curityio · gary-archer · Jan 2, 2026 · Jan 2, 2026 · Jan 2, 2026
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:20-bookworm-slim
+FROM node:22-bookworm-slim
 
 RUN groupadd --gid 10000 apiuser \
   && useradd --uid 10001 --gid apiuser --shell /bin/bash --create-home apiuser

diff --git a/doc/Setup.md b/doc/Setup.md
@@ -6,7 +6,7 @@ Follow the below steps to get set up for developing and testing the OAuth Agent
 
 Ensure that these tools are installed locally:
 
-- [Node.js 20+](https://nodejs.org/en/download/)
+- [Node.js 22+](https://nodejs.org/en/download/)
 - [Docker](https://www.docker.com/products/docker-desktop)
 - [jq](https://stedolan.github.io/jq/download/)
 

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -12,33 +12,27 @@
     "license": "Apache-2.0",
     "type": "module",
     "engines": {
-        "node": ">=20"
+        "node": ">=22"
     },
     "dependencies": {
-        "base64url": "^3.0.1",
-        "cookie": "^1.0.1",
+        "cookie": "^1.1.1",
         "cookie-parser": "^1.4.6",
         "cors": "^2.8.5",
-        "express": "^4.21.2",
-        "jose": "^6.0.10",
-        "node-fetch": "^3.3.2",
-        "url-parse": "^1.5.10"
+        "express": "^5.2.1",
+        "jose": "^6.1.3"
     },
     "devDependencies": {
-        "@types/chai": "^4.3.11",
-        "@types/cookie": "^0.6.0",
+        "@types/chai": "^4.3.20",
         "@types/cookie-parser": "^1.4.6",
         "@types/cors": "^2.8.17",
-        "@types/express": "^4.17.21",
-        "@types/mocha": "^10.0.6",
-        "@types/node-fetch": "^2.6.9",
-        "@types/set-cookie-parser": "^2.4.7",
-        "@types/url-parse": "^1.4.11",
-        "chai": "^4.3.10",
-        "mocha": "^10.5.2",
-        "set-cookie-parser": "^2.6.0",
-        "tsx": "^4.19.3",
-        "typescript": "^5.8.3",
-        "wiremock": "^3.8.0"
+        "@types/express": "^5.0.6",
+        "@types/mocha": "^10.0.10",
+        "@types/set-cookie-parser": "^2.4.10",
+        "chai": "^4.5.0",
+        "mocha": "^11.7.5",
+        "set-cookie-parser": "^2.7.2",
+        "tsx": "^4.21.0",
+        "typescript": "^5.9.3",
+        "wiremock": "^3.13.2"
     }
 }
diff --git a/src/controller/ClaimsController.ts b/src/controller/ClaimsController.ts
@@ -19,13 +19,12 @@ import {getIDCookieName, getIDTokenClaims, ValidateRequestOptions} from '../lib/
 import {config} from '../config.js'
 import validateExpressRequest from '../validateExpressRequest.js'
 import {InvalidCookieException} from '../lib/exceptions/index.js'
-import {asyncCatch} from '../middleware/exceptionMiddleware.js';
 
 class ClaimsController {
     public router = express.Router()
 
     constructor() {
-        this.router.get('/', asyncCatch(this.getClaims))
+        this.router.get('/', this.getClaims)
     }
 
     getClaims = async (req: express.Request, res: express.Response, next: express.NextFunction) => {

diff --git a/src/controller/LoginController.ts b/src/controller/LoginController.ts
@@ -31,14 +31,13 @@ import {
 } from '../lib/index.js'
 import {config} from '../config.js'
 import validateExpressRequest from '../validateExpressRequest.js'
-import {asyncCatch} from '../middleware/exceptionMiddleware.js';
 
 class LoginController {
     public router = express.Router()
 
     constructor() {
-        this.router.post('/start', asyncCatch(this.startLogin))
-        this.router.post('/end', asyncCatch(this.handlePageLoad))
+        this.router.post('/start', this.startLogin)
+        this.router.post('/end', this.handlePageLoad)
     }
 
     /*

diff --git a/src/controller/LogoutController.ts b/src/controller/LogoutController.ts
@@ -19,13 +19,12 @@ import {config} from '../config.js'
 import {getATCookieName, getCookiesForUnset, getLogoutURL, ValidateRequestOptions} from '../lib/index.js'
 import {InvalidCookieException} from '../lib/exceptions/index.js'
 import validateExpressRequest from '../validateExpressRequest.js'
-import {asyncCatch} from '../middleware/exceptionMiddleware.js';
 
 class LogoutController {
     public router = express.Router()
 
     constructor() {
-        this.router.post('/', asyncCatch(this.logoutUser))
+        this.router.post('/', this.logoutUser)
     }
 
     logoutUser = async (req: express.Request, res: express.Response, next: express.NextFunction) => {

diff --git a/src/controller/RefreshTokenController.ts b/src/controller/RefreshTokenController.ts
@@ -21,13 +21,12 @@ import {
 } from '../lib/index.js'
 import {InvalidCookieException} from '../lib/exceptions/index.js'
 import validateExpressRequest from '../validateExpressRequest.js'
-import {asyncCatch} from '../middleware/exceptionMiddleware.js';
 
 class RefreshTokenController {
     public router = express.Router()
 
     constructor() {
-        this.router.post('/', asyncCatch(this.RefreshTokenFromCookie))
+        this.router.post('/', this.RefreshTokenFromCookie)
     }
 
     RefreshTokenFromCookie = async (req: express.Request, res: express.Response, next: express.NextFunction) => {

diff --git a/src/controller/UserInfoController.ts b/src/controller/UserInfoController.ts
@@ -19,13 +19,12 @@ import {getATCookieName, getUserInfo, ValidateRequestOptions} from '../lib/index
 import {config} from '../config.js'
 import validateExpressRequest from '../validateExpressRequest.js'
 import {InvalidCookieException} from '../lib/exceptions/index.js'
-import {asyncCatch} from '../middleware/exceptionMiddleware.js';
 
 class UserInfoController {
     public router = express.Router()
 
     constructor() {
-        this.router.get('/', asyncCatch(this.getUserInfo))
+        this.router.get('/', this.getUserInfo)
     }
 
     getUserInfo = async (req: express.Request, res: express.Response, next: express.NextFunction) => {

diff --git a/src/lib/base64url.ts b/src/lib/base64url.ts
@@ -0,0 +1,39 @@
+/*
+ *  Copyright 2022 Curity AB
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+export class Base64Url {
+
+    public static encode(input: Buffer): string {
+
+        return input.toString('base64')
+            .replace(/\+/g, '-')
+            .replace(/\//g, '_')
+            .replace(/=+$/g, '')
+    }
+
+    public static decode(input: string): Buffer {
+
+        const base64 = input
+            .replace(/-/g, '+')
+            .replace(/_/g, '/')
+
+        return Buffer.from(base64, 'base64')
+    }
+
+    public static decodeToString(input: string): string {
+        return Base64Url.decode(input).toString()
+    }
+}
diff --git a/src/lib/cookieEncrypter.ts b/src/lib/cookieEncrypter.ts
@@ -15,9 +15,9 @@
  */
 
 import crypto from 'crypto'
-import base64url from 'base64url';
 import {SerializeOptions, serialize} from 'cookie'
 import {CookieDecryptionException, InvalidCookieException} from '../lib/exceptions/index.js'
+import {Base64Url} from './base64url.js'
 
 const VERSION_SIZE = 1;
 const GCM_IV_SIZE = 12;
@@ -40,12 +40,12 @@ function encryptCookie(encKeyHex: string, plaintext: string): string {
 
     const allBytes = Buffer.concat([versionBytes, ivBytes, ciphertextBytes, tagBytes])
 
-    return base64url.encode(allBytes)
+    return Base64Url.encode(allBytes)
 }
 
 function decryptCookie(encKeyHex: string, encryptedbase64value: string): string {
 
-    const allBytes = base64url.toBuffer(encryptedbase64value)
+    const allBytes = Base64Url.decode(encryptedbase64value)
 
     const minSize = VERSION_SIZE + GCM_IV_SIZE + 1 + GCM_TAG_SIZE
     if (allBytes.length < minSize) {

diff --git a/src/lib/getToken.ts b/src/lib/getToken.ts
@@ -14,7 +14,6 @@
  *  limitations under the License.
  */
 
-import fetch from 'node-fetch'
 import {decryptCookie} from './cookieEncrypter.js'
 import {Grant} from './grant.js'
 import OAuthAgentConfiguration from './oauthAgentConfiguration.js'

diff --git a/src/lib/getUserInfo.ts b/src/lib/getUserInfo.ts
@@ -14,7 +14,6 @@
  *  limitations under the License.
  */
 
-import fetch from 'node-fetch'
 import {decryptCookie} from './cookieEncrypter.js'
 import {Grant} from './grant.js'
 import OAuthAgentConfiguration from './oauthAgentConfiguration.js'

diff --git a/src/lib/loginHandler.ts b/src/lib/loginHandler.ts
@@ -14,7 +14,6 @@
  *  limitations under the License.
  */
 
-import urlparse from 'url-parse'
 import {ClientOptions} from './clientOptions.js';
 import OAuthAgentConfiguration from './oauthAgentConfiguration.js';
 import {generateHash, generateRandomString} from './pkce.js';
@@ -51,37 +50,41 @@ export function createAuthorizationRequest(config: OAuthAgentConfiguration, opti
 
 export async function handleAuthorizationResponse(pageUrl?: string): Promise<any> {
 
-    const data = getUrlParts(pageUrl)
-
-    if (data.state && data.code) {
-
-        return {
-            code: data.code,
-            state: data.state,
-        }
+    const args = parseUrl(pageUrl)
+    if (!args) {
+        return {}
     }
 
-    if (data.state && data.error) {
+    const state = args.get('state') || ''
+    const code = args.get('code') || ''
+    const error = args.get('error') || ''
+
+    if (state && error) {
 
-        throw new AuthorizationResponseException(
-            data.error,
-            data.error_description || 'Login failed at the Authorization Server')
+        const errorDescription = args.get('error_description') || 'Login failed at the Authorization Server'
+        throw new AuthorizationResponseException(error, errorDescription)
     }
 
     return {
-        code: null,
-        state: null,
+        code,
+        state,
     }
 }
 
-function getUrlParts(url?: string): any {
-
-    if (url) {
-        const urlData = urlparse(url, true)
-        if (urlData.query) {
-            return urlData.query
+function parseUrl(urlString?: string): URLSearchParams | null {
+
+    try {
+
+        if (urlString) {
+
+            const url = new URL(urlString)
+            return new URLSearchParams(url.search)
         }
+
+    } catch {
+
+        console.log('Invalid URL received')
     }
 
-    return {}
+    return null
 }
diff --git a/src/middleware/exceptionMiddleware.ts b/src/middleware/exceptionMiddleware.ts
@@ -52,19 +52,3 @@ export default function exceptionMiddleware(
     }
     response.send(data)
 }
-
-/*
- * Unhandled promise rejections may not be caught properly
- * https://medium.com/@Abazhenov/using-async-await-in-express-with-node-8-b8af872c0016
- */
-export function asyncCatch(fn: any): any {
-
-    return (request: Request, response: Response, next: NextFunction) => {
-
-        Promise
-            .resolve(fn(request, response, next))
-            .catch((e) => {
-                exceptionMiddleware(e, request, response, next)
-            })
-    };
-}
diff --git a/src/server.ts b/src/server.ts
@@ -42,9 +42,8 @@ if (config.corsEnabled) {
 }
 
 app.use(cookieParser())
-app.use('*', express.json())
-app.use('*', loggingMiddleware)
-app.use('*', exceptionMiddleware)
+app.use('*_', express.json())
+app.use('*_', loggingMiddleware)
 app.set('etag', false)
 
 const controllers = {
@@ -59,6 +58,8 @@ for (const [path, controller] of Object.entries(controllers)) {
     app.use(config.endpointsPrefix + path, controller.router)
 }
 
+app.use('*_', exceptionMiddleware)
+
 if (config.serverCertPath) {
 
     const pfx = fs.readFileSync(config.serverCertPath);

diff --git a/test/end-to-end/idsvr/docker-compose.yml b/test/end-to-end/idsvr/docker-compose.yml
@@ -4,7 +4,7 @@ services:
   # A SQL database used by the Curity Identity Server
   #
   curity-data:
-    image: postgres:15.3
+    image: postgres:18.1
     hostname: dbserver
     volumes:
       - ./data-backup.sql:/docker-entrypoint-initdb.d/data-backup.sql

diff --git a/test/integration/claimsControllerTests.ts b/test/integration/claimsControllerTests.ts
@@ -1,5 +1,4 @@
 import {assert, expect} from 'chai';
-import fetch from 'node-fetch';
 import {config} from '../../src/config.js';
 import {performLogin} from './testUtils.js'
 import {OAuthAgentClaimsResponse, OAuthAgentErrorResponse} from "./responses.js";

diff --git a/test/integration/extensibilityTests.ts b/test/integration/extensibilityTests.ts
@@ -1,5 +1,4 @@
 import {assert, expect} from 'chai'
-import fetch from 'node-fetch'
 import {config} from '../../src/config.js'
 import {OauthAgentStartResponse} from "./responses.js";
 

diff --git a/test/integration/loginControllerTests.ts b/test/integration/loginControllerTests.ts
@@ -1,5 +1,4 @@
 import {assert, expect} from 'chai'
-import fetch, {RequestInit} from 'node-fetch';
 import {config} from '../../src/config.js'
 import {fetchStubbedResponse, performLogin, startLogin} from './testUtils.js'
 import {OAuthAgentEndResponse, OAuthAgentErrorResponse, OauthAgentStartResponse} from "./responses.js";

diff --git a/test/integration/logoutControllerTests.ts b/test/integration/logoutControllerTests.ts
@@ -1,5 +1,4 @@
 import {assert, expect} from 'chai'
-import fetch, {RequestInit} from 'node-fetch'
 import {config} from '../../src/config.js'
 import {getCookieString, performLogin} from './testUtils.js'
 import {OAuthAgentErrorResponse, OAuthAgentLogoutResponse} from "./responses.js";

diff --git a/test/integration/refreshTokenControllerTests.ts b/test/integration/refreshTokenControllerTests.ts
@@ -1,5 +1,4 @@
 import {assert, expect} from 'chai'
-import fetch, {RequestInit} from 'node-fetch'
 import {config} from '../../src/config.js'
 import {fetchStubbedResponse, getCookieString, performLogin} from './testUtils.js'
 import {OAuthAgentErrorResponse} from "./responses.js";