Passport v0.5.0

This release improves Passport’s internals to avoid monkey patching Node.js core modules. In prior versions of Passport, the IncomingMessage class of the HTTP module was patched, adding login(), logIn(), logout(), logOut(), isAuthenticated(), and isUnauthenticated() functions to the prototype. While this technique does not typically cause any problems, it isn’t behavior that is expected from well-behaved modules existing in a broader ecosystem.

Given that, this technique is no longer applied in v0.5.0. Instead, these functions are added directly to req as they pass through middleware — specifically passport.initialize() middleware. This follows the patterns established by other Express middleware, such ascsurf.

Unless you are in an unusual situation where your application require()s Passport, but doesn’t actually use its middleware, this shouldn’t be a breaking change.

This releases also fixes a potential race condition in situations where passport.initialize() is used multiple times within an application with different values for the userProperty option.