hyphacoop / social.distributed.press

A Social Inbox for Decentralized Publishing and ActivityPub.
https://hypha.coop/dripline/announcing-dp-social-inbox/
GNU Affero General Public License v3.0

fix: return empty string when request isn't signed #172 #72

Closed fauno closed 3 months ago

fauno commented 3 months ago

Feels weird to do it like this, but I noticed the function throws an error when the signature header is missing, so any check that comes afterwards isn't reachable. For instance, now the followers collection can show totalItems when the request isn't signed, instead of the matchAll error (because activitypub-http-signatures doesn't check that headers.signature is undefined).

The idea with the empty string is to return an actor that doesn't match anything, but an empty string being returned by a promise is what feels weird (and probably open to vulnerabilities).

ping @catdevnull, couldn't find you on the reviewers list
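
For reference, here is an added example (not the project's code, and not the activitypub-http-signatures API) of the shape the PR is discussing: a Signature-header parser that returns null for an unsigned request instead of calling matchAll on undefined, so that later checks such as the followers collection's totalItems stay reachable. The names parseSignatureHeader, requestActor and followersCollection, the sample header and the "owner sees the full list, everyone else sees totalItems" policy are all assumptions made for this illustration.

```javascript
// Added example, not code from social.distributed.press or activitypub-http-signatures.
// Hypothetical helpers: parseSignatureHeader, requestActor, followersCollection.

// Matches key="value" pairs in an HTTP Signature header.
const SIGNATURE_PARAM_RE = /(\w+)="([^"]*)"/g;

// Parse the Signature header into an object of its parameters.
// Returns null when the header is absent or empty instead of throwing,
// which is what calling matchAll on an undefined header would do.
function parseSignatureHeader(headers) {
  const raw = headers.signature ?? headers.Signature;
  if (typeof raw !== 'string' || raw.length === 0) return null;
  const params = {};
  for (const [, key, value] of raw.matchAll(SIGNATURE_PARAM_RE)) {
    params[key] = value;
  }
  return params;
}

// Derive the requesting actor from the keyId parameter.
// null means "unsigned"; a string means "signed with this actor's key".
// A real implementation must verify the signature against the actor's
// public key before trusting keyId; that step is omitted here.
function requestActor(headers) {
  const params = parseSignatureHeader(headers);
  if (params === null || typeof params.keyId !== 'string' || params.keyId === '') {
    return null;
  }
  // keyId is conventionally the actor URL plus a fragment, e.g. https://host/actor#main-key
  return params.keyId.split('#')[0];
}

// Build the followers collection for `owner` (assumed policy):
// unsigned or non-owner requests get totalItems only, the owner gets the items too.
// A null actor makes the unsigned case explicit instead of relying on '' never matching.
function followersCollection(headers, owner, followers) {
  const actor = requestActor(headers);
  const collection = { type: 'OrderedCollection', totalItems: followers.length };
  if (actor !== null && actor === owner) {
    collection.orderedItems = followers.slice();
  }
  return collection;
}

// Constructed sample input (not a captured request).
const sampleSignedHeaders = {
  signature: 'keyId="https://example.social/actor#main-key",algorithm="rsa-sha256",' +
    'headers="(request-target) host date",signature="c2lnbmF0dXJl"',
};
const sampleUnsignedHeaders = {};

console.log(followersCollection(sampleUnsignedHeaders, 'https://example.social/actor', ['a', 'b']));
console.log(followersCollection(sampleSignedHeaders, 'https://example.social/actor', ['a', 'b']));
```

The point of returning null rather than a string sentinel is that every caller has to handle the unsigned case on purpose; an equality check against '' happens to fail, but nothing forces the caller to think about it.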

fauno commented 3 months ago

> I can't comment on whether this is idiomatic or safe :)

You mean what I asked about using an empty string?

catdevnull commented 3 months ago

> > I can't comment on whether this is idiomatic or safe :)
>
> You mean what I asked about using an empty string?

Yes, I can't really comment on whether the change itself is OK and/or makes sense.