Closed patricknelson closed 8 years ago
Oh! I forgot to mention one of the most important security improvements. I changed this:
var valid = resolve.signatures.filter(sig => sig.valid).length > 0;
to
// Consider the entire response invalid if any of the signatures are not valid.
var valid = data.signatures.filter(sig => sig.valid).length == data.signatures.length;
I figured that made the most sense, since apparently GPG will return multiple possible signatures and, if we're going to be filtering out and counting them anyway, we should be buzzing the alarms if ANY of them aren't valid, not if at least one is valid.
We may also want to consider throwing in maybe a gulp/grunt workflow (for shits/giggles) to transpile to Babel for the less fortunate (IE and beyond). But that's probably way out of scope :smile:
Another change is that I tweaked the format of the public key supplied inline (even though I know that's not important for final implementation) to follow the more modern standard seen in JavaScript templating, where they'll typically encapsulate hidden templates (or text data strictly for JS use) in <script> tags. Like mustache, for example.
Check this out, here's my stab at it. Basically I fixed a few minor redundancies, unused vars, tried newer approaches at things (since we're requiring modern [read: non-IE] browsers) and using HTML5, so we're free to use those dandy global ID's.
Also, the biggest change (so far) was the revision of the promise.then(...) in the main srs.load() method. That's the resolution of a promise, so that closure (passed in as the then() param) is being passed the data processed by GPG, so I removed that extra "reject" parameter (since that's what you put into a Promise constructor anyway) and renamed it a bit. Also, more importantly, I had no way to handle errors, so I used promises as a return type for srs.load(...) as well so that, if I wanted to, I could handle them. Otherwise, they will propagate up as Errors anyway :+1:

I might make more tweaks as I look at it but this is what I've got so far, so here's a PR!
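The signature check discussed in this thread, as an added example (not code from the PR or the project): the original "any valid" filter next to the revised "all valid" one, plus a hardened variant that also refuses an empty signature list, since `filter(...).length == signatures.length` is true when both are zero. The `{ valid }` signature shape and the sample responses are constructed to mirror the thread, not real GPG output.

```javascript
// Added example, not from the PR. Signature objects are constructed to mimic
// the shape used in the thread ({ valid: boolean }); no real GPG output involved.

// Original check from the thread: passes if at least one signature is valid,
// so one good signature masks any number of bad ones.
function anySignatureValid(signatures) {
  return signatures.filter(sig => sig.valid).length > 0;
}

// Revised check from the thread: passes only if every signature is valid.
// Caveat: for an empty list this compares 0 == 0, i.e. "valid" with nothing verified.
function allSignaturesValid(signatures) {
  return signatures.filter(sig => sig.valid).length === signatures.length;
}

// Hardened variant (an assumption, not in the PR): require a non-empty array
// AND require every entry to be explicitly marked valid.
function signaturesAcceptable(signatures) {
  return Array.isArray(signatures)
    && signatures.length > 0
    && signatures.every(sig => sig !== null && typeof sig === 'object' && sig.valid === true);
}

// Constructed sample responses.
const oneGood = [{ valid: true }];
const mixed = [{ valid: true }, { valid: false }];
const none = [];

// Run all three checks over each sample; returns a table of outcomes.
function compareChecks() {
  const samples = { oneGood, mixed, none };
  const out = {};
  for (const [name, sigs] of Object.entries(samples)) {
    out[name] = {
      any: anySignatureValid(sigs),
      all: allSignaturesValid(sigs),
      hardened: signaturesAcceptable(sigs),
    };
  }
  return out;
}

console.table(compareChecks());
```

The `mixed` row shows the problem the thread fixes (any: true, all: false), and the `none` row shows the remaining gap in the revised check (all: true, hardened: false).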