Document digest nonce validation callback #57
Comments
Feel free to create an example to satisfy your requirements and add to the documentation as needed. Submit a PR and I'll merge it.

Sent from my iPhone

I considered it, but currently I don't have a firm enough grasp on RFC 2617 to contribute this; my understanding of nonces is limited and I don't quite understand the presence of the validation callback in the first place. I'm just relieved that things do seem to change at every request without such a callback. The one thing that could be really useful in the documentation would be to state the purpose of the callback (I don't understand it) and to clarify that digests as implemented are already safe without providing one. This is my guess, not a fact though.
There is no example for DigestStrategy's nonce validation callback right now, which makes it difficult to understand how complete the module's implementation is and whether we're less secure if we don't supply such a callback. Also, we don't know what we should actually be doing in that callback, because the only example just returns true.

In `lib/passport-http/strategies/digest.js` we see that if a validation callback wasn't provided, success is implied, so it appears that some extra verification can be added by this? `params.opaque` now will become `params.nonce` later, or if they're two different concepts. `nonce()` does seem to generate something unique, so I speculate that we might be safe against replays without a custom validation callback, but it's just an educated guess.
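An added example of what a nonce validation callback can actually check. This is not code from passport-http or from anyone in this thread. It assumes (not confirmed by the page) that the strategy's third argument receives a `params` object carrying the client's `nonce` and `nc` (nonce-count) values from the `Authorization` header and reports the verdict as `done(err, valid)`. The check that a random server nonce alone cannot give you is the one RFC 2617 intends the nonce-count for: for a given nonce, the `nc` a client presents must strictly increase, so a captured request replayed verbatim (same nonce, same `nc`) is rejected, and stale nonces are dropped after a TTL.

```javascript
'use strict';

// Added example, not passport-http code. The `params` shape (`nonce`, `nc`)
// and the `done(err, valid)` callback signature are assumptions.

const NONCE_TTL_MS = 5 * 60 * 1000;   // drop server-side records after 5 minutes
const NC_RE = /^[0-9a-fA-F]{8}$/;     // RFC 2617: nc is exactly 8 hex digits

// Per-process record of nonces clients have presented: nonce -> { firstSeen, lastNc }.
// Replace with a shared store (e.g. Redis) if more than one process serves requests.
const seen = new Map();

// Synchronous core so it can be tested directly; `now` is injectable.
// Returns true if the request is accepted, false if it looks like a replay
// or the fields are malformed.
function checkNonce(store, params, now = Date.now()) {
  if (!params || typeof params.nonce !== 'string' || params.nonce.length === 0) return false;
  if (typeof params.nc !== 'string' || !NC_RE.test(params.nc)) return false;

  const nc = parseInt(params.nc, 16);
  if (nc === 0) return false;        // counts start at 00000001

  // Evict expired nonces so the store cannot grow without bound.
  for (const [nonce, rec] of store) {
    if (now - rec.firstSeen > NONCE_TTL_MS) store.delete(nonce);
  }

  const rec = store.get(params.nonce);
  if (!rec) {
    // First time this nonce is presented: remember it and its count.
    store.set(params.nonce, { firstSeen: now, lastNc: nc });
    return true;
  }

  // Same nonce again: the nonce-count must strictly increase, otherwise this
  // is a replay of an earlier request (or a client reusing a count).
  if (nc <= rec.lastNc) return false;
  rec.lastNc = nc;
  return true;
}

// Callback-style wrapper in the (assumed) shape of the strategy's validate argument.
function validateNonce(params, done) {
  try {
    done(null, checkNonce(seen, params));
  } catch (err) {
    done(err);
  }
}

// Constructed demo: a legitimate sequence followed by a verbatim replay.
if (typeof require !== 'undefined' && require.main === module) {
  const demo = new Map();
  const t0 = 1700000000000;
  console.log(checkNonce(demo, { nonce: 'n1', nc: '00000001' }, t0));        // true
  console.log(checkNonce(demo, { nonce: 'n1', nc: '00000002' }, t0 + 500));  // true
  console.log(checkNonce(demo, { nonce: 'n1', nc: '00000002' }, t0 + 900));  // false (replay)
}
```

Because the callback only sees a nonce once a client presents it, this bounds replay of a captured request but does not prove the nonce was issued by this server; that stricter property would require recording nonces at challenge time, which this callback alone cannot do.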