.user` object follows this structure (can be customized with `userMapper`):
+
+```typescript
+{
+  iss: string;              // Issuer
+  id: string;               // User ID (from 'sub')
+  sid?: string;             // Session ID
+  sa: boolean;              // Service account flag
+  azp?: string;             // Authorized party
+  name?: {                  // Name object (if available)
+    full: string;
+    familyName: string;
+    givenName: string;
+  };
+  email?: string;           // Email (if available)
+  roles: string[];          // User roles
+}
+```
+
+## Environment Variables
+
+For production use, store sensitive values in environment variables:
+
+```bash
+SSO_CLIENT_ID=your-client-id
+SSO_CLIENT_SECRET=your-client-secret
+SSO_URL=https://auth.example.com
+SSO_ISSUER=https://auth.example.com
+ENCRYPTION_PASSWORD=your-strong-encryption-password
+```
+
+## Security Considerations
+
+- **Cookie Encryption**: All tokens are encrypted before being stored in cookies
+- **HTTP-Only Cookies**: Prevents XSS attacks by making cookies inaccessible to JavaScript
+- **Secure Cookies**: Automatically enabled when using HTTPS
+- **Token Validation**: All tokens are validated using JWKS before use
+- **Automatic Refresh**: Tokens are refreshed before expiration to prevent service interruption
+
+## Dependencies
+
+- `@carisls/sso-core`: Core SSO utilities (token validation, encryption, etc.)
+- `express`: Web framework
+- `cookie-parser`: Cookie parsing middleware
+- `debug`: Debug logging utility
+
+## License
+
+MIT
+
+## Author
+
+Mihovil Strujic <mstrujic@carisls.com>
+

package/cjs/authorize.cjs

@@ -6,19 +6,17 @@ function checkException (url, exceptions) {
     return false;
 
   for (let i = 0; i < exceptions.length; i++) {
-    if (url.length === exceptions[i].length)
-      return true;
-    else if (url.length > exceptions[i].length && url.substr(0, exceptions[i].length) === exceptions[i])
+    if (url.startsWith(exceptions[i]))
       return true;
   }
   return false;
 }
 /**
  * @description A helper middleware to perform authorization filtering
- * @param {*} role Role (string) or an array of roles to filter by (optional)
- * @param {*} exceptions Array of urls to skip
- * @param {*} redirectToLogin If user needs to be redirected to login in case of unsuccessful validation
- * @returns
+ * @param {string|string[]} role Role (string) or an array of roles to filter by (optional)
+ * @param {string[]} exceptions Array of urls to skip
+ * @param {boolean} redirectToLogin If user needs to be redirected to login in case of unsuccessful validation
+ * @returns {import('express').RequestHandler} Express middleware function
  */
 
 function authorize (role, exceptions, redirectToLogin = false) {
@@ -26,13 +24,13 @@ function authorize (role, exceptions, redirectToLogin = false) {
   // Check if this is login or sso url
     if (req.url.match(/^\/login/i) || req.url.match(/^\/sso/i)) {
       debug(`Url ${req.url} is exception from default authorization rules`);
-      next();
+      return next();
     }
 
     // Apply exceptions
     if (checkException(req.url, exceptions)) {
       debug(`Url ${req.url} is exception from authorization rules`);
-      next();
+      return next();
     }
 
     // If there is no known user, return 401

package/cjs/index.cjs

@@ -6,14 +6,14 @@ const authorize = require('./authorize.cjs');
 /**
  *
  * @param {Object} options Options for this router
- * @param {string} options.ssoUrl Base url for provider (usually equal to iss)
  * @param {string} options.clientId SSO Client ID
+ * @param {string} options.clientSecret SSO Client Secret
  * @param {number} options.publicKeyCache Public key caching expiration (in seconds)
  * @param {number} options.expOffset Force nenewal of tokens a bit earlier (in case of problems)
- * @param {Object[]} options.providers An array of different providers
- * @param {Object[]} options.providers[].ssoUrl Base url for provider (usually equal to iss)
- * @param {Object[]} options.providers[].iss If different than ssoUrl
- * @param {Object[]} options.providers[].publicKey If different than ssoUrl
+ * @param {string|Object[]} options.providers Provider configuration(s). Can be a comma-separated string of provider URLs or an array of provider objects
+ * @param {string} options.providers[].ssoUrl Base url for provider (usually equal to iss). Used to discover OpenID Connect configuration
+ * @param {string} [options.providers[].iss] Issuer identifier. If not provided, defaults to ssoUrl
+ * @param {string} [options.providers[].publicKey] Static public key in PEM format (if not using JWKS)
  * @param {string} options.encPassword Password to be used for cookies encryption
  * @param {string} options.encPasswordSalt Password salt to be used for cookies encription (optional)
  * @param {string} options.encIterationCount Iteration Count to be used for cookies encription (optional)
@@ -25,22 +25,27 @@ const authorize = require('./authorize.cjs');
  * @param {string} options.paths.logout Change default logout init endpoint from /logout
  * @param {string} options.paths.afterLogout Change default logout final endpoint after a successful logout from /
  * @param {boolean} options.groups To request groups scope (default is true)
- * @returns
+ * @returns {import('express').Router} Express router instance
  */
 const router = (options) => {
   // Check options
   if (!options)
     throw Error('You need to set options parameter');
 
+  if (!options.providers)
+    throw Error('providers is always required');
+
   // Extract providers
-  const providers = options.providers?.split ? options.providers.split(',').map(i => ({ ssoUrl: i })) : options.providers;
+  const providers = typeof options.providers === 'string'
+    ? options.providers.split(',').map(i => ({ ssoUrl: i.trim() }))
+    : options.providers;
+
+  if (!Array.isArray(providers) || providers.length === 0)
+    throw Error('providers must be a non-empty array or comma-separated string');
 
   // Pick the first provider
   providers.splice(1);
 
-  if (!options.providers)
-    throw Error('providers is always required');
-
   if (!options.clientId || !options.clientSecret)
     throw Error('clientId and clientSecret are required');
 

package/cjs/shared/cookies/cookieParser.cjs

@@ -1,7 +1,7 @@
 const cookieParserModule = require('cookie-parser');
 function cookieParser (router) {
   router.use((req, res, next) => {
-    if (req.cookie)
+    if (req.cookies)
       next(); // Cookie parser is already attached
     else
       cookieParserModule()(req, res, next); // Cookie parser is needed

package/cjs/standard/index.cjs

@@ -18,7 +18,10 @@ function index (router, clientId, clientSecret, issuerSelector, encryptor, userM
   cookieParserModule(router);
 
   // Issuer Selector
-  const tokenValidator = issuerSelector.providers[Object.keys(issuerSelector.providers)[0]].validator;
+  const providerKeys = Object.keys(issuerSelector.providers);
+  if (providerKeys.length === 0)
+    throw new Error('No providers configured in issuerSelector');
+  const tokenValidator = issuerSelector.providers[providerKeys[0]].validator;
 
   // Instantiate client
   const client = {
@@ -26,7 +29,7 @@ function index (router, clientId, clientSecret, issuerSelector, encryptor, userM
       client_id: clientId,
       client_secret: clientSecret
     },
-    issuer: issuerSelector.providers[Object.keys(issuerSelector.providers)[0]].issuer
+    issuer: issuerSelector.providers[providerKeys[0]].issuer
   };
 
   // Instantiate token modules

package/cjs/standard/refreshRequest.cjs

@@ -21,9 +21,9 @@ function refreshRequest (router, client, encryptor, accessTokenModule, refreshTo
         idTokenModule(res, tokens.id_token, req.protocol === 'https'),
         refreshTokenModule(res, tokens.refresh_token, req.protocol === 'https')
       ]))
-      .then(([{ token }, { idToken }]) => {
-        req.token = token;
-        req.idToken = idToken;
+      .then((results) => {
+        if (results[0]?.token) req.token = results[0].token;
+        if (results[1]?.idToken) req.idToken = results[1].idToken;
       })
       .catch((err) => {
         console.error(err);

package/esm/authorize.js

@@ -6,19 +6,17 @@ function checkException (url, exceptions) {
     return false;
 
   for (let i = 0; i < exceptions.length; i++) {
-    if (url.length === exceptions[i].length)
-      return true;
-    else if (url.length > exceptions[i].length && url.substr(0, exceptions[i].length) === exceptions[i])
+    if (url.startsWith(exceptions[i]))
       return true;
   }
   return false;
 }
 /**
  * @description A helper middleware to perform authorization filtering
- * @param {*} role Role (string) or an array of roles to filter by (optional)
- * @param {*} exceptions Array of urls to skip
- * @param {*} redirectToLogin If user needs to be redirected to login in case of unsuccessful validation
- * @returns
+ * @param {string|string[]} role Role (string) or an array of roles to filter by (optional)
+ * @param {string[]} exceptions Array of urls to skip
+ * @param {boolean} redirectToLogin If user needs to be redirected to login in case of unsuccessful validation
+ * @returns {import('express').RequestHandler} Express middleware function
  */
 
 function authorize (role, exceptions, redirectToLogin = false) {
@@ -26,13 +24,13 @@ function authorize (role, exceptions, redirectToLogin = false) {
   // Check if this is login or sso url
     if (req.url.match(/^\/login/i) || req.url.match(/^\/sso/i)) {
       debug(`Url ${req.url} is exception from default authorization rules`);
-      next();
+      return next();
     }
 
     // Apply exceptions
     if (checkException(req.url, exceptions)) {
       debug(`Url ${req.url} is exception from authorization rules`);
-      next();
+      return next();
     }
 
     // If there is no known user, return 401

package/esm/index.js

@@ -1,19 +1,19 @@
 import { Router } from 'express';
 import { issuerSelectorModule, encryptorModule, HttpError } from '@carisls/sso-core';
 import standardRouterModule from './standard/index.js';
-import authorize from '../cjs/authorize.cjs';
+import authorize from './authorize.js';
 
 /**
  *
  * @param {Object} options Options for this router
- * @param {string} options.ssoUrl Base url for provider (usually equal to iss)
  * @param {string} options.clientId SSO Client ID
+ * @param {string} options.clientSecret SSO Client Secret
  * @param {number} options.publicKeyCache Public key caching expiration (in seconds)
  * @param {number} options.expOffset Force nenewal of tokens a bit earlier (in case of problems)
- * @param {Object[]} options.providers An array of different providers
- * @param {Object[]} options.providers[].ssoUrl Base url for provider (usually equal to iss)
- * @param {Object[]} options.providers[].iss If different than ssoUrl
- * @param {Object[]} options.providers[].publicKey If different than ssoUrl
+ * @param {string|Object[]} options.providers Provider configuration(s). Can be a comma-separated string of provider URLs or an array of provider objects
+ * @param {string} options.providers[].ssoUrl Base url for provider (usually equal to iss). Used to discover OpenID Connect configuration
+ * @param {string} [options.providers[].iss] Issuer identifier. If not provided, defaults to ssoUrl
+ * @param {string} [options.providers[].publicKey] Static public key in PEM format (if not using JWKS)
  * @param {string} options.encPassword Password to be used for cookies encryption
  * @param {string} options.encPasswordSalt Password salt to be used for cookies encription (optional)
  * @param {string} options.encIterationCount Iteration Count to be used for cookies encription (optional)
@@ -24,24 +24,28 @@ import authorize from '../cjs/authorize.cjs';
  * @param {string} options.paths.afterLogin Change default final endpoint after successful login from /
  * @param {string} options.paths.logout Change default logout init endpoint from /logout
  * @param {string} options.paths.afterLogout Change default logout final endpoint after a successful logout from /
- * @param {boolean} options.useCachedSession Whether or not to store access token to cache instead of a cookie (if larger than 4096)
  * @param {boolean} options.groups To request groups scope (default is true)
- * @returns
+ * @returns {import('express').Router} Express router instance
  */
 const router = (options) => {
   // Check options
   if (!options)
     throw Error('You need to set options parameter');
 
+  if (!options.providers)
+    throw Error('providers is always required');
+
   // Extract providers
-  const providers = options.providers?.split ? options.providers.split(',').map(i => ({ ssoUrl: i })) : options.providers;
+  const providers = typeof options.providers === 'string'
+    ? options.providers.split(',').map(i => ({ ssoUrl: i.trim() }))
+    : options.providers;
+
+  if (!Array.isArray(providers) || providers.length === 0)
+    throw Error('providers must be a non-empty array or comma-separated string');
 
   // Pick the first provider
   providers.splice(1);
 
-  if (!options.providers)
-    throw Error('providers is always required');
-
   if (!options.clientId || !options.clientSecret)
     throw Error('clientId and clientSecret are required');
 

package/esm/shared/cookies/cookieParser.js

@@ -1,7 +1,7 @@
 import cookieParserModule from 'cookie-parser';
 function cookieParser (router) {
   router.use((req, res, next) => {
-    if (req.cookie)
+    if (req.cookies)
       next(); // Cookie parser is already attached
     else
       cookieParserModule()(req, res, next); // Cookie parser is needed

package/esm/standard/index.js

@@ -18,7 +18,10 @@ function index (router, clientId, clientSecret, issuerSelector, encryptor, userM
   cookieParserModule(router);
 
   // Issuer Selector
-  const tokenValidator = issuerSelector.providers[Object.keys(issuerSelector.providers)[0]].validator;
+  const providerKeys = Object.keys(issuerSelector.providers);
+  if (providerKeys.length === 0)
+    throw new Error('No providers configured in issuerSelector');
+  const tokenValidator = issuerSelector.providers[providerKeys[0]].validator;
 
   // Instantiate client
   const client = {
@@ -26,7 +29,7 @@ function index (router, clientId, clientSecret, issuerSelector, encryptor, userM
       client_id: clientId,
       client_secret: clientSecret
     },
-    issuer: issuerSelector.providers[Object.keys(issuerSelector.providers)[0]].issuer
+    issuer: issuerSelector.providers[providerKeys[0]].issuer
   };
 
   // Instantiate token modules

package/esm/standard/refreshRequest.js

@@ -21,9 +21,9 @@ function refreshRequest (router, client, encryptor, accessTokenModule, refreshTo
         idTokenModule(res, tokens.id_token, req.protocol === 'https'),
         refreshTokenModule(res, tokens.refresh_token, req.protocol === 'https')
       ]))
-      .then(([{ token }, { idToken }]) => {
-        req.token = token;
-        req.idToken = idToken;
+      .then((results) => {
+        if (results[0]?.token) req.token = results[0].token;
+        if (results[1]?.idToken) req.idToken = results[1].idToken;
       })
       .catch((err) => {
         console.error(err);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@carisls/sso-standard",
-  "version": "1.1.5",
+  "version": "1.2.0",
   "description": "A middleware implementing standard flow SSO",
   "main": "cjs/index.cjs",
   "module": "esm/index.js",
@@ -25,13 +25,13 @@
   "author": "Mihovil Strujic <mstrujic@carisls.com>",
   "license": "MIT",
   "dependencies": {
-    "@carisls/sso-core": "1.1.3",
+    "@carisls/sso-core": "1.2.0",
     "cookie-parser": "^1.4.7",
-    "debug": "^4.4.0",
-    "express": "^5.1.0"
+    "debug": "^4.4.3",
+    "express": "^5.2.1"
   },
   "devDependencies": {
-    "eslint": "^9.24.0",
-    "neostandard": "^0.12.1"
+    "eslint": "^9.39.2",
+    "neostandard": "^0.12.2"
   }
 }