Document digest nonce validation callback

[vphantom]

There is no example for DigestStrategy's nonce validation callback right now, which makes it difficult to understand how complete the module's implementation is and if we're less secure if we don't supply such a callback. Also, we don't know what we should actually be doing in that callback, because the only example just returns true.

• Around line 182 of lib/passport-http/strategies/digest.js we see that if a validation callback wasn't provided, success is implied, so it appears that some extra verification can be added by this?
• In the JSDoc, it's unclear whether params.opaque now will become params.nonce later or if they're two different concepts.
• Internal function nonce() does seem to generate something unique, so I speculate that we might be safe against replays without a custom validation callback, but it's just an educated guess.

[jaredhanson]

Feel free to create an example to satisfy your requirements and add to the documentation as needed. Submit a PR and I'll merge it

Sent from my iPhone

On Apr 27, 2016, at 5:03 AM, Stéphane Lavergne notifications@github.com wrote:

There is no example for DigestStrategy's nonce validation callback right now, which makes it difficult to understand how complete the module's implementation is and if we're less secure if we don't supply such a callback. Also, we don't know what we should actually be doing in that callback, because the only example just returns true.

Around line 182 of lib/passport-http/strategies/digest.js we see that if a validation callback wasn't provided, success is implied, so it appears that some extra verification can be added by this?

In the JSDoc, it's unclear whether params.opaque now will become params.nonce later or if they're two different concepts.

Internal function nonce() does seem to generate something unique, so I speculate that we might be safe against replays without a custom validation callback, but it's just an educated guess.

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub

[vphantom]

I considered it, but currently I don't have a firm enough grasp on RFC 2617 to contribute this; my understanding of nonces is limited and I don't quite understand the presence of the validation callback in the first place. I'm just relieved that things do seem to change at every request without such a callback.

The one thing that could be really useful in the documentation, would be to state the purpose of the callback (I don't understand it) and to clarify that digests as implemented are already safe without providing one. This is my guess, not a fact though.