Posted to dev@shindig.apache.org by "Shtein, Ilya" <Il...@fisglobal.com> on 2010/05/27 22:40:35 UTC

Security token comparison in rpc.js

Hello,


I am getting an "Invalid auth token" error when invoking function
process(rpc). The values of auth token being compared are the same, but
one is a number, and the other (previously stored) is a string. Here is
what I found by looking at rpc.js (full, unscrambled version) in the
version of Shindig we're using (shindig-1.1-BETA5-incubating):

// Validate auth token.
if (authToken[rpc.f]) {
    // We allow type coercion here because all the url params are strings.
    if (authToken[rpc.f] != rpc.t) {
        throw new Error("Invalid auth token.");
    }
}

Please note the comment about type coercion and the use of "!=" operator
- this should work, right?

But in rpc.opt.js:

if(J[j.f]){if(J[j.f]!==j.t){throw new Error("Invalid auth token. "+J[j.f]+" vs "+j.t)

And obviously, this fails (because that's what's used to render
gadgets)!

Should I assume that rpc.js represents the intent properly (just by
looking at the comment) and the "!==" is in rpc.opt.js by some mistake?


Thanks,

Ilya

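An added example, not code from the Shindig project or from the post above, that reproduces the three comparison behaviours in plain JavaScript: the loose check quoted from rpc.js, the strict check quoted from rpc.opt.js, and a check that normalises both sides to strings explicitly before comparing strictly. The token values and the shape of the authToken table and rpc object are constructed for the demo; only the field names f and t follow the quoted snippet.

```javascript
// Constructed sample inputs: the stored token was kept as a number,
// the one arriving from the URL params is a string (as the rpc.js comment notes).
const STORED_NUMERIC_TOKEN = 1234567;
const URL_TOKEN = '1234567';

// Loose comparison, as in the unscrambled rpc.js quoted in the post.
// JS coerces the operands, so a number and a string of the same digits match.
function isValidLoose(stored, received) {
  return stored == received;
}

// Strict comparison, as in the rpc.opt.js quoted in the post.
// Operands of different types never match, which is the reported failure.
function isValidStrict(stored, received) {
  return stored === received;
}

// Normalising comparison (suggested alternative, not Shindig code):
// reject missing or empty values, coerce both sides to strings on purpose,
// then compare strictly so no implicit coercion rules apply.
function isValidNormalized(stored, received) {
  if (stored === undefined || stored === null) return false;
  if (received === undefined || received === null) return false;
  const a = String(stored);
  const b = String(received);
  if (a.length === 0 || b.length === 0) return false;
  return a === b;
}

// Mirrors the validation block from the post for a given comparison function.
// authToken is the per-frame token table, rpc.f the frame id, rpc.t the received token.
function validateRpc(authToken, rpc, compare) {
  if (authToken[rpc.f]) {
    if (!compare(authToken[rpc.f], rpc.t)) {
      throw new Error('Invalid auth token.');
    }
  }
  return true;
}

// Illustrates why relying on loose equality is risky for a security check:
// these pairs compare equal under == even though they are clearly not the same token.
function looseSurprises() {
  return {
    zeroVsEmpty: 0 == '',               // true
    zeroVsStringZero: 0 == '0',         // true
    nullVsUndefined: null == undefined, // true
  };
}

// Stand-alone demo run.
const table = { frame1: STORED_NUMERIC_TOKEN };
const rpc = { f: 'frame1', t: URL_TOKEN };
console.log('loose:', validateRpc(table, rpc, isValidLoose));
try {
  validateRpc(table, rpc, isValidStrict);
} catch (e) {
  console.log('strict:', e.message);
}
console.log('normalized:', validateRpc(table, rpc, isValidNormalized));
console.log('loose surprises:', looseSurprises());
```

Two caveats worth noting from the quoted code itself: loose equality makes 0 == '' and 0 == '0' true, so an explicit String() normalisation is the safer way to get the behaviour the rpc.js comment intends, and the outer truthiness guard (if (authToken[rpc.f])) skips validation entirely when the stored token is 0 or an empty string, whichever comparison operator is used.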