• (nodebb)

    For those not familiar with .net, yes, there are free secret stores available for decades now. And a ton of commercial products for big enterprises. There's no need for a hack like this.

  • Hanzito (unregistered)

    Idiots. Hard-coding secrets. They should have done it like real programmers.

    const fristSecret = "xxxxxxxx-xxxxxx+xxxxxxx+xxxxxx-xxxxxx-xxxxxx+xxxxx";
    const sencodSecret = "yyyyyyy-yyyyyy+yyyyy+yyyyy-yyyyy-yyyyy+yyyy";
    
  • tee (unregistered) in reply to MaxiTB

    But how does one get stuff out of said free secret store? (Presumably using a hardcoded secret store secret)

  • (nodebb)

    It would still be offensive if the application read the token from a file - encoded or otherwise - but only slightly less so.

  • (nodebb)

    You'd rather it said return (token == a || token == b) ?

  • Joe (unregistered)

    They could have hard-coded date ranges over which those tokens are valid if they wanted the old token to work for a little while longer, since they're in the hard-coding mood. I get it, that only fixes one of the horrible WTFs, but I'm all about fixing one thing at a time.

  • Spencer (unregistered) in reply to davethepirate

    Most likely they want "return token.equals("xxxxxxxxxxxxxx")"

  • Iffy (unregistered)

    I don't mind the early-return pattern in small, select cases, but it bothers me that they used an else. If the first one matches, it will return, so successive lines are inherently an else clause. Of course, there's the other part - which annoys Remy more - `if (cond) return true` or conditionals/ternaries? Of course, now the analyzers would recommend using a switch expression instead.

  • (nodebb) in reply to tee

    But how does one get stuff out of said free secret store? (Presumably using a hardcoded secret store secret)

    My CI pipeline gets secrets from the secret store by authenticating using its Windows Active Directory account. We even limit that access to a list of IPs to add another layer of protection.

    For token authentication, we just use an RsaSecurityKey and the service is only configured with the public key. The private key lives only on the authentication infrastructure.

  • DigitalBits (unregistered)
    Comment held for moderation.
  • (nodebb) in reply to tee

    (Presumably using a hardcoded secret store secret)

    I imagine they need a secret store secret secreter to secrete the required secret store secret to then get the secrets stored by the secret store.

  • (nodebb)

    Bah. I give up on this Markdown nonsense / lack of preview / lack of ability to edit. Thought I had enough new lines in there.

  • Tinkle (unregistered)

    That is not a token, that is a string. A string that is being used as a password.

    A token should have a sender authentication mechanism.

    Now, being a password - why is it not being hashed? That would at least help a little.
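
As an added illustration (not code from the thread or from the original article), here is a Python sketch of the point Tinkle and Joe raise: the service keeps only salted hashes of the accepted tokens, compares them in constant time, and attaches a last-valid date so the old token can be retired without another code change. The function names, the PBKDF2 parameters and the sample tokens are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Constructed example configuration: what a service would load from a
# secret store or config file instead of hard-coding plaintext tokens.
# Each entry keeps only a salted PBKDF2 hash of the token plus the last day
# on which that token is accepted, so an old token can be retired on a date.
ITERATIONS = 200_000  # assumed work factor for the example


def hash_token(token: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of a bearer token (32 bytes)."""
    return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, ITERATIONS)


def make_entry(token: str, valid_until: date) -> dict:
    """Build one stored record; run at provisioning time, never at request time."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "digest": hash_token(token, salt), "valid_until": valid_until}


def is_valid_token(token: str, entries: list, today: date) -> bool:
    """Replacement for the hard-coded IsValidToken: no plaintext secret in code,
    constant-time digest comparison, and no early-return/else chain."""
    for entry in entries:
        if today > entry["valid_until"]:
            continue  # token retired on its cut-over date; skip it
        candidate = hash_token(token, entry["salt"])
        if hmac.compare_digest(candidate, entry["digest"]):
            return True
    return False


# Constructed sample data: an old token still honoured until a cut-over date
# and its replacement. Real values would come from the secret store.
OLD_TOKEN = "old-token-constructed-for-example"
NEW_TOKEN = "new-token-constructed-for-example"
ENTRIES = [
    make_entry(OLD_TOKEN, valid_until=date(2024, 6, 30)),
    make_entry(NEW_TOKEN, valid_until=date(2099, 12, 31)),
]
```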

  • supercodes.bgng.io (unregistered)
    Comment held for moderation.

Leave a comment on “IsValidToken”
