Question: is it safe to forward {:error, message} from parse_token to the HTTP client?
Closed this issue · 2 comments
mfilej commented
Apologies for opening an issue just for a question.
When using parse_token inside a Plug, I'm wondering whether I need to match on the message returned in an {:error, message} tuple, or is it safe to just forward the message as part of the HTTP response? Would I be giving away too much in this case?
Ianleeclark commented
Realistically they're not going to be able to do anything with the information given the strength of the algorithms, but I personally wouldn't do it. I would just throw it in a with statement, and, on exception/error tuple thing, just return "Authorization failed."
A lot of the errors will be impenetrable for the user:
* "Signing Failure" -- the hell is that?
* "Only v1 or v2 version allowed" -- what are versions?
* etc.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
Miha Filej ***@***.***> wrote on Tuesday, 21 December 2021 at 08:46:
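One way to apply the `with` approach suggested above, as an added example that is not code from the library or from anyone in this thread: a Plug that calls parse_token, logs the specific reason server-side, and sends the client only a fixed 401 body. It assumes the library module is `Paseto` with `Paseto.parse_token/2` taking `(token, key)` and returning `{:ok, token} | {:error, reason}`, and that the key lives in application config under `:my_app, :paseto_key`; the `bearer_token/1` helper and module name are constructed for the example.

```elixir
defmodule MyApp.Plugs.RequireToken do
  @moduledoc """
  Added example plug (not part of the library). Extracts a bearer token,
  runs parse_token/2 inside a `with`, and on any {:error, reason} replies
  with a generic 401 while keeping the detailed reason in the server log.
  Assumed: `Paseto.parse_token(token, key)` returns {:ok, _} | {:error, _};
  the key is read from config under :my_app, :paseto_key.
  """
  import Plug.Conn
  require Logger

  @behaviour Plug

  @impl true
  def init(opts), do: opts

  @impl true
  def call(conn, _opts) do
    key = Application.fetch_env!(:my_app, :paseto_key)

    with {:ok, raw} <- bearer_token(conn),
         {:ok, token} <- Paseto.parse_token(raw, key) do
      assign(conn, :current_token, token)
    else
      {:error, reason} ->
        # The specific failure ("Signing Failure", version mismatch, ...)
        # goes to the log; the client only ever sees the fixed message.
        Logger.info("token rejected: #{inspect(reason)}")

        conn
        |> put_resp_header("www-authenticate", ~s(Bearer realm="api"))
        |> send_resp(401, "Authorization failed.")
        |> halt()
    end
  end

  # Constructed helper: read the token from `Authorization: Bearer <token>`.
  defp bearer_token(conn) do
    case get_req_header(conn, "authorization") do
      ["Bearer " <> token] when token != "" -> {:ok, token}
      _ -> {:error, :missing_bearer_token}
    end
  end
end
```

Mount it in a router pipeline with `plug MyApp.Plugs.RequireToken`; if you later decide the detailed message is appropriate for your API consumers, the single `send_resp/3` line is the one place to change.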
mfilej commented
Thanks for the quick response, I appreciate your help.
I was being too vague -- in our case the user is a developer coding against our API, so seeing "wrong version" might actually be helpful here. If there are no significant downsides then I'm leaning towards returning the message together with a 401 response.
In either case I'm closing this issue since it was just a question. 🙂