Upgrade to Express 4 #1081

Closed
gvilarino opened this issue Oct 19, 2015 · 4 comments

@gvilarino
Member

Or higher. More precisely, higher than 4.13.3, as we can see in david, earlier versions have security issues.

For doing this, I'd advise reading this article on how to move to Express 4 from earlier versions, or more specifically: migrating to Express 4 from Express 3

Alternatively, we can go to the latest 3.y.z version, since there are security patches there as well, and upgrading to 4 will imply redoing part of our boot module, since many middlewares are no longer bundled with express itself (although it shouldn't be too much of a hassle).

@sachalifs
Contributor

👍

we should test all https features as well with this change

@gvilarino
Member Author

Agree. One thing to keep in mind is the following:

Our https-forcing mechanism relies on express-sslify which, in turn, some considerations to keep in mind.

  1. Express 4 will not work properly with redirection since express-sslify uses req.host instead of req.hostname to determine the URL for redirection and the url core module we use [uses on hostname as the property name](https://github.com/DemocracyOS/app/blob/1.0.0/lib/utils/index.js#L271). Double-check that before closing this issue.
  2. There is an open pull request that -if merged- will change express-sslify's API (i.e.: it will remove the boolean trap). Keep this in mind if bumping the dep; our lib/server-factory/ssl-redirect.js should be updated as well.
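
The redirect concern raised in the comment above, sketched as an added example that is not DemocracyOS or express-sslify code: a middleware that reads the hostname without depending on req.host and takes an options object instead of a positional boolean. The names forceHttps, resolveHostname and ALLOWED_HOSTS, and the allowlist check itself, are assumptions for illustration.

```javascript
// Added example; not DemocracyOS or express-sslify code.
// forceHttps, resolveHostname and ALLOWED_HOSTS are hypothetical names.

// Constructed allowlist: the hostnames this deployment actually serves.
const ALLOWED_HOSTS = new Set(['app.example.org']);

// Return the request hostname without a port. Express 4 exposes it as
// req.hostname; on older request objects fall back to the raw Host header,
// so the code never depends on req.host.
function resolveHostname(req) {
  if (typeof req.hostname === 'string') return req.hostname.toLowerCase();
  const raw = (req.headers && req.headers.host) || '';
  return raw.replace(/:\d+$/, '').toLowerCase();
}

// Options object instead of a positional boolean, so call sites stay readable.
function forceHttps(options) {
  const trustProxy = Boolean(options && options.trustProxy);
  return function httpsRedirect(req, res, next) {
    // Only honour X-Forwarded-Proto when the deployment sits behind a proxy.
    const viaTlsProxy =
      trustProxy && req.headers['x-forwarded-proto'] === 'https';
    if (req.secure || viaTlsProxy) return next();

    // The Host header is client-controlled: refuse unknown hosts instead of
    // echoing them into the Location header.
    const hostname = resolveHostname(req);
    if (!ALLOWED_HOSTS.has(hostname)) {
      res.statusCode = 400;
      return res.end('Bad Request');
    }
    // Plain concatenation keeps a path such as "//other.host/x" a path.
    // The port is dropped on purpose: HTTPS is assumed to be on 443.
    const target = 'https://' + hostname + (req.originalUrl || req.url || '/');
    res.writeHead(301, { Location: target });
    return res.end();
  };
}
```

Running the same requests through it before and after the Express bump is a quick way to confirm the Location header does not change.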

@gvilarino
Member Author

The aforementioned pull request is now merged, so we should keep an eye out for a newer release of express-sslify that will break our current usage.

@mjlescano mjlescano assigned mjlescano and unassigned mjlescano Oct 26, 2015
@sachalifs
Contributor

We'll upgrade on 2.0
