IsaacSteadman
commented
1 year ago - add lock upgrading to mitigate DoS attack
- before: if a bunch of clients are calling a mutating route that would keep holding the lock in exclusive mode denying any legitimate user from being able to modify their own vault
- after: all authenticating routes initially acquire in shared read mode to read data required to evaluate authenticity of the request and only after the evaluation passes is the lock upgraded to exclusive which high priority (forcing any new shared readers to wait)
- refactor GetUserDataBufferV2 into WrapUserOperation which allows the operation to be more flexible without requiring special cases to specifically implemented in WrapUserOperation like ConditionalHeaders and evaluating policy before opening the writable and acquiring and upgrading the lock
- fix conditional headers not matching spec (single digit dates needed to be padded with a leading 0)
- add testing using jest
- unit testing of the ConditionalHeaders file
- end to end testing of the entire password manager stack using puppeteer
- still need to explicitly test delete password
- still need to test changing password (there is no UI for this yet)
- separate project to avoid cluttering the node_modules needed to just build the app to simplify installation, deployment and security audit