Digest: How to validate nonces without user?

Question

Digest: How to validate nonces without user?

holotrek opened this issue 7 years ago · 2 comments

In the Digest constructor the 1st function passes in the username, which is where you validate the user exists and then pass back the decrypted password. In the 2nd function, you can validate nonces to avoid replay attacks, but the only parameter passed in, beside the done function, is the params object containing the nonce, cnonce, nc, and opaque values.

I'm not sure how we're supposed to determine which user we're dealing within the nonce validation function. I assume the functions are asynchronous, so theoretically if more than one user is authenticating at the same time, I can't assume that the functions will be synchronously called for the same user and save off the user in a static variable somewhere.

Am I missing something? Thanks.

Answer 1 · 2017-09-23T00:51:34.000Z

Why would nonces be user-specific?

Answer 2 · 2017-09-23T01:56:32.000Z

I was going to say checking the incrementing nc for that user, but I guess I could compare it to the cnonce if I store those as pairs. Am I understanding that properly? Sorry, I have a limited understanding based on research and the wiki. Thanks!

…

On Sep 22, 2017 8:51 PM, "Jared Hanson" ***@***.***> wrote: Why would nonces be user-specific? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#71 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAsxjb9VnaeA0yz3I9Gydmdfu6F_AQB6ks5slFYWgaJpZM4PhSE5> .