Skip to content

Update dependency on api-auth#18

Open
JoshCheek wants to merge 2 commits intoMifiel:developfrom
JoshCheek:update-api-auth
Open

Update dependency on api-auth#18
JoshCheek wants to merge 2 commits intoMifiel:developfrom
JoshCheek:update-api-auth

Conversation

@JoshCheek
Copy link

@JoshCheek JoshCheek commented Feb 9, 2022

Add pry to Gemfile

Add pry to Gemfile so you can bundle exec rspec (if you don't bundle exec, you could get random versions of the gems, but if you do, then it can't load pry as it's not specified as a development dependency)

Update ApiAuth to ~> 2.0

ApiAuth v1 has insecure defaults and uses deprecated Faraday features which lead to test spam. This bumps it to ~>2.0, because that allows for versions which use Faraday correctly, and fixes the security vulnerabilities.

Example of the Faraday deprecation warning from Mifiel's test suite:

Screen Shot 2022-02-08 at 4 09 42 PM

  • Link to v2.0 in the changelog (here)
  • Link to the security vulnearability (here)

Co-authored-by: Angel Malavar angel.malavar@gmail.com

JoshCheek and others added 2 commits February 8, 2022 16:07
@JoshCheek @Angel-Mu
Add pry to Gemfile so you can bundle exec rspec
cfab017 
Co-authored-by: Angel Malavar <angel.malavar@gmail.com>
@JoshCheek @Angel-Mu
Update dependency on api-auth from ~>1.4 to ~>2.0
db46347 
ApiAuth v1 has insecure defaults and uses deprecated Faraday features which lead to test spam.
This bumps it to ~>2.0, because that allows for versions which use Faraday correctly,
and fixes the security vulnerabilities.

Example of the Faraday deprecation warning:

```
WARNING: `Faraday::Request#method` is deprecated; use `#http_method` instead. It will be removed in or after version 2.0.
`Faraday::Request#method` called from /Users/josh/.gem/ruby/3.0.2/gems/api-auth-2.0.0/lib/api_auth/request_drivers/faraday.rb:24:in `populate_content_md5'
```

Link to v2.0 in the changelog:
https://github.com/mgomes/api_auth/blob/master/CHANGELOG.md#200-2016-05-11

Link to the security vulnearability:
https://github.com/mgomes/api_auth/blob/master/CHANGELOG.md#140-2015-12-16

Co-authored-by: Angel Malavar <angel.malavar@gmail.com>
@JoshCheek
Copy link
Author

JoshCheek commented Feb 9, 2022

@tellodaniel said you were intentionally avoiding the upgrade because it was breaking something. The breaking change was that it includes the HTTP method when signing, so that a GET and DELETE request don't have the same SHA, for example. If that less secure behaviour is desired, you can opt into it by passing override_http_method: true when signing (here).

Screen Shot 2022-02-09 at 12 53 20 PM

@tellodaniel tellodaniel mentioned this pull request Jun 21, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@JoshCheek