Not compatible with express-jwt 6

[krazyjakee]

express-jwt 6 requires an algorithm to be explicitly specified.

See here: https://stackoverflow.com/questions/62665636/if-options-algorithms-throw-new-erroralgorithms-should-be-set-error-alg

[Wenish]

@krazyjakee can you maybe write a little bit more about youre issue then just a stackoverflow link?

[krazyjakee]

@Wenish wow, what a terrible ticket! I'm sorry, it was late, that's the only excuse I have 😄

I see you have a dependency (and peer dependency) of "express-jwt": "^5.3.1". There is a critical severity security issue on all versions prior to 5.3.3 here: GHSA-6g6m-m6h5-w9gf
It's patched in v6.0.0, however, that version explicitly requires you to supply an algorithm like so...

expressJwt({ secret:  process.env.JWT_SECRET, algorithms: ['SHA256'] });

This is missing currently:

colyseus-social/express/index.ts

Lines 32 to 43 in 7f56f3e

	const jwtMiddleware = jwt({
	secret: JWT_SECRET,
	userProperty: "cauth",
	getToken: function (req) {
	if (req.headers.authorization && req.headers.authorization.split(' ')[0] === 'Bearer') {
	return req.headers.authorization.split(' ')[1];
	} else if (req.query && req.query.token) {
	return req.query.token;
	}
	return null;
	}
	});