
Breaking changes from 1.6.1 to 1.7.1

Open stichiboi opened this issue 2 months ago • 3 comments

Checklist

  • [x] I have looked into the Readme and Examples, and have not found a suitable solution or answer.
  • [x] I have searched the issues and have not found a suitable solution or answer.
  • [x] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • [x] I agree to the terms within the Auth0 Code of Conduct.

Description

I tried updating to version 1.7.1 from 1.6.1, and my API started failing with error:

Request 'body' parameter must be a valid JSON object

I believe this is because a new validation was introduced

  function isJsonObject(input) {
    return (
      typeof input === 'object' &&
      input !== null &&
      !Array.isArray(input) &&
      !(input instanceof Map) &&
      !(input instanceof Set)
    );
  }

which checks that the body of the request is not an Array.

Could you either:

  1. Bump the major version instead of the minor
  2. Introduce a way to disable this validation

I am indeed passing arrays to my APIs

Is there a security reason for this validation? It's a pretty big breaking change to all my APIs if I cannot accept arrays anymore.

Reproduction

  1. Create a template NestJS app
  2. npm i express-oauth2-jwt-bearer@1.6.1
  3. Set up the auth middleware in main.ts:

  import { auth, AuthOptions } from "express-oauth2-jwt-bearer";

  const authConfig: AuthOptions = {
    authRequired: true,
    // secret: configService.get("AUTH0_SECRET"),
    issuerBaseURL: configService.get("AUTH0_ISSUER_BASE_URL"),
    audience: configService.get("AUTH0_AUDIENCE"),
    tokenSigningAlg: "RS256",
  };

  // Protect every route except those under /docs
  app.use(/^(?!\/docs).*$/, auth(authConfig));

  4. Create an endpoint that accepts an Array of items -> this will work

As soon as you update to 1.7.1 it will return an error

Additional context

No response

express-oauth2-jwt-bearer version

1.7.1

Node.js version

22.14.0

stichiboi, Sep 24 '25 07:09

Spent 2 days debugging this :) That was very frustrating... If you are developing auth foundation packages used by libraries people pay for, that should not happen.

ErikGro, Sep 29 '25 12:09

I just spent a couple of hours chasing this down. When I upgraded from 1.6.1 to 1.7.1 a request started failing with:

Request 'body' parameter must be a valid JSON object

The endpoint is like this, which should change the text on item 123 to 'Some Text'.

PATCH https://my.services/item/123/text
Content-Type: text/plain
Authorization: Bearer abcde12345

Some Text

An HTTP request body can be textual, a JSON object, or empty. Textual Content Types must be supported. Please fix this bug.

To stop https://my.services from throwing this error I rolled back to version 1.6.1 and the error is gone.

It is an Express 5.1.0 app running on NodeJS 22.20.0

thehabes, Oct 03 '25 17:10

I also noticed that on that same PATCH https://my.services/item/123/text request, if I omit the Authorization header I get an InvalidRequestError with a status code of 400 instead of the usual UnauthorizedError with a status code of 401.

thehabes, Oct 03 '25 17:10
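Added example, not code from the express-oauth2-jwt-bearer project or from anyone in this thread: a bearer-token extractor that follows RFC 6750, reads the request body only when it is form-encoded, and so treats the array and text/plain bodies described above as "no token in the body" instead of a 400, while a missing token still yields 401. The request shape `{ headers, body, query }` with lower-cased header names, and the error class, are assumptions of this example.

```javascript
// The 1.7.1 check quoted in the issue, reproduced here for comparison only.
function isJsonObject(input) {
  return typeof input === 'object' && input !== null &&
    !Array.isArray(input) && !(input instanceof Map) && !(input instanceof Set);
}

// Hypothetical error type: 400 for a malformed request, 401 when no token was sent.
class TokenError extends Error {
  constructor(status, code, message) {
    super(message);
    this.status = status;
    this.code = code;
  }
}

// req is an assumed plain shape: { headers: { lowercase names }, body, query }
function extractBearerToken(req) {
  const found = [];
  const authz = req.headers['authorization'];
  if (typeof authz === 'string') {
    const [scheme, ...rest] = authz.trim().split(/\s+/);
    if (/^bearer$/i.test(scheme)) {
      // "Bearer" with zero or several tokens is malformed; other schemes are ignored
      if (rest.length !== 1) throw new TokenError(400, 'invalid_request', 'Malformed Authorization header');
      found.push(rest[0]);
    }
  }
  // RFC 6750 section 2.2 defines the access_token body parameter only for
  // application/x-www-form-urlencoded bodies, so arrays, strings and empty
  // bodies under any other content type are never inspected or rejected.
  const ctype = String(req.headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (ctype === 'application/x-www-form-urlencoded' && isJsonObject(req.body) &&
      typeof req.body.access_token === 'string') {
    found.push(req.body.access_token);
  }
  if (req.query && typeof req.query.access_token === 'string') found.push(req.query.access_token);
  // RFC 6750 section 2: a client must not use more than one method in a request.
  if (found.length > 1) throw new TokenError(400, 'invalid_request', 'Multiple token locations used');
  // No token at all is an authentication failure (401), not a malformed request (400).
  if (found.length === 0) throw new TokenError(401, 'unauthorized', 'Missing bearer token');
  return found[0];
}

// Returns { token } on success or { status, code } for the two error classes.
function checkRequest(req) {
  try { return { token: extractBearerToken(req) }; }
  catch (e) { if (e instanceof TokenError) return { status: e.status, code: e.code }; throw e; }
}
```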