Closed jwoertink closed 2 years ago
This is great @jwoertink. I agree with @matthewmcgarvey that detecting and rolling forward auth tokens would smooth out the release. Box it into a method that can be marked as deprecated and not forgotten. I'm sure even then some people will get an invalid token error when it is eventually removed, but that would help a ton.
This will now try to decode legacy tokens, and then basically fallback to new tokens. I've added the deprecation notice:
❯ crystal spec/
In src/lucky/support/message_verifier.cr:22:22
22 | data, digest = legacy_verified(signed_message)
^--------------
Warning: Deprecated Lucky::MessageVerifier#legacy_verified. Legacy token verification will be removed in the next release.
A total of 1 warnings were found.
Swapping the logic was a little weird, but specs passed. After we remove the deprecated legacy stuff, we should be able to clean this up more. Let me know if you guys have other suggestions for this.
Purpose
Fixes #1595
Description
We were using a magic
--
to split the data in the token generated by the message verifier. In some rare instances, the data on the left or the right of the magic character could also contain--
themselves. This caused issues when splitting on that.This fix removes the magic character completely and just uses some JSON instead.
/cc @robacarp
Checklist
crystal tool format spec src
./script/setup
./script/test