Code Monkey home page Code Monkey logo

Comments (2)

jaredhanson avatar jaredhanson commented on September 25, 2024

Feel free to create an example to satisfy your requirements and add to the documentation as needed. Submit a PR and I'll merge it

Sent from my iPhone

On Apr 27, 2016, at 5:03 AM, Stéphane Lavergne [email protected] wrote:

There is no example for DigestStrategy's nonce validation callback right now, which makes it difficult to understand how complete the module's implementation is and if we're less secure if we don't supply such a callback. Also, we don't know what we should actually be doing in that callback, because the only example just returns true.

Around line 182 of lib/passport-http/strategies/digest.js we see that if a validation callback wasn't provided, success is implied, so it appears that some extra verification can be added by this?

In the JSDoc, it's unclear whether params.opaque now will become params.nonce later or if they're two different concepts.

Internal function nonce() does seem to generate something unique, so I speculate that we might be safe against replays without a custom validation callback, but it's just an educated guess.


You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub

from passport-http.

vphantom avatar vphantom commented on September 25, 2024

I considered it, but currently I don't have a firm enough grasp on RFC 2617 to contribute this; my understanding of nonces is limited and I don't quite understand the presence of the validation callback in the first place. I'm just relieved that things do seem to change at every request without such a callback.

The one thing that could be really useful in the documentation, would be to state the purpose of the callback (I don't understand it) and to clarify that digests as implemented are already safe without providing one. This is my guess, not a fact though.

from passport-http.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.