Comments (2)
Feel free to create an example to satisfy your requirements and add to the documentation as needed. Submit a PR and I'll merge it.
Sent from my iPhone
On Apr 27, 2016, at 5:03 AM, Stéphane Lavergne [email protected] wrote:
There is no example for DigestStrategy's nonce validation callback right now, which makes it difficult to understand how complete the module's implementation is and if we're less secure if we don't supply such a callback. Also, we don't know what we should actually be doing in that callback, because the only example just returns true.
Around line 182 of lib/passport-http/strategies/digest.js we see that if a validation callback wasn't provided, success is implied, so it appears that some extra verification can be added by this?
In the JSDoc, it's unclear whether params.opaque now will become params.nonce later or if they're two different concepts.
Internal function nonce() does seem to generate something unique, so I speculate that we might be safe against replays without a custom validation callback, but it's just an educated guess.
I considered it, but currently I don't have a firm enough grasp on RFC 2617 to contribute this; my understanding of nonces is limited and I don't quite understand the presence of the validation callback in the first place. I'm just relieved that things do seem to change at every request without such a callback.
The one thing that could be really useful in the documentation would be to state the purpose of the callback (I don't understand it) and to clarify that digests as implemented are already safe without providing one. This is my guess, not a fact though.
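The thread above asks what the DigestStrategy nonce validation callback is for. In HTTP Digest (RFC 2617) the server recomputes the response hash from the nonce, nonce count (nc) and cnonce that arrive in the client's Authorization header, so a request captured and replayed verbatim verifies exactly as the original did; the only thing that can catch the repeat is server-side bookkeeping on the nonce and nc, and this callback is where passport-http gives application code that chance. The block below is an added example and is not code from passport-http or from anyone in the thread. Only the callback shape, function (params, done), and the params fields nonce, cnonce, nc and opaque are taken from the project's README; NonceTracker, makeValidate, lookupUser, the lifetimes, and the policy itself are this example's assumptions, as is the premise that the strategy is configured with qop 'auth' so every request carries an nc.

```javascript
'use strict';

// Added example, not code from passport-http: a nonce validation callback for
// DigestStrategy. Only the callback shape, function (params, done), and the
// params fields nonce, cnonce, nc and opaque come from passport-http's README;
// the policy below is this example's own and assumes the strategy is
// configured with qop 'auth', so every request carries a nonce count.

const DEFAULT_TTL_MS = 5 * 60 * 1000;            // assumed: a nonce is usable for 5 minutes
const DEFAULT_REMEMBER_MS = 24 * 60 * 60 * 1000; // assumed: keep expired nonces on file for a day

function isNonEmpty(s) {
  return typeof s === 'string' && s.length > 0;
}

class NonceTracker {
  constructor(opts = {}) {
    this.ttlMs = opts.ttlMs || DEFAULT_TTL_MS;
    this.rememberMs = opts.rememberMs || DEFAULT_REMEMBER_MS;
    this.now = opts.now || Date.now;   // injectable clock for deterministic tests
    this.seen = new Map();             // nonce -> { firstSeen, lastNc }
  }

  // Returns true when the request may proceed and false when the strategy
  // should re-challenge. DigestStrategy mints challenge nonces internally and
  // does not hand them to application code, so this tracker cannot verify
  // issuance; instead a nonce is accepted on first sight only with nc 00000001,
  // and afterwards nc must strictly increase until the nonce's lifetime is over.
  check(params) {
    if (!isNonEmpty(params.nonce) || !isNonEmpty(params.cnonce)) return false;
    if (!/^[0-9a-f]{8}$/i.test(params.nc || '')) return false; // nc is 8 hex digits per RFC 2617
    const nc = parseInt(params.nc, 16);
    const t = this.now();
    this.sweep(t);

    const entry = this.seen.get(params.nonce);
    if (!entry) {
      if (nc !== 1) return false;      // unknown nonce with a high count: stale or replayed
      this.seen.set(params.nonce, { firstSeen: t, lastNc: nc });
      return true;
    }
    if (t - entry.firstSeen > this.ttlMs) return false; // past its lifetime: force a fresh challenge
    if (nc <= entry.lastNc) return false;               // same or lower count: replayed request
    entry.lastNc = nc;
    return true;
  }

  // Forget a nonce only after the remember window, so a replay of its first
  // request is still refused long after the nonce stopped being usable.
  sweep(t) {
    for (const [nonce, e] of this.seen) {
      if (t - e.firstSeen > this.rememberMs) this.seen.delete(nonce);
    }
  }
}

// Adapter in the (params, done) shape DigestStrategy expects for its third argument.
function makeValidate(tracker) {
  return function validate(params, done) {
    let ok;
    try {
      ok = tracker.check(params);
    } catch (err) {
      return done(err);
    }
    done(null, ok);
  };
}

// Wiring, assumed to mirror the README (lookupUser is the usual secret callback):
//   passport.use(new DigestStrategy({ qop: 'auth' }, lookupUser, makeValidate(new NonceTracker())));

// Constructed sample: two legitimate requests on one nonce, then a replay of the second.
const demoValidate = makeValidate(new NonceTracker());
const demoBase = { nonce: 'c0ffee00deadbeef', cnonce: '0a4f113b', opaque: 'opq' };
for (const nc of ['00000001', '00000002', '00000002']) {
  demoValidate({ ...demoBase, nc }, (err, ok) => console.log('nc=' + nc, err ? err : ok));
}
```

The residual caveat is visible in the design: once the tracker has forgotten a nonce, a replay of the very first request (nc 00000001) looks like a fresh client, because the nonces the strategy mints carry nothing the callback could check for issuance time. The remember window only makes that replay expensive to wait for; a deployment that needs a hard guarantee must persist the tracker (or share it across instances) rather than keep it in process memory.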