feat: replace gravatar-url with inline function (#5128)
As #4475 explains, MD5 is no longer available in environments that require FIPS-compliant algorithms. This PR swaps out gravatar-url for an inline function that hashes the identifier with Node's `crypto` SHA-256, which is FIPS 140-2 approved. Since this was only used to generate avatar URLs, the extra customization was not needed and the URL parameters could be hard-coded. fixes: Linear https://linear.app/unleash/issue/SR-112/gh-support-swap-out-gravatar-url-lib closes: #4475
Christopher Kolstad
committed
Oct 24, 2023
1 parent
ab390db
commit c60bca7
Showing
8 changed files
with
44 additions
and
43 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
import { generateImageUrl } from './generateImageUrl'; | ||
|
||
describe('Gravatar image url', () => { | ||
it('generates the correct sha-256 hash for gravatars test idents', () => { | ||
expect(generateImageUrl({ email: 'MyEmailAddress@example.com' })).toBe( | ||
'https://gravatar.com/avatar/84059b07d4be67b806386c0aad8070a23f18836bbaae342275dc0a83414c32ee?s=42&d=retro&r=g', | ||
); | ||
}); | ||
it('lowercases and trims all emails', () => { | ||
const upperCaseAndLeadingSpace = ' helloWorld@example.com'; | ||
const upperCaseAndTrailingSpace = 'helloWorld@exAMPLE.com '; | ||
const lowerCaseAndNoSpaces = 'helloworld@example.com'; | ||
const uCALSHash = generateImageUrl({ email: upperCaseAndLeadingSpace }); | ||
const uCATSHash = generateImageUrl({ | ||
email: upperCaseAndTrailingSpace, | ||
}); | ||
const lCANSHash = generateImageUrl({ email: lowerCaseAndNoSpaces }); | ||
expect(uCALSHash).toBe(uCATSHash); | ||
expect(uCATSHash).toBe(lCANSHash); | ||
}); | ||
}); |
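Review bot: The new spec never exercises the username/id fallback of `generateImageUrl`; both cases pass only an `email`, so the non-email normalization branch added in generateImageUrl.ts is untested. A case pinning the intended contract would catch a regression there, e.g. `expect(generateImageUrl({ username: ' SomeUser ' })).toBe(generateImageUrl({ username: 'SomeUser' }));` and, if usernames are meant to keep their case, `expect(generateImageUrl({ username: 'SomeUser' })).not.toBe(generateImageUrl({ username: 'someuser' }));`. The first case's expected hash is tied to Gravatar's published test identity, which is a good anchor to keep; consider also a case for an object with none of the three fields so the behaviour of that input is deliberate rather than accidental.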
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,11 +1,17 @@ | ||
import gravatarUrl from 'gravatar-url'; | ||
import { createHash } from 'crypto'; | ||
|
||
const base: string = 'https://gravatar.com/avatar'; | ||
export const generateImageUrl = (user: { | ||
email: string; | ||
username: string; | ||
id: number; | ||
}): string => | ||
gravatarUrl(user.email || user.username || String(user.id), { | ||
size: 42, | ||
default: 'retro', | ||
}); | ||
email?: string; | ||
username?: string; | ||
id?: number; | ||
}): string => { | ||
let ident = user.email || user.username || String(user.id); | ||
if (ident.indexOf('@')) { | ||
ident = ident.toLowerCase().trim(); | ||
} else { | ||
ident = ident.trim(); | ||
} | ||
const identHash = createHash('sha256').update(ident).digest('hex'); | ||
return `${base}/${identHash}?s=42&d=retro&r=g`; | ||
}; |
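Review bot: `if (ident.indexOf('@'))` on the new side does not test for an '@' at all: `indexOf` returns -1 when the character is absent, which is truthy, so usernames and numeric ids are lowercased too, and only an identifier whose '@' sits at index 0 takes the trim-only branch. The intent reads as `if (ident.includes('@')) {`. With all three fields now optional, an object that has none of them falls through to `String(user.id)` and hashes the literal string `'undefined'`, silently giving every such user the same avatar; `String(user.id ?? '')` or an early return would make that explicit. Note also that an unsalted SHA-256 of a lowercased email is still a stable identifier for that address, as Gravatar's scheme requires, so the resulting URL should be treated with the same care as the email wherever it is logged or exposed.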