chore: upgrade to express v5.x

[Tiuipuv]

PR Checklist

Please check if your PR fulfills the following requirements:

• The commit message follows our guidelines
• Tests for the changes have been added (for bug fixes / features)
• Docs have been added / updated (for bug fixes / features)

PR Type

What kind of change does this PR introduce?

• Bugfix
• Feature
• Code style update (formatting, local variables)
• Refactoring (no functional changes, no api changes)
• Adding Tests
• Build related changes
• CI related changes
• Documentation changes
• Other... Please describe:

What is the current behavior?

Currently, the package does not support express v5.

Issue Number: #89

What is the new behavior?

This allows installers to npm update express in their app to v5.X, resolving issues for all consumers who are working on (or have completed) the migration to the new version of express.

Does this PR introduce a breaking change?

• Yes
• No

Other information

Full breaking change checks were performed by running npx codemod@latest @expressjs/v5-migration-recipe (0 library files needed modification). Checked for remaining issues (not codemod fixable) from official express upgrade tutorial here.

After updating the e2e test server harness, Tests have fully passed for both v4.x and v5.x of express. Included 1 bug fix for authentication screens that require username to be submitted before the password prompt becomes available.

Reviewers

[Tiuipuv]

I have signed and submitted the cla to cla@okta.com. Should be all set!

[jaredperreault-okta]

@Tiuipuv Looking into this some more, I think for this change to make sense this needs to be a breaking change that moves express to a peer dependency

As written, this could cause npm to install version 5.x when the code written is expecting 4.x and could cause a unsuspected breakage

[Tiuipuv]

Yeah that's fair. Your core lib works with either, but your test harness depends on a specific version. I was thinking the lockfile has you covered there, but I could see it being dangerous/misleading for those who install w/o using the lockfile, or just maintaining the lockfile in general.

What are your thoughts on dropping express v4 and bumping this lib to 6.0.0?

[jaredperreault-okta]

What are your thoughts on dropping express v4 and bumping this lib to 6.0.0?

I'm in favor of this. This is pretty much what I was picturing

[Tiuipuv]

Ok cool, I'll work on that. Do you want me to update the Release status table in README.md to v6?

[jaredperreault-okta]

Yes, please

[Tiuipuv]

Alright, should be set. Restricted it down to just v5. Added a small blurb about migrating (almost no-one is affected unless they use removed features in the custom callback handlers), and also backfilled the migration guide for older versions based on what I saw in your git releases + old commit history.

[jaredperreault-okta]

@Tiuipuv I was picturing something like #99

[Tiuipuv]

Yeah makes sense. What are your thoughts on including the readme migration guide from this (v3 to v6) branch on yours? Adjusting the comment for v5 to v6 of course.

Following semver is quite helpful to have the migration guide to make sure a semver major is not breaking for my/a consumers app.

Also, it might be helpful for other contributors to add the await password field existence for e2e tests, as many tenants are configured to require a username submit first before the password field is shown on the dom.

Thanks for all your help and review on this!