-
-
Notifications
You must be signed in to change notification settings - Fork 232
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix/typings: Remove Readonly<T> from AuthenticateHandler params #630
base: main
Are you sure you want to change the base?
fix/typings: Remove Readonly<T> from AuthenticateHandler params #630
Conversation
This commit removes the Readonly<T> wrappings around the `username` and `password` params to the `AuthenticateHandler` interface, which were added in moscajs#596. The motivation for this change is that when `password` is `Readonly<Buffer>`, the type is incompatible with `crypto.timingSafeEqual`, which is the function Aedes users should be using to compare raw, sensitive buffers with each other. Because `Readonly<Buffer>` is incompatible with `crypto.timingSafeEqual`, users end up having to cast with `password as Buffer`, which largely defeats the purpose of marking it `Readonly` in the first place and introduces casting in security-related areas of the code where it's not really needed in the first place. The error it gives is: No overload matches this call. Overload 1 of 2, '(a: ArrayBufferView, b: ArrayBufferView): boolean', gave the following error. Argument of type 'Readonly<Buffer>' is not assignable to parameter of type 'ArrayBufferView'. Type 'Readonly<Buffer>' is missing the following properties from type 'Float32Array': [Symbol.iterator], [Symbol.toStringTag] Overload 2 of 2, '(a: ArrayBufferView, b: ArrayBufferView): boolean', gave the following error. Argument of type 'Readonly<Buffer>' is not assignable to parameter of type 'ArrayBufferView'.ts(2769) Removing it from `username` has no effect, because strings are already immutable in JavaScript, and TypeScript will automatically treat it as if it were just `string`.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Pull Request Test Coverage Report for Build 793693562
💛 - Coveralls |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Even though i understand the intent of marking them as Readonly, i also had the same typing problem.
I think @gnought introduced this type change few weeks ago, it would be nice to have his opinion before merging. |
@mcollina Thoughts? |
This commit removes the Readonly wrappings around the
username
andpassword
params to theAuthenticateHandler
interface, which were added in #596.The motivation for this change is that when
password
isReadonly<Buffer>
, the type is incompatible withcrypto.timingSafeEqual
, which is the function Aedes users should be using to compare raw, sensitive buffers with each other.Because
Readonly<Buffer>
is incompatible withcrypto.timingSafeEqual
, users end up having to cast withpassword as Buffer
, which largely defeats the purpose of marking itReadonly
in the first place and introduces casting in security-related areas of the code where it's not really needed in the first place.The error it gives is:
Removing it from
username
has no effect, because strings are already immutable in JavaScript, and TypeScript will automatically treat it as if it were juststring
.