Skip to content

Fix basic auth options type issue #584

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
thornjad merged 1 commit into from
Mar 24, 2020
Merged

Fix basic auth options type issue #584

thornjad merged 1 commit into from
Mar 24, 2020

Conversation

@swr1bm86
Copy link
Contributor

@swr1bm86 swr1bm86 commented Dec 3, 2019

Fixes #583

@swr1bm86 swr1bm86 force-pushed the basic-auth-options-compliance branch 2 times, most recently from 347d688 to 785e4f9 Compare December 3, 2019 20:17
@swr1bm86
Copy link
Contributor Author

swr1bm86 commented Dec 3, 2019

ping @thornjad

@thornjad thornjad added this to the v0.13.0 milestone Dec 11, 2019
@thornjad thornjad self-requested a review December 11, 2019 17:05
thornjad
thornjad requested changes Dec 13, 2019
View reviewed changes
Copy link
Member

@thornjad thornjad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great catch and fix! And great job with the tests!

lib/http-server.js
Comment on lines +111 to +115
var usernameEqual = secureCompare(options.username.toString(), credentials.name);
var passwordEqual = secureCompare(options.password.toString(), credentials.pass);
Copy link
Member

@thornjad thornjad Dec 13, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we also convert the credentials to strings? If the server were given a numeric password, as in the tests you added, the user will likely expect numeric to work. Or are we guaranteed to receive a string as credentials?

Copy link
Contributor Author

@swr1bm86 swr1bm86 Dec 13, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

from the definition of basic-auth which we use here to parse credentials, I think, yes, the credentials are guaranteed to be string :)

Copy link
Member

@thornjad thornjad Dec 16, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, perfect, that looks like it will always be a string! Could we just add in a comment here saying the same and/or why we need to use .toString() here? It could be added to the comment above the if, or a new comment within the if block?

Copy link
Contributor Author

@swr1bm86 swr1bm86 Dec 25, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ping @thornjad , sorry for the late replay, the comment is added, pls review again :)

Copy link
Member

@thornjad thornjad Dec 26, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Coule we also mention in the comment that credentials.name and credentials.pass will be strings, so we don't need to convert them to strings?

@thornjad thornjad added the minor version non-breaking, non-trivial change label Dec 13, 2019
@thornjad thornjad modified the milestones: v0.13.0, v0.12.2 Dec 22, 2019
@swr1bm86 swr1bm86 force-pushed the basic-auth-options-compliance branch from 785e4f9 to eaf82a5 Compare December 25, 2019 10:05
@thornjad thornjad self-requested a review December 26, 2019 15:03
thornjad
thornjad requested changes Dec 26, 2019
View reviewed changes
lib/http-server.js
Comment on lines +111 to +115
var usernameEqual = secureCompare(options.username.toString(), credentials.name);
var passwordEqual = secureCompare(options.password.toString(), credentials.pass);
Copy link
Member

@thornjad thornjad Dec 26, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Coule we also mention in the comment that credentials.name and credentials.pass will be strings, so we don't need to convert them to strings?

@swr1bm86 swr1bm86 force-pushed the basic-auth-options-compliance branch from eaf82a5 to 1361eb9 Compare December 28, 2019 08:53
@thornjad thornjad self-requested a review December 31, 2019 13:31
@swr1bm86 swr1bm86 force-pushed the basic-auth-options-compliance branch from 1361eb9 to cde6e5b Compare January 16, 2020 16:28
@swr1bm86
Copy link
Contributor Author

swr1bm86 commented Jan 16, 2020

ping @thornjad

@swr1bm86 swr1bm86 force-pushed the basic-auth-options-compliance branch from cde6e5b to bd36f7b Compare January 17, 2020 17:43
@thornjad thornjad merged commit f5854a6 into http-party:master Mar 24, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thornjad thornjad thornjad approved these changes

Assignees

No one assigned

Labels

minor version non-breaking, non-trivial change

Projects

None yet

Milestone

v0.12.2

Development

Successfully merging this pull request may close these issues.

Compliance for basic auth credentials

2 participants

@swr1bm86 @thornjad