Is this a security issue?
No.
Despite being advertised as supporting Connect as well as Express middleware, there are a number of Express dependencies which I believe should instead be avoided, or at least called out or made optional. For example, res.redirect is used (and in passport-local, req.query/req.body).
I thought I'd post here to get consensus on a general approach to the problem and then fix or document accordingly.