Create a way to only process Sandstorm headers if Sandstorm environment variable is set

Question

Create a way to only process Sandstorm headers if Sandstorm environment variable is set

paulproteus opened this issue 9 years ago · 4 comments

paulproteus commented 9 years ago

Steps to reproduce:

Find some app that has this package installed, but is deployed on appname.meteor.com
Send the X-Sandstorm-User-Id header to the app along with other Sandstorm auth headers

Expected behavior:

Nothing, since the app is not on Sandstorm.

Actual behavior:

The app would create a new account, even though it's not running within Sandstorm, which is very likely not what the person using this Meteor package intended.

Suggested fix:

Adjust meteor-accounts-sandstorm so that it checks if (process.env.SANDSTORM === "1") before respecting Sandstorm headers.
Bump the major version number to indicate backwards incompatible change.

I can't think of another way to fail-closed, but happy to hear other options. @kentonv looking for your +1 or -1.

(NOTE: Earlier this said === 'Y' but that was a typo! I fixed the code above.)

Answer 1 · 2015-11-21T00:28:33.000Z

We set SANDSTORM to "1", not "Y", but otherwise, sounds good.

Perhaps we can also then enable "highlander" mode where we kill all the other accounts packages.

Answer 2 · 2015-11-21T00:37:32.000Z

+1 to both of your remarks.

Answer 3 · 2016-04-18T07:24:06.000Z

I have made a pull request for this in #20.

Answer 4 · 2016-04-21T03:33:48.000Z

I think it is better to go by setting __meteor_runtime_config__.SANDSTORM to true when in Sandstorm based on the environment variable. I am updating my pull request so.

In this way settings is something users can configure, while fact that runtime runs inside Sandstorm is a constant.