Just to clarify if it wasn't obvious from my first email: the unscrambled version uses comparison with type coercion (which works) while confirming this intent in the comments; and the scrambled version uses exact comparison, which fails. So - which one is right? And if the second one - what should I change for the comparison to work?
-----Original Message-----
From: Shtein, Ilya [mailto:[email protected]]
Sent: Thursday, May 27, 2010 3:41 PM
To: [email protected]
Subject: Security token comparison in rpc.js

Hello,

I am getting an "Invalid auth token" error when invoking function process(rpc). The values of auth token being compared are the same, but one is a number, and the other (previously stored) is a string. Here is what I found by looking at rpc.js (full, unscrambled version) in the version of Shindig we're using (shindig-1.1-BETA5-incubating):

    // Validate auth token.
    if (authToken[rpc.f]) {
      // We allow type coercion here because all the url params are strings.
      if (authToken[rpc.f] != rpc.t) {
        throw new Error("Invalid auth token.");
      }
    }

Please note the comment about type coercion and the use of "!=" operator - this should work, right? But in rpc.opt.js:

    if(J[j.f]){if(J[j.f]!==j.t){throw new Error("Invalid auth token. "+J[j.f]+" vs "+j.t)

And obviously, this fails (because that's what's used to render gadgets)! Should I assume that rpc.js represents the intent properly (just by looking at the comment) and the "!==" is in rpc.opt.js by some mistake?

Thanks,
Ilya

_____________
The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.
_____________
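
The two comparisons quoted in the message above, side by side, as an added example that is not part of the original thread or of Shindig's code. The function names, the sample token values and the normalizing variant are assumptions made for illustration; the variant shows one way to accept a string/number pair without relying on the other conversions that "!=" performs.

```javascript
// Constructed sample: the stored token is a string (it came from a URL
// parameter), the incoming one was parsed as a number.
const stored = "12345";
const incoming = 12345;

// Loose comparison, as in the rpc.js snippet quoted above.
function matchesLoose(a, b) { return a == b; }

// Strict comparison, as in the rpc.opt.js snippet quoted above.
function matchesStrict(a, b) { return a === b; }

// Hypothetical alternative: accept only strings and finite numbers,
// convert both sides to strings, then compare strictly.
function matchesNormalized(a, b) {
  const ok = (v) =>
    typeof v === "string" || (typeof v === "number" && Number.isFinite(v));
  if (!ok(a) || !ok(b)) return false;
  return String(a) === String(b);
}

// Runs all three comparisons over constructed token pairs.
function report() {
  const cases = [
    [stored, incoming],  // same value, different types (the case in the email)
    ["0", 0],            // same value, different types
    ["", 0],             // "==" converts "" to 0
    ["1e3", 1000],       // "==" parses exponent notation
    [" 42 ", 42],        // "==" ignores surrounding whitespace
    ["12345", "12346"],  // different tokens
  ];
  return cases.map(([a, b]) => ({
    a, b,
    loose: matchesLoose(a, b),
    strict: matchesStrict(a, b),
    normalized: matchesNormalized(a, b),
  }));
}

console.table(report());
```
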
