Async matcher does not handle rejections #129
Comments
@RossCurry what do you expect should happen? I would simply return false for the matcher in case of a network error.
Not sure about @RossCurry (on holiday atm), but I'd expect the promise to be rejected. Are there any considerations for not propagating errors like that?
The problem is that if an error is thrown inside zxcvbn-ts it will not be further executed. Which means a user won't get a scoring for the password.
That's a fair point, and I agree it's a sensible default for most use cases. For other use cases it's a dangerous default though as we'd fail silently. If we'd apply zxcvbn on a server with incorrect network policies (e.g. whitelisting domains that the server is allowed to access, where the pwnd domain is not whitelisted), then a sysadmin would never detect this misconfiguration. That being said, I'm not sure how to best cater to all use cases though. Possibly a configuration function
I thought about a config parameter too but this is a bit tricky so first let's get rid of the major issue and then make it better 👍
@LaurensRietveld I published a new version for the pwned matcher
Thanks a lot!
Rejections thrown by async matchers are not handled correctly. They end up as `Uncaught (in Promise)` type errors.
To reproduce this:
Not having a proper mechanism for error handling means that we cannot use things like the pwned matcher in production.
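The trade-off discussed in this thread (return no match on a network error versus propagating the rejection), sketched as an added example that is not part of the issue or of the zxcvbn-ts code base. `runMatchers`, the `onMatcherError` option, the `report` callback and both matcher objects are hypothetical names chosen for illustration.

```javascript
// Added example: hypothetical names, not the zxcvbn-ts API.
// Runs sync and async matchers without letting a rejection escape as an
// unhandled promise rejection, and makes the failure policy explicit.
async function runMatchers(password, matchers, options = {}) {
  const { onMatcherError = 'ignore', report = () => {} } = options;

  const settled = await Promise.allSettled(
    // Promise.resolve().then(...) also turns a synchronous throw into a rejection.
    matchers.map((m) => Promise.resolve().then(() => m.match(password)))
  );

  const matches = [];
  const errors = [];
  settled.forEach((result, i) => {
    if (result.status === 'fulfilled') {
      matches.push(...(result.value || []));
    } else {
      errors.push({ matcher: matchers[i].name, error: result.reason });
    }
  });

  // Always surface failures, so a blocked egress rule is visible to operators
  // even when scoring continues.
  errors.forEach((e) => report(e));

  if (errors.length > 0 && onMatcherError === 'throw') {
    const err = new Error('matchers failed: ' + errors.map((e) => e.matcher).join(', '));
    err.failures = errors;
    throw err;
  }
  // 'ignore': score with the matchers that worked and name the ones that did not.
  return { matches, failedMatchers: errors.map((e) => e.matcher) };
}

// Constructed matchers: one local, one simulating a blocked network call.
const dictionaryMatcher = {
  name: 'dictionary',
  match: (pw) =>
    pw.toLowerCase().includes('password') ? [{ pattern: 'dictionary', token: 'password' }] : [],
};
const breachMatcher = {
  name: 'breach-lookup',
  match: async () => { throw new Error('network request blocked'); },
};
```

With `onMatcherError: 'ignore'` the user still gets a score and `failedMatchers` plus `report` record the outage; with `'throw'` the caller receives a rejection it can handle.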