Why check process.env.NODE_ENV? #29

Open
coolaj86 opened this issue Oct 7, 2015 · 1 comment
coolaj86 (Contributor) commented Oct 7, 2015

I'd like to be able to casually run my own tests and examples without explicitly setting NODE_ENV.

I don't see a security benefit to this.

If the user of this library is somehow exposing the options object to a client they can already arbitrarily adjust the window size to something like 100,000 which is just as insecure, so there's no security benefit.

In fact, I just tested with a window of 100,000 and an arbitrary token 957 124, and in 5 out of 10 trials, each taking about 2 seconds, I was able to verify.
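
The window-size argument above, as an added example that is not part of the issue thread and is not notp's code: a minimal RFC 4226 HOTP verifier plus the probability that one guessed token is accepted for a given window. The function names, the two-sided window, six-digit codes and the sample counter are assumptions made for illustration.

```javascript
// Added example (not notp's code): RFC 4226 HOTP with a two-sided window.
const crypto = require('crypto');

// HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
function hotp(key, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac('sha1', key).update(msg).digest();
  const off = mac[mac.length - 1] & 0x0f;
  const bin = mac.readUInt32BE(off) & 0x7fffffff;
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// Assumption: the token is accepted if it matches any counter within
// `window` steps on either side of the expected one.
function verify(token, key, counter, window) {
  for (let c = Math.max(0, counter - window); c <= counter + window; c++) {
    if (hotp(key, c) === token) return { delta: c - counter };
  }
  return null;
}

// Chance that one fixed guess passes: 1 - (1 - 10^-digits)^(2*window + 1).
function acceptProbability(window, digits = 6) {
  return 1 - Math.pow(1 - Math.pow(10, -digits), 2 * window + 1);
}

// Empirical version: fraction of random 20-byte keys under which a fixed
// token verifies. Each trial computes up to 2*window + 1 HMACs.
function measure(token, window, trials, counter = 48139200) { // constructed counter
  let hits = 0;
  for (let i = 0; i < trials; i++) {
    if (verify(token, crypto.randomBytes(20), counter, window)) hits++;
  }
  return hits / trials;
}

// Print how the acceptance chance of a single guess grows with the window.
for (const w of [0, 6, 50, 1000, 100000]) {
  console.log(`window=${w}: ${(100 * acceptProbability(w)).toFixed(4)}% per guess`);
}
```

Calling `measure('957124', 100000, 10)` repeats a ten-trial run with the window and token quoted above.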

coolaj86 pushed a commit to coolaj86/notp that referenced this issue Oct 7, 2015
As discussed in guyht#29 there is no advantage to disallowing the manipulation of `opt._t` in any case where a client has arbitrary access to `opt.window`.

guyht (Owner) commented Oct 8, 2015

This was intended as more of a warning. Rather than removing the error completely, how about just logging a warning message?
