Merging latest wip/api-modules changes #48

Merged (5 commits) on Jul 23, 2014

Conversation

brianhanifin (Contributor):

No description provided.

This change causes the server to crash if the API_SECRET environment
variable has a value whose length is less than MIN_PASSPHRASE_LENGTH
characters.
The default MIN_PASSPHRASE_LENGTH is 12, so if the API_SECRET variable
is set but less than 12 characters long, the server will crash.

security/privacy review needed
==============================
The API_SECRET is used as a pass phrase in order to generate a unique
token.

The api routes always try to mount themselves.  Before mounting
sensitive routes that allow modifying the application, the secret
token is required to validate the request, or the request is denied.

When the secret token is absent, the sensitive routes should return
404, and should not be mounted.

This change attempts to eliminate some dangerous middle ground between
having a secured api, having a weakly secured api, believing a secure
api is mounted and working when none is, and not having a secure api
mounted.

The only choices available should be:

* secure api mounted
* secure api not mounted

This change hopefully constrains the possibilities to those two
options.
Also some minor clean up of log output during tests.
brianhanifin added a commit that referenced this pull request Jul 23, 2014
Merging latest wip/api-modules changes
brianhanifin merged commit b870117 into feature/settings-ui on Jul 23, 2014
bewest deleted the wip/api-modules branch on July 23, 2014 00:35
sulkaharo pushed a commit that referenced this pull request Aug 28, 2019