Rewrite and test Github auth logic, separating standard and search quota #1205
Conversation
paulmelnikow
added
bug
# Conflicts: # lib/github-auth.js # package-lock.json # package.json # server.js
# Conflicts: # package-lock.json # package.json
# Conflicts: # package-lock.json
paulmelnikow
changed the title
# Conflicts: # lib/github-auth.js
# Conflicts: # lib/github-auth.js # package-lock.json # package.json # server.js
|
I'm eager to get this shipped, though I'm hesitant to do it until I get access to logs… |
lib/github-auth/acceptor.js
Outdated
| })); | ||
| } | ||
|
|
||
| function constEq(a, b) { |
There was a problem hiding this comment.
I'm new to node in general but why not use crypto.timingSafeEqual(a, b) instead?
There was a problem hiding this comment.
I didn't write this, just moved it. Yes, happy to switch that over. It seems like that solves the same problem.
This was designed as part of a rewrite of the Github auth code in #1205 which is stalled because I don't want to deploy it without access to server logs. The need for token rotation came up recently in #541, so I picked up this code, removed the github-specific bits, and pulled it in. Ordinarily I wouldn't merge helper code without a use, though sadly it seems like the best way to move forward this rewrite.
|
Since we have access to errors through Sentry, I think I will revive this and see if we can't nudge it forward. |
paulmelnikow
removed
the
on-hold
| @@ -23,21 +22,28 @@ class FsTokenPersistence extends TokenPersistence { | |||
| } | |||
|
|
|||
| const tokens = JSON.parse(contents) | |||
| tokens.forEach(tokenString => { | |||
| githubAuth.addGithubToken(tokenString) | |||
| }) | |||
There was a problem hiding this comment.
My first time looking at this part of the code, but it looks like this change here decouples this persistence engine from github specifics, which creates the possibility of this being reusable for other services?
I've no idea if there's a similar need in other services, but 👍 either way!
| expected.push(newToken) | ||
|
|
||
| await persistence.initialize() | ||
| githubAuth.addGithubToken(newToken) | ||
| await persistence.noteTokenAdded(newToken) |
There was a problem hiding this comment.
i know that the function name noteTokenAdded here wasn't something modified in this PR, but it felt a little strange to me. seeing this for the first time I wasn't clear what exactly the function does from the name
There was a problem hiding this comment.
Should we change it to add()?
There was a problem hiding this comment.
Yeah I'd vote for add() or addToken() (and definitely add() if we can/will add things other than tokens)
|
I've made it through my first pass and added some inline comments. Although beware, there are more questions for my own understanding than there is useful feedback for you 😁 |
Avoiding knowledge bottlenecks is fully half of why we do this :) |
|
I think this is good to go, will do another pass here in a bit and approve |
| body: { shieldsSecret: fakeShieldsSecret, token: fakeAccessToken }, | ||
| }) | ||
|
|
||
| expect(onTokenAccepted).to.have.been.calledWith(fakeAccessToken) |
|
Thanks so much! Will be glad to close this out… and see if it really works. Let’s one of us tackle the renames in a follow-on. |
|
I'll merge and deploy this in the afternoon when we get past peak usage time, in case anything breaks. |
The TokenProvider abstraction was refactored away during #1205 and is now obsolete. Other users of token pooling should use TokenPool and TokenPersistence directly.
The TokenProvider abstraction was refactored away during #1205 and is now obsolete. Other users of token pooling should use TokenPool and TokenPersistence directly.
Summary:
Todo:
lib/github-auth.jsTo handle in follow on work:
Token