Hi Ilya: This was fixed a while back in the mainline of Shindig, by explicitly casting params to Strings (in setAuthToken), then doing an exact comparison in process().
@see http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/rpc/rpc.js for the relevant snippets.

--j

On Thu, May 27, 2010 at 1:49 PM, Shtein, Ilya <[email protected]> wrote:

> Just to clarify if it wasn't obvious from my first email: the
> unscrambled version uses comparison with type coercion (which works)
> while confirming this intent in the comments; and the scrambled version
> uses exact comparison, which fails.
> So - which one is right? And if the second one - what should I change
> for the comparison to work?
>
> -----Original Message-----
> From: Shtein, Ilya [mailto:[email protected]]
> Sent: Thursday, May 27, 2010 3:41 PM
> To: [email protected]
> Subject: Security token comparison in rpc.js
>
> Hello,
>
> I am getting an "Invalid auth token" error when invoking function
> process(rpc). The values of auth token being compared are the same, but
> one is a number, and the other (previously stored) is a string. Here is
> what I found by looking at rpc.js (full, unscrambled version) in the
> version of Shindig we're using (shindig-1.1-BETA5-incubating):
>
>     // Validate auth token.
>     if (authToken[rpc.f]) {
>       // We allow type coercion here because all the url params are strings.
>       if (authToken[rpc.f] != rpc.t) {
>         throw new Error("Invalid auth token.");
>       }
>     }
>
> Please note the comment about type coercion and the use of "!=" operator
> - this should work, right?
>
> But in rpc.opt.js:
>
>     if(J[j.f]){if(J[j.f]!==j.t){throw new Error("Invalid auth token. "+J[j.f]+" vs "+j.t)
>
> And obviously, this fails (because that's what's used to render
> gadgets)!
>
> Should I assume that rpc.js represents the intent properly (just by
> looking at the comment) and the "!==" is in rpc.opt.js by some mistake?
>
> Thanks,
> Ilya
>
> _____________
> The information contained in this message is proprietary and/or
> confidential. If you are not the intended recipient, please: (i) delete
> the message and all copies; (ii) do not disclose, distribute or use the
> message in any manner; and (iii) notify the sender immediately. In
> addition, please be aware that any message addressed to our domain is
> subject to archiving and review by persons other than the intended
> recipient. Thank you.
> _____________
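The comparison behaviour discussed in this thread, as an added example that is not Shindig's code: a minimal stand-in for the setAuthToken / process(rpc) pair (all names below are hypothetical) that reproduces the number-versus-string mismatch, shows why the strict comparison in rpc.opt.js rejected it, and applies the fix from the reply (cast to String when the token is stored, then compare exactly). The last two functions show why the explicit cast plus === is preferable to relying on != : loose equality converts strings with ToNumber, so several different strings would all "match" a numeric token.

```javascript
// Added example, not Shindig's own code. Hypothetical stand-ins for the
// setAuthToken / process(rpc) pair described in the thread.

const storedAsIs = {};     // old behaviour: token kept with whatever type it arrived in
const storedAsString = {}; // fixed behaviour: token kept as a String

function setAuthTokenOld(targetId, token) {
  storedAsIs[targetId] = token;
}

function setAuthTokenFixed(targetId, token) {
  storedAsString[targetId] = String(token); // explicit cast, as in the fix
}

// Loose comparison, as in the unscrambled rpc.js of 1.1-BETA5: the number
// 12345 and the string "12345" compare equal, so the type mix is masked.
function processLoose(rpc) {
  if (storedAsIs[rpc.f] !== undefined && storedAsIs[rpc.f] != rpc.t) {
    throw new Error('Invalid auth token.');
  }
  return true;
}

// Strict comparison without the cast, as in the quoted rpc.opt.js: the same
// number/string mix now fails, which is the error reported in the thread.
function processStrictNoCast(rpc) {
  if (storedAsIs[rpc.f] !== undefined && storedAsIs[rpc.f] !== rpc.t) {
    throw new Error('Invalid auth token.');
  }
  return true;
}

// Fixed: both sides are Strings, so === is exact and no coercion is involved.
function processFixed(rpc) {
  if (storedAsString[rpc.f] !== undefined && storedAsString[rpc.f] !== String(rpc.t)) {
    throw new Error('Invalid auth token.');
  }
  return true;
}

// Loose equality applies ToNumber to the string side, so "0x10", " 16 " and
// "16.0" all == 16. Returns the candidates that loosely match the token.
function matchesLoose(token, candidates) {
  return candidates.filter((c) => c == token);
}

// Exact match after an explicit String() cast: only "16" matches 16.
function matchesStrictString(token, candidates) {
  return candidates.filter((c) => c === String(token));
}

// Note: the original guard is `if (authToken[rpc.f])`, a truthiness test, so
// a falsy stored token (0 or "") would skip validation entirely; the
// functions above test for undefined instead.
```

Run with node; the functions return true on a valid token and throw 'Invalid auth token.' otherwise, so they can be dropped into a test harness directly.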
